
Re: bidding down attach on NAT-T


>>>>> "Jayant" == Jayant Shukla <jshukla@earthlink.net> writes:
    mcr> The thing that we could do, is require some kind of three way
    mcr> handshake to change the UDP port #/IP address. That could be a
    mcr> rekey.


    Jayant> We had this discussion a few days ago. This is the exact method
    Jayant> we are using in our NAT traversal. However, this method too is
    Jayant> not perfect as an attacker can falsely convince you to keep doing
    Jayant> three-way handshakes. Not a big problem, and can be solved by

  As I said in another message, if you include this as part of the dead-peer
detection, then it should work fine. The trick is not doing both at the same
time. I haven't looked at all at the DPD stuff, so I don't know.
  The other thing is making sure that the client can somehow become aware
that something may be trying to spoof it.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
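As an added illustration (not code from this thread or any implementation discussed in it), a constructed Python model of the address-change handshake mcr and Jayant describe: a UDP-encapsulated packet from an unexpected source does not move the SA's peer address; it is challenged with a nonce, only a reply authenticated under the SA's integrity key moves the mapping, and challenges are rate-limited to the dead-peer-detection interval so a spoofer cannot force endless handshakes. Class, method and key names, and the HMAC-over-nonce reply, are assumptions for the model.

```python
import hmac
import hashlib
import os


class NatTPeer:
    """Responder-side peer-address tracking for ESP-in-UDP (constructed model).

    A packet from an unexpected (ip, port) never moves the SA's peer address
    directly. The candidate address is challenged with a fresh nonce, and only
    a reply authenticated with the SA's integrity key moves the mapping.
    Challenges are rate-limited to the DPD interval, so an attacker sending
    spoofed packets cannot force the peer into continuous handshakes."""

    def __init__(self, auth_key: bytes, peer_addr, dpd_interval: float = 10.0):
        self.auth_key = auth_key
        self.peer_addr = peer_addr          # (ip, port) currently trusted
        self.dpd_interval = dpd_interval
        self.pending = None                 # (candidate_addr, nonce) or None
        self.last_challenge = -float("inf")

    def _tag(self, nonce: bytes, addr) -> bytes:
        msg = nonce + addr[0].encode() + addr[1].to_bytes(2, "big")
        return hmac.new(self.auth_key, msg, hashlib.sha256).digest()

    def on_packet(self, src_addr, now: float):
        """Return a nonce to send as a challenge to src_addr, or None."""
        if src_addr == self.peer_addr:
            return None
        # At most one challenge per DPD interval: spoofed packets arriving
        # in between are simply ignored and never alter state.
        if now - self.last_challenge < self.dpd_interval:
            return None
        nonce = os.urandom(16)
        self.pending = (src_addr, nonce)
        self.last_challenge = now
        return nonce

    def on_challenge_reply(self, src_addr, tag: bytes) -> bool:
        """Move the peer address only for a valid reply from the challenged address."""
        if self.pending is None or self.pending[0] != src_addr:
            return False
        if not hmac.compare_digest(self._tag(self.pending[1], src_addr), tag):
            return False
        self.peer_addr = src_addr
        self.pending = None
        return True


def answer_challenge(auth_key: bytes, nonce: bytes, own_addr) -> bytes:
    """Reply computed by the genuine peer, which holds the SA key (assumed format)."""
    msg = nonce + own_addr[0].encode() + own_addr[1].to_bytes(2, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()
```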
