Re: peer address protection and NAT Traversal
Jayant Shukla wrote:
> A better solution IMHO would be:
> To 100% protect against the attack mentioned by Francis, NAT vendors
> could put in a mechanism by which those behind the NATs can query the
> NAT WAN interface address. Then the devices behind the NAT can compare
> this address with the address perceived by the remote sites (echoed
> back securely) and completely neutralize these attacks. This is true
> only if there is one NAT in between, and I think that is true for the
> majority of cases.
This won't work because an underlying assumption, with me anyway,
is that NATs are 'hostile'. They won't tell you anything of this
sort, and even if you made a new RFC about it, no previously existing NAT
would still do it.
Ari
--
I play it cool and dig all jive,
that's the reason I stay alive.
My motto as I live and learn,
is dig and be dug in return. <Langston Hughes>
Ari Huttunen phone: +358 9 2520 0700
Software Architect fax : +358 9 2520 5001
F-Secure Corporation http://www.F-Secure.com
F(ully)-Secure products: Securing the Mobile Enterprise