
Re: bidding down attack on NAT-T


Francis Dupont <Francis.Dupont@xxxxxxxxxxxxxxxx> writes:

> => I believe you missed the fact I didn't try to make NAT traversal
> secure (I clearly wrote I believe it is near impossible): you are
> on my side, i.e., you consider that NAT traversal has an untrackable
> security issue with attackers which behave like NATs.

While I agree that peers should not use NAT-T if there is no NAT
between them, I do think that NAT-T support should be required.
You never know when there will be a NAT between you and your peer.

Note that you CAN securely detect a NAT (and I consider a pseudo-NAT
to be equivalent to a NAT in this sense) because the IKE messages are
secured.  So the only real attack is some router performing NAT on you
-- but that router could just as easily drop your packets too, so I
don't think this is a credible threat.

Personally, I feel that being able to use IPsec through a NAT is more
important than worrying about some router dropping your packets or
trying to re-NAT you.

> Regards
> Francis.Dupont@xxxxxxxxxxxxxxxx


       Derek Atkins
       Computer and Internet Security Consultant
       derek@xxxxxxxxx             www.ihtfp.com
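The NAT detection the message above relies on, as an added example that is not part of the thread or of any IKE implementation: each peer hashes the source address and port it sends from, the receiver recomputes the hash over what it actually saw on the wire, and the claim is only trusted once the authentication covering the exchange checks out. The hash layout follows RFC 7296 section 2.23 (SHA-1 over the SPIs, IP and port), the IKEv1 NAT-D payload of the era used the same idea with the cookies and the negotiated hash, and the HMAC tag here is a constructed stand-in for the real IKE authentication.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example, not code from the thread.  Hash layout per RFC 7296 s2.23
# (SHA-1 over SPIi | SPIr | IP | port).  The HMAC tag is a constructed
# stand-in for the IKE authentication that covers the exchange.

def nat_detection_hash(spi_i: bytes, spi_r: bytes, addr: str, port: int) -> bytes:
    """Value a peer puts in NAT_DETECTION_SOURCE_IP for the address/port it sends from."""
    ip = ipaddress.ip_address(addr).packed
    return hashlib.sha1(spi_i + spi_r + ip + struct.pack("!H", port)).digest()

def classify_path(claimed: bytes, spi_i: bytes, spi_r: bytes,
                  seen_addr: str, seen_port: int) -> str:
    """Receiver recomputes over the source it actually saw on the wire.  A mismatch
    only proves that *something* rewrote the header: a NAT and an on-path party
    behaving like one are indistinguishable at this point (the thread's caveat)."""
    local = nat_detection_hash(spi_i, spi_r, seen_addr, seen_port)
    return "direct" if hmac.compare_digest(local, claimed) else "translated"

def verified_classify(claimed: bytes, tag: bytes, auth_key: bytes, spi_i: bytes,
                      spi_r: bytes, seen_addr: str, seen_port: int) -> str:
    """Trust the claim only once the authentication covering it verifies; a
    middlebox that rewrote the hash to force or suppress NAT-T fails here."""
    expected = hmac.new(auth_key, spi_i + spi_r + claimed, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        return "auth-failed"
    return classify_path(claimed, spi_i, spi_r, seen_addr, seen_port)

# Constructed sample values: 8-byte SPIs, an initiator sending from 192.0.2.10:500.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")
AUTH_KEY = b"constructed-demo-key"
CLAIM = nat_detection_hash(SPI_I, SPI_R, "192.0.2.10", 500)
TAG = hmac.new(AUTH_KEY, SPI_I + SPI_R + CLAIM, hashlib.sha1).digest()

if __name__ == "__main__":
    # No middlebox: the responder sees the same source the initiator hashed.
    print(verified_classify(CLAIM, TAG, AUTH_KEY, SPI_I, SPI_R, "192.0.2.10", 500))
    # A NAT rewrote the source to 198.51.100.7:4500: hashes differ, NAT-T is warranted.
    print(verified_classify(CLAIM, TAG, AUTH_KEY, SPI_I, SPI_R, "198.51.100.7", 4500))
    # The hash was replaced to match the rewritten address: authentication catches it.
    altered = nat_detection_hash(SPI_I, SPI_R, "198.51.100.7", 4500)
    print(verified_classify(altered, TAG, AUTH_KEY, SPI_I, SPI_R, "198.51.100.7", 4500))
```

Run directly it prints `direct`, `translated`, `auth-failed` for the three cases; the second case is the legitimate NAT-T trigger, the third the tampering that the secured exchange exposes.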