
RE: Clarification of potential NAT multiple client solutions
Hi,

--- Jayant Shukla <jshukla@trlokom.com> wrote:
>[snip]
> >  2. there is inbound traffic but it takes a long time before
> > it starts?
> 	You do realize that this question is almost identical to #1?
> 
> 	What do you mean by long time? 1 second? 10 seconds? 30 seconds?
> If the reply takes too long, your TCP session will time out. IPsec
> pass-thru has a big enough time (about 1 min., but I am not certain)
> window to ensure that inbound traffic does arrive. 

Not everyone uses TCP, so why make assumptions about user traffic that can
only turn out to be wrong?  IPsec is not TCPsec.

If the timeout is 1 minute, does this really mean that if I simply don't get
a response packet (= the target doesn't have anything bound to the port and
will either not send keepalives or its security policy requires another SA
for the ICMP), *all* other hosts will be blocked from setting up connections
for an entire minute?

> >  3. an attacker spoofs an IPsec packet with all fields 
> > otherwise as the
> >     NAT expects, but with a bogus SPI?  (This packet would of 
> > course have
> >     to arrive before any proper response packet would reach the NAT.)
> > 
> 
> 	This is interesting! Anytime you let NATs or any intermediate
> entity modify or route your packets, you have a potential DoS problem. I
> am sure you are familiar with a similar issue in NAT-T. Someone even
> wrote a draft about it. 

But isn't this problem magnified here?  The attacker here needs much less
knowledge to mount an attack; it simply suffices to forge packets with suitable
addresses and any bogus SPI, right?  The attacker doesn't need the capability
to modify packets in flight, just being able to inject new packets is enough?

If I understood your description correctly, the DoS problem (blocking new SAs
from being formed) and the bogus SPI problem are quite serious.  The problems
are different and less severe with NAT-T.

-Sami
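As an added illustration of the two failure modes raised above (this is constructed example code, not something posted in the thread or taken from any NAT product), the following Python model plays the pass-through behaviour described in the quoted text: the NAT notes an outbound ESP packet, then binds the first inbound ESP packet from that peer to the inside host that sent it. The 60-second pending window mirrors the "about 1 min." figure from the quote; the one-entry-per-peer rule, the addresses and the SPI values are assumptions made for the example.

```python
"""Constructed model of an IPsec ESP pass-through NAT (not real NAT code).

Assumptions for this example:
  * the NAT has one public address, so it can only match inbound ESP on
    the peer's address and the SPI;
  * an outbound ESP packet for a peer with no table entry creates a
    *pending* entry for the inside sender;
  * the first inbound ESP packet from that peer is taken as the reply and
    its SPI is bound to that inside host;
  * while the entry is pending, no other inside host may start an SA to
    the same peer; pending entries expire after `pending_timeout` seconds;
  * bound entries persist (a real device would age them out on idle).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class EspPacket:
    src: str   # outer IP source
    dst: str   # outer IP destination
    spi: int   # ESP SPI, the only field the NAT can distinguish flows by


@dataclass
class Entry:
    inside_host: str
    created: float
    inbound_spi: Optional[int] = None   # None while the entry is pending


class PassThruNat:
    def __init__(self, public_ip: str, pending_timeout: float = 60.0):
        self.public_ip = public_ip
        self.pending_timeout = pending_timeout
        self.table: Dict[str, Entry] = {}   # keyed by peer address

    def _expire(self, now: float) -> None:
        # Only pending entries time out in this model.
        for peer, e in list(self.table.items()):
            if e.inbound_spi is None and now - e.created >= self.pending_timeout:
                del self.table[peer]

    def outbound(self, pkt: EspPacket, now: float) -> str:
        self._expire(now)
        e = self.table.get(pkt.dst)
        if e is None:
            self.table[pkt.dst] = Entry(pkt.src, now)
            return "forwarded (new pending entry)"
        if e.inside_host == pkt.src:
            return "forwarded"
        # Second inside host towards the same peer while an entry exists.
        return "blocked: peer already has an entry for another inside host"

    def inbound(self, pkt: EspPacket, now: float) -> str:
        self._expire(now)
        e = self.table.get(pkt.src)
        if e is None:
            return "dropped: no entry"
        if e.inbound_spi is None:
            # First inbound packet wins, whatever its SPI is.
            e.inbound_spi = pkt.spi
            return f"bound spi {pkt.spi:#x} -> {e.inside_host}"
        if e.inbound_spi == pkt.spi:
            return f"delivered -> {e.inside_host}"
        return "dropped: spi mismatch"


PUBLIC = "203.0.113.1"      # constructed NAT public address
PEER = "198.51.100.7"       # constructed remote IPsec peer


def blocking_window_scenario() -> List[str]:
    """Host A starts an SA; the peer never replies; host B is blocked until
    A's pending entry has expired."""
    nat = PassThruNat(PUBLIC)
    out = [nat.outbound(EspPacket("10.0.0.10", PEER, 0x1001), now=0.0)]
    out.append(nat.outbound(EspPacket("10.0.0.20", PEER, 0x2001), now=10.0))
    out.append(nat.outbound(EspPacket("10.0.0.20", PEER, 0x2001), now=61.0))
    return out


def bogus_spi_scenario() -> List[str]:
    """A forged inbound packet with an arbitrary SPI reaches the NAT before
    the genuine reply, so the genuine reply is dropped."""
    nat = PassThruNat(PUBLIC)
    out = [nat.outbound(EspPacket("10.0.0.10", PEER, 0x1001), now=0.0)]
    out.append(nat.inbound(EspPacket(PEER, PUBLIC, 0xBAD5), now=0.5))   # forged
    out.append(nat.inbound(EspPacket(PEER, PUBLIC, 0x3001), now=1.0))   # genuine
    return out


if __name__ == "__main__":
    for line in blocking_window_scenario() + bogus_spi_scenario():
        print(line)
```

The model makes the point of the thread concrete: because the NAT has nothing but the first inbound SPI to go on, the window during which the entry is pending both excludes other inside hosts and is decided by whichever packet arrives first, so the table state reflects arrival order rather than anything the NAT could verify.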

