Re: IPsec and Mobile IPv6
In your previous mail you wrote:
My three sentence summary is:
1. NATs are devices in the path.
2. Any device in the path can perform a DoS attack or change IP addresses.
3. A number of protocols have been made NAT-friendly by removing the
IP source address (and/or port) from within the protection, leaving those
protocols open to "pseudo-NATs".
=> yes, the attack is the price to pay for the basic "NAT-traversal" feature.
As much as I dislike NAT ....
=> I not only dislike them but I work in an environment without NATs 95%
of the time.
I guess I'm just not very convinced this is a serious issue.
=> I found this issue during a presentation of the NAT-traversal feature
of Mobile IP(v4). I jumped on my laptop to signal it to the draft authors,
and they agreed this is a serious issue, so they updated their draft with
a far larger "security considerations" section. The fact that the same issue
stands for IKE, which is a security protocol, IMHO is even more serious:
I can't see why I have to pay such a price for a feature I don't use.
Another argument: the address agility section is too vague about the
properties of the addresses IKEv2 runs over. This must be cleaned up, and
there is an opportunity to make it better: fulfill the NAT-traversal,
mobility and multi-homing requirements in the most secure way for each.
Regards
Francis.Dupont@enst-bretagne.fr
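The trade-off in the three-sentence summary above, shown as an added illustration that is not part of this thread: a message whose integrity tag covers the outer source address/port rejects any in-path rewrite (real NAT or pseudo-NAT alike), while the NAT-friendly variant that leaves those fields out of the protection accepts both. The key, addresses and payload are constructed sample values, not taken from IKE or Mobile IP.

```python
import hashlib
import hmac
from typing import Dict

KEY = b"constructed-shared-key"  # constructed sample key, hypothetical


def integrity_tag(msg: Dict[str, str], key: bytes, cover_addr: bool) -> bytes:
    """HMAC over the message body; with cover_addr=True the outer source
    address and port are included in the protected data (the pre-NAT-traversal
    design), with cover_addr=False they are left out (the NAT-friendly design)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    if cover_addr:
        h.update(msg["src_ip"].encode() + b":" + msg["src_port"].encode())
    h.update(msg["body"].encode())
    return h.digest()


def verify(msg: Dict[str, str], tag: bytes, key: bytes, cover_addr: bool) -> bool:
    """Receiver-side check; constant-time compare of the recomputed tag."""
    return hmac.compare_digest(integrity_tag(msg, key, cover_addr), tag)


def rewrite_source(msg: Dict[str, str], new_ip: str, new_port: str) -> Dict[str, str]:
    """Model a device in the path rewriting the outer source address/port.
    A real NAT and a pseudo-NAT are indistinguishable here: body and tag are
    forwarded untouched, only the addressing fields change."""
    out = dict(msg)
    out["src_ip"] = new_ip
    out["src_port"] = new_port
    return out


def accepted_after_rewrite(cover_addr: bool) -> bool:
    """Send one constructed message through an address-rewriting hop and
    report whether the receiver still accepts it.
    cover_addr=False -> True  (NAT-friendly, but a pseudo-NAT is also accepted)
    cover_addr=True  -> False (rewrite detected, but real NATs break too)"""
    msg = {"src_ip": "192.0.2.10", "src_port": "500", "body": "IKE-payload"}  # constructed
    tag = integrity_tag(msg, KEY, cover_addr)
    altered = rewrite_source(msg, "198.51.100.7", "4500")  # constructed new address
    return verify(altered, tag, KEY, cover_addr)


if __name__ == "__main__":
    print("NAT-friendly design accepts rewritten address:", accepted_after_rewrite(False))
    print("Address-covering design accepts rewritten address:", accepted_after_rewrite(True))
```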