
RE: IPSEC Security Gateways & NAT



Derek,

What I mean is, in order to traverse NAT, the responder has
to respond to a potential attacker (who may not be behind NAT)
that initiates lots of (different) message 1s and 3s using only one
SIP and different source port numbers.
After this,
can the attacker still keep the responder busy at DH key generation? (message 4)

Regards,

--- David

-----Original Message-----
From: Derek Atkins [mailto:warlord@MIT.EDU]
Sent: Friday, June 15, 2001 12:25 PM
To: Chen, David
Cc: 'Dan Harkins'; ipsec@lists.tislabs.com
Subject: Re: IPSEC Security Gateways & NAT


"Chen, David" <dchen@ellacoya.com> writes:

> Derek,
> 
> Consider the case: 
> host<->NAT-WG<==>SG (responder)
> 
> 
> The NAT device changes all the SourceIP addresses to its own
> visible SourceIP address.

Yes, but each host behind the NAT device will have a unique port
number on the NAT device.  Let's say we have:

 host1\
 host2 +-<=> NAT <=> SG (responder)
 host3/

The SG will still see three unique addr/port pairs (because the NAT
box will map host1/500 to NAT_ext/port1, host2/500 to NAT_ext/port2,
etc).  So the SG can still assign cookies individually.

> Since it is possible to have several hosts as IKE initiators,
> it seems the IKE has to accept as many messages as
> the initiators send with the same SIP address.

No, because the responder should generate a cookie based upon the
source ip address _AND PORT_ obtained in message 1 (indeed, it could
also be based on the initiator cookie, but that doesn't buy the
responder much).  As I just pointed out, the responder can still
uniquely identify the individual initiators behind the NAT gateway
based upon the unique port numbers.  So an attacker would still have
to present the correct cookie in message 3 based upon the port number
the NAT box gives it.

> The DoS attacker can use the same IP address and
> send lots of 1 and 3 IKE messages to
> SG (with *HDR* variations)?

If an attack exists here, NAT doesn't help (or hurt).  If an initiator
can send multiple message-3 requests based on a single message-1
cookie, then such an attack exists regardless of whether or not NAT is
being used.  There is a simple remedy to this attack:

	a) base the responder cookie on:
		i) the source ip address
		ii) the source port
		iii) the initiator cookie
	b) cache the message 4 response to message 3

Then if you get a 'duplicate' message 3 (where 'duplicate' means the
same initiator/responder cookies) and the responder cookie verifies,
the responder need only re-send the message 4 response without any
additional work.  Similarly, if the responder cookie does not verify,
then something changed and the message can be dropped summarily.

Using NAT doesn't change this behavior, and it still works fine.
Indeed, this protection mechanism will still work, too.

The only problem you have with NAT (in terms of DoS attacks) is that
if one host is spewing tons of message-1's to a SG, you cannot figure
out that it is host2 vs. host1, so you have to throttle ALL hosts
behind the NAT box.

> Regards,
> 
> --- David

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
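The remedy Derek outlines (cookie bound to source IP, source port and initiator cookie; message 4 cached and re-sent on a duplicate message 3; non-verifying cookies dropped) can be shown as a small responder model. This is an added example, not code from the thread or from any IKE implementation: the cookie is an HMAC over the three inputs under a responder-local secret (a construction assumed here, the mailing list does not prescribe one), "DH work" is modelled as a counter, and the NAT address, ports and initiator cookies are constructed sample values.

```python
"""Model of a stateless-cookie IKE responder with a cached message-4 reply.

Assumed construction (not from the thread): responder cookie = HMAC-SHA256
over (src_ip, src_port, initiator_cookie) under a per-responder secret.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Responder:
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    dh_computations: int = 0                 # "expensive" work actually performed
    cache: dict = field(default_factory=dict)  # (icookie, rcookie) -> message 4

    def responder_cookie(self, src_ip: str, src_port: int, icookie: bytes) -> bytes:
        # a) cookie derived from source IP, source port and initiator cookie;
        #    no per-initiator state is kept, so message 1 floods are cheap to answer
        msg = f"{src_ip}|{src_port}|".encode() + icookie
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def handle_message1(self, src_ip: str, src_port: int, icookie: bytes) -> bytes:
        # message 2 carries only the responder cookie; DH has not started yet
        return self.responder_cookie(src_ip, src_port, icookie)

    def handle_message3(self, src_ip, src_port, icookie, rcookie):
        expected = self.responder_cookie(src_ip, src_port, icookie)
        if not hmac.compare_digest(expected, rcookie):
            return None  # cookie does not verify: something changed, drop summarily
        key = (icookie, rcookie)
        if key in self.cache:
            # b) duplicate message 3: re-send the cached message 4, no extra work
            return self.cache[key]
        self.dh_computations += 1  # stands in for the DH exponentiation
        message4 = b"KE-resp:" + hashlib.sha256(self.secret + icookie).digest()[:8]
        self.cache[key] = message4  # a real responder would expire this entry
        return message4


def demo() -> dict:
    """Two hosts behind one NAT, a replayed message 3, and a cookie moved to
    another port. Returns what the responder did, for inspection."""
    r = Responder()
    nat_ip = "203.0.113.5"                 # constructed: NAT external address
    ic1, ic2 = b"\x01" * 8, b"\x02" * 8    # constructed initiator cookies
    rc1 = r.handle_message1(nat_ip, 1024, ic1)  # host1/500 -> NAT_ext/1024
    rc2 = r.handle_message1(nat_ip, 1025, ic2)  # host2/500 -> NAT_ext/1025

    m4_host1 = r.handle_message3(nat_ip, 1024, ic1, rc1)
    replays = [r.handle_message3(nat_ip, 1024, ic1, rc1) for _ in range(100)]
    moved = r.handle_message3(nat_ip, 1025, ic1, rc1)  # host1's cookie from host2's port
    m4_host2 = r.handle_message3(nat_ip, 1025, ic2, rc2)

    return {
        "distinct_cookies": rc1 != rc2,
        "replays_served_from_cache": all(m == m4_host1 for m in replays),
        "moved_cookie_dropped": moved is None,
        "host2_got_own_reply": m4_host2 is not None and m4_host2 != m4_host1,
        "dh_computations": r.dh_computations,  # one per legitimate initiator
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes concrete is the one in the thread: even though both initiators share the NAT's external address, their port numbers give them distinct cookies, a hundred repeated message 3s cost the responder one DH computation per initiator, and a cookie presented from a different port fails verification. What the model cannot fix is the last paragraph's observation: a message 1 flood from one host behind the NAT is indistinguishable from the other hosts there, so any throttling applies to the whole NAT address.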

