
Re: NAT-Traversal - Security Considerations

As I (now) understand it, we must apply NAT to NAT-T packets
using Transport Mode or we create a blackhole between the
Responder and the NAT device.

As it is not obvious (tell me if I'm the only one for whom it was
not obvious) and can cause DoS, even with normal use, implementors
should be explicitly warned.

For example:

  Implementors are warned that NAT SHOULD be applied to packets
  received using Transport Mode encapsulation when the sender is
  behind a NAT device.

  Without NAT, all packets sent by S to the NAT device or devices
  behind it, and following the traffic descriptor of the SA established,
  will be sent to the peer which has initiated the SA.
  This will create a sort of blackhole between S and the NAT device.

  Implementors MUST devise ways of preventing such a thing from
  occurring; either by disallowing Transport Mode, by applying NAT or
  by other means.


Of course, don't forget to correct me if I'm still wrong and note that
I will not allow NAT-T Transport Mode as it is not satisfying for me.

--
Mathieu Lafon - Arkoon Network Security
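The blackhole described in the message, as an added illustration that is not part of the original post: a toy SPD lookup on the responder S, where the transport-mode SA's selector is the NAT device's public address, plus an audit helper that flags such entries. The addresses, the `peer_behind_nat` flag and the port-forwarded web server behind the same NAT are constructed assumptions.

```python
# Added example (not from the original message): a toy SPD lookup on the
# responder S showing the transport-mode NAT-T "blackhole", plus an audit
# that flags SPD entries exposed to it.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Selector:
    remote_ip: str
    proto: Optional[int] = None        # None = any protocol
    remote_port: Optional[int] = None  # None = any port

@dataclass(frozen=True)
class SPDEntry:
    name: str
    selector: Selector
    mode: str              # "transport" or "tunnel"
    peer_behind_nat: bool  # assumed to be learned during IKE NAT detection

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: int
    dst_port: int

def classify(pkt: Packet, spd: list[SPDEntry]) -> str:
    """Return the name of the SPD entry that captures pkt, else 'BYPASS'.
    First match wins, as in a real SPD."""
    for e in spd:
        s = e.selector
        if (s.remote_ip == pkt.dst_ip
                and s.proto in (None, pkt.proto)
                and s.remote_port in (None, pkt.dst_port)):
            return e.name
    return "BYPASS"

def blackhole_risks(spd: list[SPDEntry]) -> list[str]:
    """Flag transport-mode entries whose peer is behind a NAT and whose
    selector is not narrowed to a port: every packet S sends to the NAT's
    public address, whoever it is really for, is swallowed by that SA."""
    return [e.name for e in spd
            if e.mode == "transport" and e.peer_behind_nat
            and e.selector.remote_port is None]

# Constructed scenario: initiator I sits behind a NAT with public address
# 198.51.100.7; S negotiated a transport-mode SA whose selector is that address.
NAT_PUBLIC = "198.51.100.7"
SPD = [SPDEntry("sa-to-I", Selector(NAT_PUBLIC), "transport", True)]

# Constructed: a TLS connection from S to a web server port-forwarded through
# the same NAT device. It has nothing to do with I, yet it matches the SA.
web_syn = Packet(NAT_PUBLIC, 6, 443)

if __name__ == "__main__":
    print(classify(web_syn, SPD))  # sa-to-I: sent to I, never reaches the server
    print(blackhole_risks(SPD))    # ['sa-to-I']
```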