Re: bidding down attack on NAT-T
Francis Dupont <Francis.Dupont@xxxxxxxxxxxxxxxx> writes:
> => I believe you missed the fact I didn't try to make NAT traversal
> secure (I clearly wrote I believe it is near impossible): you are
> on my side, i.e., you consider that NAT traversal has an untrackable
> security issue with attackers which behave like NATs.
While I agree that peers should not use NAT-T if there is no NAT
between them, I do think that NAT-T support should be required.
You never know when there will be a NAT between you and your peer.
Note that you CAN securely detect a NAT (and I consider a pseudo-NAT
to be equivalent to a NAT in this sense) because the IKE messages are
secured. So the only real attack is some router performing NAT on you
-- but that router could just as easily drop your packets too, so I
don't think this is a credible threat.
Personally, I feel that being able to use IPsec through a NAT is more
important than worrying about some router dropping your packets or
trying to re-NAT you.
Computer and Internet Security Consultant
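The claim above that a NAT (or a pseudo-NAT) can be detected securely rests on the NAT-D mechanism: each side hashes the IKE cookies together with the IP address and port it believes it is using, and the receiver compares those hashes with the addresses actually seen on the wire. The following is an added example, not code from the list thread or from any IKE implementation; it follows the NAT-D payload layout of RFC 3947 (hash over CKY-I | CKY-R | IP | port), assumes SHA-1 as the negotiated hash, and uses constructed cookies and addresses. It does not implement the IKE authentication that protects these payloads; it assumes the payloads were already received inside an authenticated exchange.

```python
import hashlib
import ipaddress
import struct

# Constructed sample cookies (8 bytes each, as in IKEv1).
CKY_I = b"\x01" * 8
CKY_R = b"\x02" * 8


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port).
    IP is the packed 4- or 16-byte address, port is 2 bytes network order."""
    ip_bytes = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + ip_bytes + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, dst_ip, dst_port, own_addrs):
    """Payloads a sender emits: first the hash of the address it is sending
    TO, then one hash per local address/port it might be sending FROM."""
    payloads = [nat_d_hash(cky_i, cky_r, dst_ip, dst_port)]
    payloads += [nat_d_hash(cky_i, cky_r, ip, port) for ip, port in own_addrs]
    return payloads


def detect_nat(cky_i, cky_r, received, my_ip, my_port, src_ip, src_port):
    """Receiver-side check. Returns (local_behind_nat, peer_behind_nat).

    received: NAT-D hashes from the peer, assumed to come from an
              authenticated IKE exchange (that is what makes the check
              trustworthy: a middlebox cannot forge them).
    my_ip/my_port: the address the receiver believes it has.
    src_ip/src_port: the source address observed on the incoming packet.
    """
    dst_hash, src_hashes = received[0], received[1:]
    # Peer hashed the address it sent to; if that is not our real address,
    # something rewrote our address, i.e. we are behind a NAT.
    local_behind_nat = dst_hash != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    # Peer hashed its own addresses; if none matches the observed source,
    # something rewrote the peer's address, i.e. the peer is behind a NAT.
    observed = nat_d_hash(cky_i, cky_r, src_ip, src_port)
    peer_behind_nat = observed not in src_hashes
    return local_behind_nat, peer_behind_nat


def scenario_no_nat():
    # Initiator 10.0.0.5:500 talks directly to responder 203.0.113.10:500.
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "203.0.113.10", 500,
                                    [("10.0.0.5", 500)])
    return detect_nat(CKY_I, CKY_R, payloads, "203.0.113.10", 500,
                      "10.0.0.5", 500)


def scenario_peer_behind_nat():
    # Same initiator, but a NAT rewrites its source to 198.51.100.7:4500.
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "203.0.113.10", 500,
                                    [("10.0.0.5", 500)])
    return detect_nat(CKY_I, CKY_R, payloads, "203.0.113.10", 500,
                      "198.51.100.7", 4500)


def scenario_local_behind_nat():
    # Responder really sits at 192.168.1.2:500 behind a NAT that presents
    # 203.0.113.10:500 to the initiator.
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "203.0.113.10", 500,
                                    [("10.0.0.5", 500)])
    return detect_nat(CKY_I, CKY_R, payloads, "192.168.1.2", 500,
                      "10.0.0.5", 500)


if __name__ == "__main__":
    print("no NAT:            ", scenario_no_nat())
    print("peer behind NAT:   ", scenario_peer_behind_nat())
    print("local behind NAT:  ", scenario_local_behind_nat())
```

The detection is only as strong as the authentication around it: because the NAT-D values are bound to the IKE cookies and carried inside the authenticated exchange, a router on the path cannot substitute hashes that match its rewritten addresses. What it can do, as the post says, is rewrite or drop the packets, which shows up here as a NAT being detected rather than as an undetected downgrade.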