
RE: Clarification of potential NAT multiple client solutions
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com 
> [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Sami Vaarala
> 
> Not everyone uses TCP, so why make assumptions about user 
> traffic that can only turn out to be wrong?  IPsec is not TCPsec.
> 

These are very vague statements!

You still have not answered my question! What application do you have in
mind?

> 
> But isn't this problem magnified here?  The attacker here 
> needs much less knowledge to mount an attack; it simply 
> suffices to forge packets with suitable addresses and any 
> bogus SPI, right?  The attacker doesn't need the capability 
> to modify packets in flight, just being able to inject new 
> packets is enough?
> 
> If I understood your description correctly, the DoS problem 
> (blocking new SAs from being formed) and the bogus SPI 
> problem are quite serious.  The problems are different and 
> less severe with NAT-T.
> 

The origin of the problem is identical, and it is the NAT. In one case
you have to send a packet with a random SPI within a very short time interval,
and in the other case you can send a packet with a spoofed source address
_anytime_, but that packet must be based on a real packet. You can argue
all you want as to which one is better/worse. The fact that the attack can
be launched anytime in the case of NAT-T makes it much worse in my opinion.


Regards,
Jayant
www.trlokom.com

> -Sami
> 