
Re: bidding down attack on NAT-T

Michael Richardson <mcr@sandelman.ottawa.on.ca> wrote:
>   The issue is that said attacker can force all transmissions from the
> gateway to the client to go via itself. It does this by pretending to
> be a NAT, and futzing with the source IP/port#. The gateway will use that
> address for the packets it sends.

I would claim that an attacker can only do this if it is on the path
between the two IPsec endpoints. The attacker would have to prevent
delivery of the packet with the original IP address/port # and send a
packet with the same innards but a different source IP/port#. At this
point, I would claim the attacker *is* a NAT, since that's exactly what
NATs do.

>   So, what in the end is the effect of having the IKE/ESP flow sent via
> some malicious third party? Assuming that the third party does not drop
> any packets in the flow, we have:
>      a) additional latency.
>      b) traffic analysis.

But any party on the path between the two IPsec endpoints can do this
anyway - with or without invoking NAT-T.

That's not to say that these threats aren't serious. Just that there is
nothing we could possibly do within IKE or ESP to improve the situation.

What am I missing?

          --Charlie

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
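The situation both posts describe, as an added illustration that is not part of the thread: a simplified model of the IKE NAT-detection check (a SHA-1 over the SA's SPIs/cookies plus the address and port, with constructed cookie values) showing that the gateway's evidence for "there is a NAT" is identical whether the outer header was rewritten by a real NAT or by an on-path party pretending to be one, which is the point Charlie makes above.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed sample values: the two 8-byte cookies/SPIs of one IKE SA.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")


@dataclass(frozen=True)
class Packet:
    src_ip: str      # outer IP source address as seen by the receiver
    src_port: int    # outer UDP source port as seen by the receiver
    nat_d: bytes     # NAT-D hash carried inside the IKE payload


def nat_d_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT-detection hash: SHA-1 over SPIs, address and port (IKE NAT-T style)."""
    data = spi_i + spi_r + ipaddress.IPv4Address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


def client_send(ip: str, port: int) -> Packet:
    """The client builds its NAT-D over the address it believes it is using."""
    return Packet(ip, port, nat_d_hash(SPI_I, SPI_R, ip, port))


def rewrite_outer(pkt: Packet, ip: str, port: int) -> Packet:
    """Outer-header rewrite only: what a NAT does, and what an on-path party
    'pretending to be a NAT' does. The inner NAT-D payload is untouched."""
    return Packet(ip, port, pkt.nat_d)


def gateway_receive(pkt: Packet) -> dict:
    """The gateway recomputes NAT-D over the outer header it actually saw.
    A mismatch means 'there is a NAT'; replies go to the observed address."""
    expected = nat_d_hash(SPI_I, SPI_R, pkt.src_ip, pkt.src_port)
    return {"nat_detected": expected != pkt.nat_d,
            "reply_to": (pkt.src_ip, pkt.src_port)}


def compare_paths() -> dict:
    """Same client packet delivered directly, through a NAT, and through an
    on-path rewriter (constructed addresses). Only the outer header differs."""
    direct = client_send("10.0.0.2", 500)
    via_nat = rewrite_outer(direct, "203.0.113.7", 41000)
    via_on_path = rewrite_outer(direct, "198.51.100.9", 41000)
    return {"direct": gateway_receive(direct),
            "nat": gateway_receive(via_nat),
            "on_path": gateway_receive(via_on_path)}
```

The gateway's only signal in both rewritten cases is the same boolean, so nothing in the NAT-D exchange itself lets it tell the two apart; the difference lies in who sits on the path, not in IKE.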