RE: Clarification of potential NAT multiple client solutions
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Sami Vaarala
>
> Not everyone uses TCP, so why make assumptions about user
> traffic that can only turn out to be wrong? IPsec is not TCPsec.
>
These are very vague statements!
You still have not answered my question! What application do you have in
mind?
>
> But isn't this problem magnified here? The attacker here
> needs much less knowledge to mount an attack; it simply
> suffices to forge packets with suitable addresses and any
> bogus SPI, right? The attacker doesn't need the capability
> to modify packets in flight, just being able to inject new
> packets is enough?
>
> If I understood your description correctly, the DoS problem
> (blocking new SAs from being formed) and the bogus SPI
> problem are quite serious. The problems are different and
> less severe with NAT-T.
>
The origin of the problem is identical, and it is the NAT. In one case
you have to send a packet with a random SPI within a very short time interval,
and in the other case you can send a packet with a spoofed source address
_anytime_, but that packet must be based on a real packet. You can argue
all you want as to which one is better/worse. The fact that the attack can
be launched anytime in the case of NAT-T makes it much worse in my opinion.
Regards,
Jayant
www.trlokom.com
> -Sami
>
>