
Re: NAT Traversal - Recovering from the expiring NAT mappings



michaell@servgate.com (michael lin) writes:
> In draft-ietf-ipsec-nat-ike-02.txt, it said
> 
> There are cases where NAT box decides to remove mappings that are still
> alive (for example, the keepalive interval is too long, or the NAT box is
> rebooted). To recover from those, ends which are NOT behind NAT SHOULD use
> the last valid authenticated packet from the other end to determine which IP
> and port addresses should be used. The host behind dynamic NAT MUST NOT
> do this as otherwise it opens DoS attack possibility, and there is no need
> for that, because the IP address or port of other host will not change (it
> is not behind NAT).
> 
> I cannot fully understand. Suppose following:
> 
> A --- NAT --- Internet --- B
> 
>       1.1.1.1 port x ----->
>       1.1.1.1 port x ----->
>       1.1.1.1 port x ----->               (LAST packet)
> 
>       reboot
> 
>       1.1.1.2 port y ----->               (NEXT packet)

This packet is received by host B and authenticated, and then it is
processed normally. Note that for the incoming case we do not care
about the source IP. After the authentication check it becomes the LAST
authenticated packet received.

> If the NEXT packet (source IP 1.1.1.2 and port y) passes the authentication
> check, B will know the A's IP and port have been changed, right?

Yes. And after that, whenever it is sending packets back, it needs to
use the source address of the last authenticated packet received from
the other end as the destination address where to send the packets.

> But in the draft, it said "the LAST valid authenticated packet".
> What does it mean? Why is it NEXT packet, but LAST packet?

Because this is needed for sending the replies back, thus we use the
last authenticated packet in. The in-transit incoming packet does not
matter if we haven't yet seen and authenticated it, and once we have
received and authenticated it, then it is the last packet.

> And since the source IP and port could be changed, does it mean B doesn't need
> to check source IP and port? If the packet passes authentication check, the
> packet is coming from the right source.

Yes, B does not check the source IP and port; only the destination IP
and port matter, and then we do the normal authentication checks. But to
send replies back to the proper A we need the destination address and
port for A, and those MUST be taken from the last authenticated
packet received from A.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
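The rule discussed in this thread (B, which is not behind NAT, moves its reply destination to the source of the last authenticated packet; A, which is behind NAT, never does; an unauthenticated packet changes nothing), as an added Python model. This is example code, not from the draft or the SSH toolkit; the addresses, ports, HMAC key and NAT behaviour are constructed for illustration.

```python
import hmac
import hashlib
from collections import namedtuple

KEY = b"constructed-shared-key"  # constructed stand-in for the negotiated SA key
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port payload tag")

def mac(payload):
    return hmac.new(KEY, payload, hashlib.sha256).digest()

class Endpoint:
    """One IPsec peer's view of where replies to the other side must go."""

    def __init__(self, ip, port, peer_ip, peer_port, behind_nat):
        self.ip, self.port = ip, port
        self.peer_ip, self.peer_port = peer_ip, peer_port
        self.behind_nat = behind_nat

    def receive(self, pkt):
        # Only the destination is matched; the source is deliberately not checked.
        if (pkt.dst_ip, pkt.dst_port) != (self.ip, self.port):
            return False
        if not hmac.compare_digest(mac(pkt.payload), pkt.tag):
            return False  # unauthenticated packets never move the reply address
        if not self.behind_nat:
            # Host NOT behind NAT: remember the source of the LAST authenticated packet
            self.peer_ip, self.peer_port = pkt.src_ip, pkt.src_port
        return True

    def send(self, payload):
        return Packet(self.ip, self.port, self.peer_ip, self.peer_port, payload, mac(payload))

def nat(pkt, pub_ip, pub_port):
    """Constructed NAT box: rewrites the outer source of A's outgoing packet."""
    return pkt._replace(src_ip=pub_ip, src_port=pub_port)

def scenario():
    a = Endpoint("10.0.0.5", 4500, "2.2.2.2", 4500, behind_nat=True)   # A, behind NAT
    b = Endpoint("2.2.2.2", 4500, "1.1.1.1", 4500, behind_nat=False)   # B, public side
    b.receive(nat(a.send(b"pkt1"), "1.1.1.1", 4500))   # mapping 1.1.1.1 port x
    before = (b.peer_ip, b.peer_port)
    b.receive(nat(a.send(b"pkt2"), "1.1.1.2", 4501))   # NAT rebooted: 1.1.1.2 port y
    after = (b.peer_ip, b.peer_port)
    forged = Packet("9.9.9.9", 1, "2.2.2.2", 4500, b"pkt3", b"\x00" * 32)
    b.receive(forged)                                  # fails authentication, ignored
    reply = b.send(b"reply")._replace(dst_ip=a.ip, dst_port=a.port)  # NAT maps it back
    a.receive(reply)                                   # A keeps B's fixed address
    return before, after, (b.peer_ip, b.peer_port), (a.peer_ip, a.peer_port)
```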