
NAT-Traversal - Security Considerations

I'm wondering about two problems (one with Transport Mode, the other
with Tunnel Mode) that can affect NAT-Traversal.

draft-ietf-ipsec-udp-encaps-02 deals with conflict problems, but (I think)
there are also problems that can occur with only one IPsec client.

o Transport Mode

         +-----+
         |  M  |
         +-----+\
                  \
          +----+    \ /                +-----+
         +| WS |-----+-----------------|  S  |
        +|+----+    / \                +-----+
        |+----+     NAT
        +----+

   Math (M) is behind the NAT and establishes an SA with the Server (S)
   using a specific Traffic Selector (TS).

   After that, S will send to M all packets for the NAT that are selected
   by the TS (everything, in many implementations and configurations).

   This can cause a denial of service, as the Workstations (WS) and the
   NAT device will not be able to communicate with the Server (S) anymore.
   There are also confidentiality considerations, as Math will receive
   packets that are not for him.

   Am I right, or is there a solution to avoid this problem, as many
   implementations will use the SA for every packet from S to the NAT?


o Tunnel Mode

                                             +-----+
                                      +------| VIM |
                    NAT               |      +-----+
         +-----+    \ /            +----+
         |  M  |-----+------+------| GW |
         +-----+    / \     |      +----+
                            |         |      +----+
                            |         +------| IS |
                         +--+--+             +----+
                         |  S  |
                         +-----+

   Math (M) is behind the NAT and establishes an SA with the Gateway (GW)
   using a specific Traffic Selector (TS). Using Tunnel Mode, Math will
   normally use his private IP address but can also use a spoofed one:
   that of the Server (S) or of the VeryImportantMachine (VIM).

   After that, all packets for S or VIM (according to the TS) will be sent
   to M via the UDP-encapsulated tunnel. Even packets from the Internal
   Server (IS) to VIM will be sent to Math.

   This can be used by a malicious user to steal packets destined for VIM
   or to deny communication with S.

   Am I right, or am I missing something?
   How can GW decide whether Math's IP is valid and not a spoofed one?

--
Mathieu Lafon - Arkoon Network Security
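The two questions in the mail above both come down to how the SA's traffic selectors are chosen and enforced. The following Python is an added illustration, not part of the original message and not code from any IPsec implementation; every address, the port number and the "assigned address" that GW hands to M are constructed assumptions. It models (a) the transport-mode case, where S's outbound SA lookup is a first-match on selectors, so a TS of "anything from S to the NAT's public address" swallows WS's and the NAT's own traffic while a TS narrowed to M's NAT-translated port does not, and (b) the tunnel-mode case, where GW accepts a client TS only if it equals the address GW itself assigned, and drops decapsulated packets whose inner header does not match the SA's selectors (the inbound check that standard IPsec processing requires, RFC 4301 section 5.2 in today's terms).

```python
"""Toy model of IPsec SA traffic selectors for the two NAT-T cases discussed above.

Added example with constructed addresses; it is not code from the original mail
or from any IPsec implementation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int                     # 6 = TCP, 17 = UDP, 1 = ICMP
    dport: Optional[int] = None    # None for protocols without ports


@dataclass
class Selector:
    """One SA traffic selector; None means 'any' for proto/dport."""
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


@dataclass
class SA:
    name: str
    ts: Selector


def outbound_sa(spd: List[SA], p: Packet) -> Optional[str]:
    """First-match SPD lookup, as a host does before sending a packet."""
    for sa in spd:
        if sa.ts.matches(p):
            return sa.name
    return None        # no SA: packet goes out in the clear


# --- Transport mode (S's point of view). Constructed addresses. ---
S = IPv4Address("198.51.100.10")       # the Server
NAT_PUB = IPv4Address("203.0.113.1")   # public side of the NAT
M_NAT_PORT = 40000                     # port the NAT assigned to M's session (assumption)


def transport_case(narrow_ts: bool) -> Dict[str, Optional[str]]:
    """Which of S's outbound packets get pulled into M's SA.

    narrow_ts=False: TS is 'S -> NAT_PUB, any proto/port' (what the mail
    says many implementations do). narrow_ts=True: TS is restricted to the
    TCP port that the NAT translated M's session to.
    """
    ts = Selector(IPv4Network(f"{S}/32"), IPv4Network(f"{NAT_PUB}/32"),
                  proto=6 if narrow_ts else None,
                  dport=M_NAT_PORT if narrow_ts else None)
    spd = [SA("M-transport", ts)]
    pkts = {
        "reply to M":   Packet(S, NAT_PUB, 6, M_NAT_PORT),
        "reply to WS":  Packet(S, NAT_PUB, 6, 40001),   # WS's NAT-translated port
        "ping to NAT":  Packet(S, NAT_PUB, 1),
    }
    return {name: outbound_sa(spd, p) for name, p in pkts.items()}


# --- Tunnel mode (GW's point of view). Constructed addresses. ---
INTERNAL = IPv4Network("10.0.0.0/24")
ASSIGNED = IPv4Address("10.0.0.200")   # inner address GW hands to M (assumption)
VIM = IPv4Address("10.0.0.5")
IS = IPv4Address("10.0.0.6")


def gateway_tunnel_case(claimed_inner: IPv4Address) -> Dict[str, bool]:
    """GW processing when M proposes `claimed_inner` as its tunnel-mode TS."""
    result = {"sa_established": claimed_inner == ASSIGNED}
    if not result["sa_established"]:
        return result          # TS must equal the assigned address, else no SA
    # Outbound on GW: only traffic to M's assigned address enters M's tunnel,
    # so IS -> VIM is never diverted to M.
    spd = [SA("M-tunnel", Selector(INTERNAL, IPv4Network(f"{ASSIGNED}/32")))]
    result["IS->VIM diverted to M"] = outbound_sa(spd, Packet(IS, VIM, 6, 22)) is not None
    result["IS->M sent to M"] = outbound_sa(spd, Packet(IS, ASSIGNED, 6, 22)) is not None
    # Inbound on GW: after decapsulation the inner packet must match the
    # mirrored selectors; a spoofed inner source (VIM) is dropped.
    inbound_ts = Selector(IPv4Network(f"{ASSIGNED}/32"), INTERNAL)
    result["spoofed VIM source accepted"] = inbound_ts.matches(Packet(VIM, IS, 6, 22))
    result["genuine M source accepted"] = inbound_ts.matches(Packet(ASSIGNED, IS, 6, 22))
    return result


if __name__ == "__main__":
    print("broad TS :", transport_case(False))
    print("narrow TS:", transport_case(True))
    print("M claims VIM     :", gateway_tunnel_case(VIM))
    print("M claims assigned:", gateway_tunnel_case(ASSIGNED))
```

The narrowing in the transport case only works once the peer knows the NAT-translated port, which is exactly the information the UDP-encapsulation exchange exposes; the tunnel case relies on GW, not the client, being the source of truth for the inner address and on the post-decapsulation selector check being enforced rather than skipped.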