Re: bidding down attach on NAT-T
Francis,
Francis Dupont <Francis.Dupont@enst-bretagne.fr> writes:
> => I believe you missed the fact I didn't try to make NAT traversal
> secure (I clearly wrote I believe it is near impossible): you are
> on my side, i.e., you consider that NAT traversal has an untrackable
> security issue with attackers which behave like NATs.
While I agree that peers should not use NAT-T if there is no NAT
between them, I do think that NAT-T support should be required.
You never know when there will be a NAT between you and your peer.
Note that you CAN securely detect a NAT (and I consider a pseudo-NAT
to be equivalent to a NAT in this sense) because the IKE messages are
secured. So the only real attack is some router performing NAT on you
-- but that router could just as easily drop your packets too, so I
don't think this is a credible threat.
Personally, I feel that being able to use IPsec through a NAT is more
important than worrying about some router dropping your packets or
trying to re-NAT you.
> Regards
>
> Francis.Dupont@enst-bretagne.fr
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
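An added illustration of the "you CAN securely detect a NAT" point above; this is not code from the thread or from any IKE implementation. It assumes the IKEv2-style construction SHA-1(SPIi | SPIr | IP | Port) for the NAT detection hash and uses constructed SPIs; the integrity protection that keeps the hash from being forged is assumed to be provided by IKE and is not modelled here.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Hash of the address and port as the sender sees itself.

    Assumed format (IKEv2 NAT_DETECTION_*_IP style): SHA-1(SPIi | SPIr | IP | Port).
    """
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def nat_between(spi_i: bytes, spi_r: bytes, claimed_hash: bytes,
                observed_ip: str, observed_port: int) -> bool:
    """Receiver side: recompute the hash from the outer header actually seen.

    A mismatch means some device on the path rewrote the address or port.
    Because the hash travels inside integrity-protected IKE, an on-path
    device can change the outer header (and so be detected) but cannot
    forge a matching hash; all it can still do is drop the packets.
    """
    return claimed_hash != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


# Constructed sample SPIs, not values from any real exchange.
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes.fromhex("8899aabbccddeeff")


def demo() -> tuple:
    """Return (nat_seen_on_direct_path, nat_seen_after_translation)."""
    sent = nat_detection_hash(SPI_I, SPI_R, "192.0.2.10", 500)
    # Packet arrives with the same outer address and port: no NAT.
    direct = nat_between(SPI_I, SPI_R, sent, "192.0.2.10", 500)
    # Packet arrives with a rewritten outer address and port: a NAT, or a
    # router behaving like one (the "pseudo-NAT" case), is on the path.
    translated = nat_between(SPI_I, SPI_R, sent, "203.0.113.5", 4500)
    return direct, translated


if __name__ == "__main__":
    print(demo())
```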