
RE: IPSEC Security Gateways & NAT



Derek,

Consider the case: 
host<->NAT-WG<==>SG (responder)


The NAT device changes all the SourceIP addresses to its own
visible SourceIP address.

Since it is possible to have several hosts that are IKE initiators,
it seems the IKE has to accept as many messages as
the initiators send with the same SIP address.

The DOS attacker can use the same IP address and
send lots of 1 and 3 IKE messages to
SG (with *HDR* variations)?

Regards,

--- David




-----Original Message-----
From: Derek Atkins [mailto:warlord@mit.edu]
Sent: Thursday, June 14, 2001 4:51 PM
To: Chen, David
Cc: 'Dan Harkins'; ipsec@lists.tislabs.com
Subject: Re: IPSEC Security Gateways & NAT


"Chen, David" <dchen@ellacoya.com> writes:

> Derek,
> 
> For aggress mode, the first message from responder will have the DH-key?

We were talking about Main Mode, not "aggress" [sic] mode.  I don't know
enough about the properties of Aggressive Mode to fully reply, but as
that wasn't the original discussion, I don't think it's apt.  Besides,
any host that is under an attack should back off aggressive mode and
require a "resend with cookie" from any initiator.

> Also, if initiator's IP address is meaningful (without linking to an auth
> method)
> then it may not be a good idea to let IKE traverse through NAPT devices.

The address isn't meaningful per se.  It's meaningful to meet
the reachability requirement.  All I know from the IP Address
is that if I (responder) receive a valid message 3, then I know
that I've got a reachable IP Address.  In other words, this is
the same IP Address that contacted me with a message 1.

All a NAPT device implies is that there could be any number of
real hosts behind the NAPT device that is the bad guy.  The responder
can't tell, and neither can their network provider.  So, you just
boink the whole network behind the NAPT device.  No big loss.

> Regards,
> 
> --- David

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
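As an added illustration (not part of this thread, and not any implementation's code), here is the stateless-cookie reachability check Derek describes together with the per-address limit that, behind a NAPT, lands on every host sharing the address: a hypothetical responder that stores nothing until message 3 echoes a valid cookie. `CookieResponder`, `napt_scenario`, the addresses and the limit are all assumed or constructed here.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

COOKIE_LEN = 8  # IKE (RFC 2409) cookies are 8 octets

class CookieResponder:
    """Hypothetical Main Mode responder: stateless until message 3 echoes a valid cookie."""

    def __init__(self, max_validated_per_addr=3):
        self.secret = secrets.token_bytes(32)     # would be rotated periodically
        self.max_per_addr = max_validated_per_addr
        self.validated = defaultdict(int)         # completed reachability checks per source IP

    def cookie_for(self, src_ip, src_port):
        # Stateless cookie: recomputable from the secret and the peer's address, nothing stored
        peer = f"{src_ip}:{src_port}".encode()
        return hmac.new(self.secret, peer, hashlib.sha256).digest()[:COOKIE_LEN]

    def on_message1(self, src_ip, src_port):
        # Message 1 costs the responder one HMAC and no table entry, so a flood of
        # message 1s exhausts nothing. Addresses over the limit get no cookie at all.
        if self.validated[src_ip] >= self.max_per_addr:
            return None
        return self.cookie_for(src_ip, src_port)

    def on_message3(self, src_ip, src_port, cookie):
        # Only a message 3 that echoes the cookie proves the source address was
        # reachable; state (DH exponent etc.) is allocated after this returns True.
        if self.validated[src_ip] >= self.max_per_addr:
            return False
        expected = self.cookie_for(src_ip, src_port)
        if not hmac.compare_digest(expected, cookie):
            return False        # guessed or mismatched cookie: address never proven reachable
        self.validated[src_ip] += 1
        return True

def napt_scenario(hosts_behind_nat, nat_ip="203.0.113.5", limit=2):
    # Constructed scenario: several hosts share one NAPT address and differ only by port.
    # Returns how many of them complete the exchange before the per-address limit bites.
    r = CookieResponder(max_validated_per_addr=limit)
    for _ in range(1000):                      # message-1 flood from the same address
        r.on_message1(nat_ip, 4500)
    accepted = 0
    for port in range(500, 500 + hosts_behind_nat):
        cookie = r.on_message1(nat_ip, port)
        if cookie is not None and r.on_message3(nat_ip, port, cookie):
            accepted += 1
    return accepted
```

The message-1 flood leaves the responder's state untouched, while the per-address budget is what makes the whole NAPT population look like one peer.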