[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re: bidding down attach on NAT-T

To: mcr@sandelman.ottawa.on.ca, ipsec@lists.tislabs.com
Subject: Re: Re: bidding down attach on NAT-T
From: Jayant Shukla <jshukla@earthlink.net>
Date: Wed, 5 Mar 2003 10:57:14 -0800 (PST)
Reply-To: jshukla@trlokom.com
Sender: owner-ipsec@lists.tislabs.com

-------Original Message-------
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
    Charlie> there is nothing we could possibly do within IKE or ESP to
    Charlie> improve the situation.

  The thing that we could do, is require some kind of three way handshake
to
change the UDP port #/IP address. That could be a rekey.

  
We had this discussion a few days ago. This is the exact method we are using in our NAT traversal. However, this method too is not perfect as an attacker can falsly convince you to keep doing three-way handshakes. Not a big problem, and can be solved by rate limiting the three-way handshakes, but an annoynace none the less.

Regards,
Jayant
www.trlokom.com

Follow-Ups:
- Re: bidding down attach on NAT-T
  - From: Michael Richardson <mcr@sandelman.ottawa.on.ca>

Prev by Date: Re: The CR payload still
Next by Date: Re: The CR payload still
Prev by thread: I-D ACTION:draft-ietf-ipsec-ciph-aes-xcbc-mac-03.txt
Next by thread: Re: bidding down attach on NAT-T
Index(es):
- Date
- Thread