
Re: IPsec and Mobile IPv6



In your previous mail you wrote:

   My three-sentence summary is:
   
   1. NATs are devices in the path.
   2. Any device in the path can perform a DoS attack or change IP addresses.
   3. A number of protocols have been made NAT-friendly by removing the 
      IP source address (and/or port) from within the protection, leaving those
      protocols open to "pseudo-NATs".
   
=> yes, the attack is the price to pay for the basic "NAT-traversal" feature.

     As much as I dislike NAT ....

=> I not only dislike them but I work in an environment without NATs 95%
of the time.

   I guess I'm just not very convinced this is a serious issue. 
   
=> I found this issue during a presentation of the NAT-traversal feature
of Mobile IP(v4). I jumped on my laptop to signal it to the draft authors,
and they agreed this is a serious issue, so they updated their draft with
a far larger "security consideration" section. The fact that the same issue
stands for IKE, which is a security protocol, is IMHO even more serious:
I can't see why I have to pay such a price for a feature I don't use.
 Another argument: the address agility section is too vague about the
properties of the addresses IKEv2 runs over. This must be cleaned up, and
there is an opportunity to make it better: fulfill the NAT-traversal,
mobility and multi-homing requirements in the most secure way for each.

Regards,

Francis.Dupont@enst-bretagne.fr
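The "pseudo-NAT" point in the summary above is easier to see in a small model. The following is an added illustration, not code from the thread or from any IKE implementation: it computes an integrity tag over a message either with or without the outer source address under protection, lets an in-path device (a legitimate NAT or a pseudo-NAT, which are indistinguishable from the receiver's point of view) rewrite that address, and shows which of the two designs lets the receiver detect the rewrite. The key, the addresses and the payload are constructed sample values; `tag`, `send`, `rewrite_source` and `receive` are hypothetical names chosen for the model.

```python
import hmac
import hashlib
import ipaddress
from typing import Optional

# Constructed sample values; in IKE the key would come from the negotiated SA.
KEY = b"constructed-shared-key"
PAYLOAD = b"constructed-ike-message"
PEER_ADDR = "192.0.2.10"       # the real peer's address
OTHER_ADDR = "198.51.100.7"    # what an in-path device rewrites the address to


def tag(payload: bytes, src: Optional[str]) -> bytes:
    """HMAC over the message, covering the source address only when src is given.

    src=None models the NAT-friendly variant that removes the address
    from the protected data so that a NAT's rewrite does not break the check.
    """
    h = hmac.new(KEY, digestmod=hashlib.sha256)
    if src is not None:
        h.update(ipaddress.ip_address(src).packed)
    h.update(payload)
    return h.digest()


def send(payload: bytes, src: str, protect_addr: bool) -> dict:
    """Build a message as the sender would emit it."""
    return {
        "src": src,
        "payload": payload,
        "tag": tag(payload, src if protect_addr else None),
    }


def rewrite_source(packet: dict, new_src: str) -> dict:
    """What any device in the path can do: change the outer source address.

    A real NAT does this as its job; a 'pseudo-NAT' does it to redirect
    the receiver's replies. The receiver cannot tell which one it was.
    """
    rewritten = dict(packet)
    rewritten["src"] = new_src
    return rewritten


def receive(packet: dict, protect_addr: bool) -> bool:
    """Verify the tag; True means the receiver accepts the message as-is."""
    expected = tag(packet["payload"], packet["src"] if protect_addr else None)
    return hmac.compare_digest(expected, packet["tag"])


def outcomes() -> dict:
    """Run both designs with and without an in-path rewrite.

    Returns whether the receiver accepts the message in each case:
      - 'protected':   address under the tag
      - 'nat_friendly': address removed from the tag
    """
    result = {}
    for name, protect in (("protected", True), ("nat_friendly", False)):
        original = send(PAYLOAD, PEER_ADDR, protect)
        rewritten = rewrite_source(original, OTHER_ADDR)
        result[name] = {
            "untouched_accepted": receive(original, protect),
            "rewritten_accepted": receive(rewritten, protect),
        }
    return result


if __name__ == "__main__":
    for design, r in outcomes().items():
        print(design, r)
```

With the address under protection, the rewritten message fails verification, which is exactly what makes the protocol unusable behind a real NAT; with the address removed from protection, the rewrite is accepted and the receiver will direct its replies to whatever address the in-path device chose. That trade-off is the "price" discussed above, and it is why a receiver in the NAT-friendly design needs some other check (such as a return-routability exchange) before trusting a changed address.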