RE: Clarification of potential NAT multiple client solutions
Hi,
> > Given #2, this
> > means they may only support 1 IPsec client behind the NAT, or
> > they have to inhibit a new outbound IKE Main Mode SA (with
> > responder cookie = 0 specifically) until they see an inbound
> > ESP SPI they don't recognize.
>
> This is not true! You do realize that IKE sessions can be
> demultiplexed based on cookies?
>
> For IPsec messages, all the NAT gateway has to do is to allow
> the first outbound IPsec packet and inhibit new outbound IPsec
> connections until the first host to start an IPsec connection
> receives a reply.
>[snip]
Just out of curiosity, could you explain what happens if:
1. there is no inbound traffic at all (i.e. a unidirectional protocol)?
2. there is inbound traffic but it takes a long time before it starts?
3. an attacker spoofs an IPsec packet with all fields otherwise as the
NAT expects, but with a bogus SPI? (This packet would of course have
to arrive before any proper response packet would reach the NAT.)
Best regards,
-Sami
--
Sami Vaarala
Senior System Architect
Netseal
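A simplified model of the ESP-handling scheme described in the quoted message, added here as an example (not code from the thread or from Netseal): the gateway lets the first outbound ESP flow through, inhibits other hosts' new outbound flows until a reply arrives, and learns the inbound SPI from that reply. The class, host names and SPI values are constructed; IKE cookie demultiplexing is not modelled. The two scenario functions run Sami's questions 1/2 and 3 against that model.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class EspNat:
    """One public address; ESP has no ports, so inbound packets are told apart by SPI only."""
    pending: Optional[str] = None                      # host awaiting its first reply
    established: set = field(default_factory=set)      # hosts with a learned SPI
    inbound_spi: dict = field(default_factory=dict)    # inbound SPI -> internal host
    log: list = field(default_factory=list)

    def outbound(self, host: str, spi: int) -> str:
        """Internal host sends an ESP packet (outbound SPI is a constructed value)."""
        if host in self.established or host == self.pending:
            return self._note(f"pass outbound {host} spi={spi:#x}")
        if self.pending is not None:
            return self._note(f"DROP outbound {host}: still waiting for reply to {self.pending}")
        self.pending = host
        return self._note(f"pass outbound {host} spi={spi:#x}: hold on, awaiting reply")

    def inbound(self, spi: int) -> str:
        """ESP packet from outside; the gateway cannot verify who sent it."""
        if spi in self.inbound_spi:
            return self._note(f"pass inbound spi={spi:#x} -> {self.inbound_spi[spi]}")
        if self.pending is None:
            return self._note(f"DROP inbound spi={spi:#x}: unknown SPI")
        host, self.pending = self.pending, None   # first reply ends the hold
        self.inbound_spi[spi] = host
        self.established.add(host)
        return self._note(f"pass inbound spi={spi:#x}: bound to {host}, hold released")

    def _note(self, line: str) -> str:
        self.log.append(line)
        return line

def unidirectional_case() -> list:
    """Questions 1 and 2: no reply for A ever arrives, so B never gets out."""
    nat = EspNat()
    nat.outbound("A", 0x1001)
    for _ in range(3):
        nat.outbound("B", 0x2001)
    return nat.log

def bogus_spi_case() -> list:
    """Question 3: a bogus-SPI packet beats the real reply, so A's real reply is dropped."""
    nat = EspNat()
    nat.outbound("A", 0x1001)
    nat.inbound(0xBAD)     # constructed bogus SPI, arrives before the genuine reply
    nat.inbound(0x9001)    # the genuine reply is now an unknown SPI
    return nat.log
```

The model deliberately mirrors only what the quoted paragraph states; a gateway with per-flow timeouts or IKE-cookie tracking would behave differently.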