[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IPSEC Security Gateways & NAT

To: "'Derek Atkins'" <warlord@mit.edu>
Subject: RE: IPSEC Security Gateways & NAT
From: "Chen, David" <dchen@ellacoya.com>
Date: Mon, 18 Jun 2001 15:40:20 -0400
Cc: "'Dan Harkins'" <dharkins@lounge.org>, ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com

Derek,

Here is my observation:

In order let IKE packets traverse through NAT, 
the responder has to respond udp port number other than 500.
For DOS attacker, he gains more attacking messages from a single address.
In addition, as long as responder drop some real user's IKE messages
(due to the mixing of real and attacked messages and throttling/blocked
 this same SIP of NAT device)
 the DOS attack is successfully denying others valid access to the 
responder. (although not as disaster as the responder is brought down).

if no NAT allowed, the responder will only respond to udp port 500,
Furthermore, the responder sure can block (not throttle) the SIP since it
represents only one initiator (and is the attacker)  

Since the initiator's IP address could be the only id before DH-key
exchange,
it seems can help to reduce DOS attack? 
(by using pre-shared key to auth this ip-address before DH-key exchange)

If this is the case, when traversing trough NAT, 
then tunneling IKE by encapsulating yet another UDP is a good method?

Regards,

--- David

-----Original Message-----
From: Derek Atkins [mailto:warlord@MIT.EDU]
Sent: Monday, June 18, 2001 2:22 PM
To: Chen, David
Cc: 'Dan Harkins'; ipsec@lists.tislabs.com
Subject: Re: IPSEC Security Gateways & NAT

"Chen, David" <dchen@ellacoya.com> writes:

> Derek,
> 
> The trouble is the responder can not tell
> if this an attack or just lots of users behind the 
> same NAT try to connect at the same time.
> 
> In addition, the DDOS can have many SIP attack at the same time.
> Even throttle on a address, it does not help to prevent using
> many SIP addresses attack.

I think this is just a problem with IKE in general.  Let's not start
mixing apples with oranges here.  This conversation started on NAT
traversal, and now is moving into general IKE DDoS protection.

As I've said, NAT does not (IMHO) add any additional attacks
that aren't already available without NAT.

> For message 1 and 2, the attacker and resonder will use (appx.) equal 
> resource but message 3,4 is the attacker's goal, and it still
> be able do this. 

Yes, but if an attacker at IP address X sends me several bogus
"message 3" messages, or lots and lots of transactions, I can just
blacklist that host.

> Maybe initiator's IP address need to link with auth?

Maybe.  Maybe not.  Certainly in the end of the process we have an
authentication of the endopoint, although not necessarily the IP
Address.  Consider that a road-warrior practically NEVER has the same
IP address, so authenticating the IP Address is meaningless.

The question is: what attacks are you trying to protect against?
What's your threat model?  Considering IKE is already subject to
DDoS attacks, I would suggest that if you consider DDoS a major
threat, you need to fix IKE in that way.  However that has nothing
to do with IKE NAT Traversal.

> --- David

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

Follow-Ups:

Re: IPSEC Security Gateways & NAT

From: Derek Atkins <warlord@mit.edu>

Prev by Date: Re: IPSEC Security Gateways & NAT
Next by Date: Re: IPSEC Security Gateways & NAT
Prev by thread: Re: IPSEC Security Gateways & NAT
Next by thread: Re: IPSEC Security Gateways & NAT
Index(es):
- Main
- Thread