Re: bidding down attack on NAT-T
>>>>> "Jayant" == Jayant Shukla <jshukla@earthlink.net> writes:
mcr> The thing that we could do, is require some kind of three way
mcr> handshake to change the UDP port #/IP address. That could be a
mcr> rekey.
Jayant> We had this discussion a few days ago. This is the exact method
Jayant> we are using in our NAT traversal. However, this method too is
Jayant> not perfect as an attacker can falsely convince you to keep doing
Jayant> three-way handshakes. Not a big problem, and can be solved by
As I said in another message, if you include this as part of the dead-peer
detection, then it should work fine. The trick is not doing both at the same
time. I haven't looked at all at the DPD stuff, so I don't know.
The other thing is making sure that the client can somehow become aware
that something may be trying to spoof it.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
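The mechanism discussed in this thread, as an added example that is not part of the original message or of any IKE/NAT-T implementation: a peer refuses to move the address/port it sends ESP-in-UDP traffic to until the new address completes a three-way exchange (data from the new source, a challenge sent to that source, a keyed response echoing the challenge), and it only issues the challenge when a dead-peer-detection style probe is due, so spoofed packets cannot force back-to-back handshakes. The message names, the `Peer` class, the nonce/HMAC layout, the 10 second probe interval and all keys and addresses are assumptions made for this illustration, not wire formats from any RFC.

```python
import hashlib
import hmac
import os

DPD_INTERVAL = 10.0   # seconds between liveness probes (assumed value)


def address_mac(key, nonce, addr):
    """Integrity tag over nonce || claimed address, keyed with the SA's key."""
    msg = nonce + f"{addr[0]}:{addr[1]}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Peer:
    """One side of a NAT-T tunnel tracking where to send its ESP-in-UDP traffic."""

    def __init__(self, key, peer_addr, dpd_interval=DPD_INTERVAL):
        self.key = key                      # shared key from the established SA
        self.peer_addr = peer_addr          # (ip, port) traffic is sent to now
        self.dpd_interval = dpd_interval
        self.pending = None                 # (candidate_addr, nonce, issued_at)
        self.last_probe = float("-inf")

    def on_data(self, src_addr, now):
        """Step 1: data arrives from an unexpected source.  A naive stack would
        update peer_addr here; this one only issues a challenge, and only when
        a liveness probe is due, so spoofed sources cannot force handshakes."""
        if src_addr == self.peer_addr:
            return None
        if now - self.last_probe < self.dpd_interval:
            return None                     # too soon: ignore, keep old address
        nonce = os.urandom(16)
        self.pending = (src_addr, nonce, now)
        self.last_probe = now
        return ("CHALLENGE", src_addr, nonce)   # step 2: sent to the claimed address

    def on_response(self, src_addr, nonce, tag, now):
        """Step 3: accept the move only if the response comes from the candidate,
        echoes our nonce (so it really received the challenge) and carries a
        valid tag (so it holds the SA key)."""
        if self.pending is None:
            return False
        cand, exp_nonce, issued = self.pending
        if src_addr != cand or now - issued > self.dpd_interval:
            return False
        if not hmac.compare_digest(nonce, exp_nonce):
            return False
        if not hmac.compare_digest(tag, address_mac(self.key, nonce, cand)):
            return False
        self.peer_addr = cand
        self.pending = None
        return True


def honest_response(key, challenge):
    """What a genuine peer sitting at the new address sends back."""
    _, addr, nonce = challenge
    return addr, nonce, address_mac(key, nonce, addr)


KEY = b"\x42" * 32                           # constructed SA key
HOME = ("203.0.113.10", 4500)                # constructed addresses
MOVED = ("192.0.2.5", 41000)
SPOOF = ("198.51.100.7", 4500)


def naive_update(src_addr):
    """Unprotected behaviour: whoever sent the last packet becomes the peer."""
    return src_addr


def scenario_spoof():
    """Off-path attacker spoofs one data packet.  Returns
    (naive peer_addr, hardened peer_addr, response accepted?)."""
    p = Peer(KEY, HOME)
    p.on_data(SPOOF, now=100.0)              # challenge goes to SPOOF; attacker is not there
    # Without the nonce the best the attacker can do is guess nonce and tag.
    accepted = p.on_response(SPOOF, os.urandom(16), os.urandom(32), now=101.0)
    return naive_update(SPOOF), p.peer_addr, accepted


def scenario_legit_move():
    """Peer really moves behind a new NAT binding and answers the challenge."""
    p = Peer(KEY, HOME)
    ch = p.on_data(MOVED, now=100.0)
    accepted = p.on_response(*honest_response(KEY, ch), now=100.4)
    return accepted, p.peer_addr


def scenario_churn(packets=100):
    """Attacker floods data from many spoofed sources within one second;
    count how many challenges we actually send."""
    p = Peer(KEY, HOME)
    sent = 0
    for i in range(packets):
        if p.on_data((f"198.51.100.{i % 250}", 4500), now=100.0 + i / packets):
            sent += 1
    return sent
```

Two properties follow from the design: the challenge is delivered to the claimed address, so an off-path spoofer never learns the nonce and the naive "trust the last source" update is the only path that redirects traffic; and because a challenge is issued at most once per probe interval, a flood of spoofed sources costs one handshake, not one per packet. The cost of that rate limit is the caveat worth noting: while a challenge to a bogus address is outstanding, a genuine move has to wait out the interval, which is why the thread's suggestion to fold the exchange into the existing dead-peer-detection timer, rather than running both in parallel, keeps the worst case bounded.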