Re: NAT-Traversal - Security Considerations
As I (now) understand it, we must apply NAT to NAT-T packets
using Transport Mode or we create a blackhole between the
Responder and the NAT device.
As it is not obvious (tell me if I'm the only one for whom it was
not obvious) and can cause DoS, even with normal use, implementors
should be explicitly warned.
For example:
Implementors are warned that NAT SHOULD be applied to packets
received using Transport Mode encapsulation when the sender is
behind a NAT device.
Without NAT, all packets sent by S to the NAT device or to devices
behind it, and matching the traffic descriptor of the established SA,
will be sent to the peer which has initiated the SA.
This will create a sort of blackhole between S and the NAT device.
Implementors MUST devise ways of preventing such a thing from
occurring; either by disallowing Transport Mode, by applying NAT or
by other means.
Of course, don't forget to correct me if I'm still wrong, and note that
I will not allow NAT-T Transport Mode as it is not satisfactory to me.
--
Mathieu Lafon - Arkoon Network Security
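The blackhole the message describes, modelled as an added example (not code from the thread or from any IPsec implementation): the responder S holds a transport-mode SA whose traffic selector covers the NAT's public address, so every packet S sends to that address, whether meant for the initiator, the NAT device itself or another host behind it, is matched and pushed into the SA. All addresses and the mapped port are constructed, and narrowing the selector to the port the NAT mapped for the initiator is assumed here as one of the "other means" the message leaves open, not the message's own proposal.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the scenario in the message (not real hosts).
RESPONDER = "198.51.100.10"   # S, the responder outside the NAT
NAT_PUBLIC = "203.0.113.1"    # public address of the NAT device
MAPPED_PORT = 41000           # UDP port the NAT allocated to the initiator


@dataclass(frozen=True)
class Selector:
    """Traffic selector of a transport-mode SA as seen by S."""
    local: str
    remote: str
    remote_port: Optional[int]   # None means "any port"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int


def matches(sel: Selector, pkt: Packet) -> bool:
    """True if the packet falls under the SA's traffic descriptor."""
    return (pkt.src == sel.local and pkt.dst == sel.remote
            and (sel.remote_port is None or sel.remote_port == pkt.dst_port))


def forward(sel: Selector, pkt: Packet) -> str:
    """Where S sends a packet: into the SA (to the initiator) or in clear."""
    return "to-initiator-via-SA" if matches(sel, pkt) else "cleartext"


# SA set up without any NAT handling: remote = NAT public address, any port.
naive_sa = Selector(RESPONDER, NAT_PUBLIC, None)
# SA whose selector is narrowed to the port the NAT mapped for the initiator.
narrowed_sa = Selector(RESPONDER, NAT_PUBLIC, MAPPED_PORT)

# Management traffic for the NAT device itself, and traffic for the initiator.
ssh_to_nat = Packet(RESPONDER, NAT_PUBLIC, 22)
to_initiator = Packet(RESPONDER, NAT_PUBLIC, MAPPED_PORT)


def blackhole_demo() -> dict:
    """Compare both SAs: the naive one swallows the NAT's own traffic."""
    return {
        "naive": (forward(naive_sa, ssh_to_nat), forward(naive_sa, to_initiator)),
        "narrowed": (forward(narrowed_sa, ssh_to_nat), forward(narrowed_sa, to_initiator)),
    }
```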