Re: NAT Traversal - Recovering from the expiring NAT mappings
Tero Kivinen <kivinen@ssh.fi> Wed, 15 May 2002 13:51 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g4FDpEL22820; Wed, 15 May 2002 06:51:15 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA04154 Wed, 15 May 2002 09:08:18 -0400 (EDT)
X-Authentication-Warning: ryijy.hel.fi.ssh.com: kivinen set sender to <kivinen@ssh.fi> using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <15586.24743.99153.268748@ryijy.hel.fi.ssh.com>
Date: Wed, 15 May 2002 16:20:39 +0300
From: Tero Kivinen <kivinen@ssh.fi>
To: michaell@servgate.com
CC: ipsec@lists.tislabs.com
Subject: Re: NAT Traversal - Recovering from the expiring NAT mappings
References: <605C42246151B7498423278ED555306F04C05A@skat.sky.com>
X-Mailer: VM 6.89 under Emacs 20.7.1
Organization: SSH Communications Security Oy
X-Edit-Time: 8 min
X-Total-Time: 7 min
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
michaell@servgate.com (michael lin) writes:
> In draft-ietf-ipsec-nat-ike-02.txt, it said
>
>    There are cases where NAT box decides to remove mappings that are still
>    alive (for example, the keepalive interval is too long, or the NAT box is
>    rebooted). To recover from those, ends which are NOT behind NAT SHOULD use
>    the last valid authenticated packet from the other end to determine which IP
>    and port addresses should be used. The host behind dynamic NAT MUST NOT
>    do this as otherwise it opens DoS attack possibility, and there is no need
>    for that, because the IP address or port of other host will not change (it
>    is not behind NAT).
>
> I cannot fully understand. Suppose the following:
>
>    A --- NAT --- Internet --- B
>
>    1.1.1.1 port x ----->
>    1.1.1.1 port x ----->
>    1.1.1.1 port x -----> (LAST packet)
>
>    reboot
>
>    1.1.1.2 port y -----> (NEXT packet)

This packet is received by the host B, and authenticated, and then it is
processed normally. Note that for the incoming case we do not care about
the source IP. After the authentication check it will become the LAST
authenticated packet received.

> If the NEXT packet (source IP 1.1.1.2 and port y) passes the authentication
> check, B will know that A's IP and port have been changed, right?

Yes. And after that, whenever it is sending packets back, it needs to use
the source address of the last authenticated packet received from the
other end as the destination address where to send the packets.

> But in the draft, it said "the LAST valid authenticated packet".
> What does it mean? Why is it NEXT packet, but LAST packet?

Because this is needed for sending the replies back, thus we use the last
authenticated packet received. The incoming packet in transit does not
matter if we haven't yet seen and authenticated it, and once we have
received and authenticated it, then it is the last packet.

> And since the source IP and port could be changed, does it mean B doesn't need
> to check source IP and port? If the packet passes the authentication check, the
> packet is coming from the right source.

Yes, B does not check the source IP and port, only the destination IP and
port matters, and then we do the normal authentication checks; but to send
replies back to the proper A we need the destination address and port for
A, and those MUST be taken from the last authenticated packet received
from A.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
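The recovery rule discussed in this message can be seen in a small model, added here as an example that is not part of the thread or of the draft. Authentication is stood in for by an HMAC-SHA256 tag over the sequence number and payload (a constructed stand-in for the ESP/IKE integrity check; the NAT-rewritten outer source IP and port are deliberately not covered), addresses and ports are constructed, and the replay check is a simple monotonic sequence number. The peer that is not behind NAT moves its reply destination only after a packet authenticates, so a spoofed packet with a bad tag cannot redirect replies; the peer behind NAT never moves it, as the draft requires.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed shared key standing in for the SA's integrity key.
KEY = b"constructed-demo-key"


@dataclass
class Packet:
    src: tuple       # outer (ip, port) as seen by the receiver; a NAT may rewrite this
    seq: int
    payload: bytes
    tag: bytes


def make_packet(src, seq, payload):
    """Build a packet whose tag covers seq and payload but not the outer source
    address, mirroring the fact that NAT rewrites the outer header in transit."""
    tag = hmac.new(KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return Packet(src, seq, payload, tag)


class Peer:
    """One end of the SA. behind_nat selects which recovery rule applies."""

    def __init__(self, behind_nat, peer_addr):
        self.behind_nat = behind_nat
        self.peer_addr = peer_addr   # where replies are currently sent
        self.last_seq = 0            # highest authenticated sequence number seen

    def receive(self, pkt):
        """Authenticate first; the source IP/port is not part of the check.
        Returns True if the packet was accepted."""
        expected = hmac.new(KEY, pkt.seq.to_bytes(4, "big") + pkt.payload,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pkt.tag):
            return False                      # unauthenticated: ignore entirely
        if pkt.seq <= self.last_seq:
            return False                      # replay: ignore
        self.last_seq = pkt.seq
        if not self.behind_nat:
            # Only the end NOT behind NAT follows the last authenticated packet.
            self.peer_addr = pkt.src
        return True

    def reply_destination(self):
        return self.peer_addr


def run_scenario():
    """Replay the thread's diagram: three packets, a NAT reboot, a new mapping."""
    results = {}
    a_public = ("1.1.1.1", 4500)                 # A's NAT mapping before reboot
    b = Peer(behind_nat=False, peer_addr=a_public)
    a = Peer(behind_nat=True, peer_addr=("2.2.2.2", 4500))   # B's fixed address

    for seq in (1, 2, 3):
        b.receive(make_packet(a_public, seq, b"data"))
    results["before_reboot"] = b.reply_destination()

    # Spoofed packet with a garbage tag: must not move B's reply destination.
    bogus = Packet(("6.6.6.6", 1), 4, b"data", b"\x00" * 32)
    results["spoof_accepted"] = b.receive(bogus)
    results["after_spoof"] = b.reply_destination()

    # NAT rebooted: A's next packet arrives from a new mapping and authenticates.
    a_new = ("1.1.1.2", 4501)
    results["new_accepted"] = b.receive(make_packet(a_new, 4, b"data"))
    results["after_reboot"] = b.reply_destination()

    # A (behind NAT) accepts an authenticated packet but keeps B's address fixed.
    results["a_accepted"] = a.receive(make_packet(("9.9.9.9", 4500), 1, b"data"))
    results["a_peer"] = a.reply_destination()
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The ordering inside `receive` is the whole point: the address update is reachable only after the MAC and replay checks pass, which is what makes the "last valid authenticated packet" wording safe for the end that is not behind NAT, and the `behind_nat` branch is why the draft says the other end MUST NOT do the same.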