
Re: (NAT) Re: Interactions between IPSEC and NAT

>>>>> "Vinod" == Vinod Valloppillil <vinodv@microsoft.com> writes:

    >>> HTTPS through a NAT, for example, is perfectly reasonable

    >> HTTPS doesn't embed things like ports into the communications stream,
    >> so it can be NATed. SSL is the security layer HTTPS uses, but SSL !=
    >> HTTPS -- other protocols over SSL will not behave so nicely.


    Vinod> But my example of HTTPS through NAT is a case where you both both
    Vinod> NAT features and end-to-end security.  My point was to demonstrate
    Vinod> the independence of IP addr/ports from end-end security.  - To

  HTTPS is HTTP over SSL over TCP.
  So, with HTTPS you get all of the normal denial of service attacks you
would expect to see with TCP:
	- SYN flooding
	- sequence number prediction
	- RST on ports
	- Adjustment of windows so that no data flows
	- replay of TCP segments with "new" segment numbers (probably
	  causing SSL's MAC to abort the HTTPS transfer, while IPsec would
	  just assume the packet got lost and TCP would retransmit)

  IPsec tries to defend against all of these. Whether or not ISAKMP's cookie
mechanism is strong enough to deal with these attacks has been disputed by a
couple of well known people, but, assuming that it isn't strong enough,
we can replace (or rev) ISAKMP much more easily than we can rev the wire format
of the packets.

   :!mcr!:            |  Sandelman Software Works Corporation, Ottawa, ON
   Michael Richardson |Network and security consulting and contract programming
 Personal: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/SSW/).
