
List:       ipsec
Subject:    Re: NAT-Traversal - Security Considerations
From:       mlafon () arkoon ! net
Date:       2002-05-17 18:14:31
As I (now) understand it, we must apply NAT to NAT-T packets
using Transport Mode or we create a blackhole between the
Responder and the NAT device.

As it is not obvious (tell me if I'm the only one for whom it was
not obvious) and can cause DoS, even with normal use, implementors
should be explicitly warned.

For example:

  Implementors are warned that NAT SHOULD be applied to packets
  received using Transport Mode encapsulation when the sender is
  behind a NAT device.

  Without NAT, all packets sent by S to the NAT device or devices
  behind it, and following the traffic descriptor of the SA established,
  will be sent to the peer which has initiated the SA.
  This will create a sort of blackhole between S and the NAT device.

  Implementors MUST devise ways of preventing such a thing from
  occurring; either by disallowing Transport Mode, by applying NAT or
  by other means.


Of course, don't forget to correct me if I'm still wrong, and note that
I will not allow NAT-T Transport Mode as it is not satisfactory to me.

--
Mathieu Lafon - Arkoon Network Security
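
The blackhole described in the message above, as an added illustration that is not part of the original post or of any IPsec implementation: a toy outbound SA lookup on the responder S shows that a transport-mode SA whose traffic descriptor is keyed only to the NAT device's public address swallows every packet S sends toward that NAT, including flows meant for other hosts behind it. The addresses, the ports and the port-narrowed descriptor (one constructed reading of "by other means", not something the message specifies) are all assumptions.

```python
# Added illustration (not from the message or any IPsec implementation):
# outbound SA matching on responder S for a NAT-T transport-mode peer.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class TransportSA:
    initiator: str              # peer that negotiated the SA (behind the NAT)
    local: str                  # responder S
    remote: str                 # peer address as seen by S (the NAT's public IP)
    remote_port: Optional[int]  # None = descriptor covers every port on `remote`

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src == self.local and pkt.dst == self.remote
                and (self.remote_port is None or pkt.dport == self.remote_port))


def outbound(pkt: Packet, sad: List[TransportSA]) -> str:
    """Where S's packet goes: into ESP toward the SA's initiator, or in the clear."""
    for sa in sad:
        if sa.matches(pkt):
            return f"esp->{sa.initiator}"
    return "clear"


# Constructed topology: S and the NAT's public address use documentation ranges.
S, NAT_PUB = "203.0.113.10", "198.51.100.1"
# Constructed flows: the NAT maps port 2222 to the initiator and port 8080 to an
# unrelated web server that sits behind the same NAT device.
peer_flow = Packet(S, NAT_PUB, 2222)
web_flow = Packet(S, NAT_PUB, 8080)

# Descriptor keyed to the NAT's address alone: everything S sends there is captured.
wide_sad = [TransportSA("initiator-A", S, NAT_PUB, None)]
# Descriptor narrowed to the port the NAT mapped for the initiator (assumed mitigation).
narrow_sad = [TransportSA("initiator-A", S, NAT_PUB, 2222)]


def blackhole_demo() -> Dict[str, str]:
    return {
        "wide_peer": outbound(peer_flow, wide_sad),      # esp->initiator-A (intended)
        "wide_web": outbound(web_flow, wide_sad),        # esp->initiator-A (blackholed)
        "narrow_peer": outbound(peer_flow, narrow_sad),  # esp->initiator-A
        "narrow_web": outbound(web_flow, narrow_sad),    # clear
    }
```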

