
RE: Clarification of potential NAT multiple client solutions




> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com 
> [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Sami Vaarala
> 
> Just out of curiosity, could you explain what happens if:
> 
>  1. there is no inbound traffic at all (i.e. a unidirectional 
> protocol)?
>

	You have TCP/UDP/ICMP. In case of TCP you get bidirectional
traffic, hence no problem there. You also won't be sending ICMP messages
right after IKE, unless your intentions are not very good. That leaves
UDP. So, right after IKE, you start sending vast amounts of UDP
packets?! Sounds very fishy to me. 

	BTW, what application do you have in mind?
 
>  2. there is inbound traffic but it takes a long time before
> it starts?
> 

	You do realize that this question is almost identical to #1?

	What do you mean by long time? 1 second? 10 seconds? 30 seconds?
If the reply takes too long, your TCP session will time out. IPsec
pass-thru has a big enough time window (about 1 min., but I am not certain)
to ensure that inbound traffic does arrive. 

>  3. an attacker spoofs an IPsec packet with all fields 
> otherwise as the
>     NAT expects, but with a bogus SPI?  (This packet would of 
> course have
>     to arrive before any proper response packet would reach the NAT.)
> 

	This is interesting! Anytime you let NATs or any intermediate
entity modify or route your packets, you have a potential DoS problem. I
am sure you are familiar with a similar issue in NAT-T. Someone even
wrote a draft about it. 

	The attack on IPsec pass-thru as described by you has a very
short time window where you can launch the attack. For NAT-T, you can
launch the attack anytime.

	If the NAT-T people ever do figure out a proper solution, they
most likely will face IPR issues as we have a couple of patents pending to
solve that problem.

	Anyway, the bottom line is that NAT-T has no advantages over a
simple existing solution (IPsec pass-thru) that is widely deployed. In
fact, it seems to be worse off than IPsec pass-thru. 
	
Regards,
Jayant
www.trlokom.com

> --
> Sami Vaarala
> Senior System Architect
> Netseal
> 
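As an added illustration (not code from either poster), a small Python model of the SPI-learning table in an IPsec pass-thru NAT, walked through Sami's three cases. The 60-second pending window, the addresses and the SPI values are assumptions; the thread only says "about 1 min.".

```python
# Added model of the SPI-learning table in an IPsec pass-thru NAT; not code from
# the thread. Addresses, SPIs and the 60 s window are constructed assumptions.
from dataclasses import dataclass, field

PENDING_TIMEOUT = 60.0  # seconds a NAT waits for the first inbound ESP (assumed)


@dataclass
class PassThruNAT:
    # remote gateway -> (inside host, time of outbound ESP); reply SPI not yet known
    pending: dict = field(default_factory=dict)
    # (remote gateway, inbound SPI) -> inside host, learned from the first reply
    bound: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)  # (remote, spi) of unmatched inbound

    def outbound_esp(self, inside, remote, now):
        """Inside host sent ESP after IKE; remember who should get the reply."""
        self.pending[remote] = (inside, now)

    def inbound_esp(self, remote, spi, now):
        """Return the inside host to forward to, or None if the packet is dropped."""
        if (remote, spi) in self.bound:
            return self.bound[(remote, spi)]
        entry = self.pending.pop(remote, None)
        if entry is None:
            self.dropped.append((remote, spi))
            return None
        inside, seen = entry
        if now - seen > PENDING_TIMEOUT:          # cases 1 and 2: window expired
            self.dropped.append((remote, spi))
            return None
        self.bound[(remote, spi)] = inside        # case 3: first SPI seen wins
        return inside


def run_scenarios():
    nat = PassThruNAT()
    client, gw = "10.0.0.5", "203.0.113.9"      # constructed sample addresses
    # Cases 1/2: the reply arrives after the window, so it is dropped.
    nat.outbound_esp(client, gw, now=0.0)
    late = nat.inbound_esp(gw, spi=0x1111, now=90.0)
    # Case 3: a bogus SPI beats the real reply and takes the mapping; the
    # real reply is then dropped, which is the DoS discussed above.
    nat.outbound_esp(client, gw, now=100.0)
    bogus = nat.inbound_esp(gw, spi=0xDEAD, now=100.5)
    real = nat.inbound_esp(gw, spi=0x2222, now=101.0)
    return late, bogus, real, list(nat.dropped)
```

The `dropped` list is the defender-side signal in this model: an unmatched inbound SPI from a gateway that already holds a binding means either the window expired or the first inbound packet was not the genuine reply.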