
Re: IPSEC Security Gateways & NAT



"Chen, David" <dchen@ellacoya.com> writes:

> Derek,
> 
> The trouble is the responder can not tell
> if this is an attack or just lots of users behind the 
> same NAT trying to connect at the same time.
> 
> In addition, the DDOS can have many SIP attacks at the same time.
> Even throttling on an address does not help to prevent attacks using
> many SIP addresses.

I think this is just a problem with IKE in general.  Let's not start
mixing apples with oranges here.  This conversation started on NAT
traversal, and now is moving into general IKE DDoS protection.

As I've said, NAT does not (IMHO) add any additional attacks
that aren't already available without NAT.

> For message 1 and 2, the attacker and responder will use (appx.) equal 
> resource but message 3,4 is the attacker's goal, and it will still
> be able to do this. 

Yes, but if an attacker at IP address X sends me several bogus
"message 3" messages, or lots and lots of transactions, I can just
blacklist that host.

> Maybe initiator's IP address need to link with auth?

Maybe.  Maybe not.  Certainly in the end of the process we have an
authentication of the endpoint, although not necessarily the IP
Address.  Consider that a road-warrior practically NEVER has the same
IP address, so authenticating the IP Address is meaningless.

The question is: what attacks are you trying to protect against?
What's your threat model?  Considering IKE is already subject to
DDoS attacks, I would suggest that if you consider DDoS a major
threat, you need to fix IKE in that way.  However, that has nothing
to do with IKE NAT Traversal.

> --- David

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
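The two positions above (Derek: blacklist a source that sends several bogus "message 3"s or lots of transactions; David: a responder cannot distinguish a flood from many legitimate users behind one NAT) can be put side by side in a small model. The code below is an added illustration written for this archive page, not code from either correspondent or from any IKE implementation. It assumes a simplified responder view in which each arriving packet is tagged as a new exchange ("msg1"), a message 3 that matches a live exchange ("msg3_ok"), or a message 3 that references no known exchange ("msg3_bogus"); the source addresses and timings are constructed sample data.

```python
"""Per-source throttling at an IKE responder, with and without the NAT caveat.

Hypothetical model: a sliding-window counter per source address; once a source
exceeds `limit` counted packets within `window` seconds it is blacklisted and
everything further from it is dropped. Two policies decide which packets count.
"""
from collections import defaultdict, deque

# Constructed sample traffic as seen by the responder: (time, source IP, kind).
SAMPLE_EVENTS = sorted(
    [(t, "203.0.113.5", "msg3_bogus") for t in range(8)]        # one host flooding bogus message 3s
    + [(t, "198.51.100.7", "msg1") for t in range(8)]           # eight users behind one NAT, all legitimate
    + [(t + 8, "198.51.100.7", "msg3_ok") for t in range(8)]    # ...and their valid message 3s
    + [(0, "192.0.2.9", "msg1"), (3, "192.0.2.9", "msg3_ok")],  # a single road warrior
    key=lambda e: e[0],
)


def counts_transactions(kind):
    """Broad rule: every new exchange and every bogus message 3 counts."""
    return kind in ("msg1", "msg3_bogus")


def counts_bogus_only(kind):
    """Narrow rule: only message 3s that match no live exchange count."""
    return kind == "msg3_bogus"


class SourceThrottle:
    def __init__(self, window=10.0, limit=5):
        self.window = window          # seconds of history kept per source
        self.limit = limit            # counted packets allowed inside the window
        self.history = defaultdict(deque)  # src -> timestamps of counted packets
        self.blacklist = set()

    def observe(self, src, now, counted):
        """Record one arrival; return True if the packet should be dropped."""
        if src in self.blacklist:
            return True
        if not counted:
            return False
        q = self.history[src]
        q.append(now)
        while q and now - q[0] > self.window:   # expire old entries
            q.popleft()
        if len(q) > self.limit:
            self.blacklist.add(src)
            return True
        return False


def evaluate(events, policy, window=10.0, limit=5):
    """Replay events through the throttle; return the set of blacklisted sources."""
    throttle = SourceThrottle(window, limit)
    for now, src, kind in events:
        throttle.observe(src, now, policy(kind))
    return set(throttle.blacklist)


if __name__ == "__main__":
    for name, policy in (("count all transactions", counts_transactions),
                         ("count bogus message 3 only", counts_bogus_only)):
        print(f"{name}: blacklisted {sorted(evaluate(SAMPLE_EVENTS, policy))}")
```

Under the broad policy the NAT address 198.51.100.7 is blacklisted alongside the flooding host, which is exactly David's objection: eight real users opening exchanges in the same ten seconds look like a flood. Under the narrow policy only the host sending message 3s that match no exchange is blacklisted, since legitimate initiators behind the NAT never produce those. Which rule a responder can afford depends on the threat model Derek asks for; neither changes the fact that an attacker with many source addresses is a general IKE problem rather than a NAT-traversal one.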
