Re: NAT-Traversal - Security Considerations

[Ari Huttunen <Ari.Huttunen@f-secure.com>]

mlafon@arkoon.net wrote:
> 
> ari.huttunen@f-secure.com wrote
> 
> > It would seem to me that the IPsec layer in S needs to apply NAT for
> > packets that come via the SA, so they appear to come from address Y.
> > The server in S then thinks it's talking with Y. The return packets
> > to Y would then be NATed, and put to the SA, all other packets would
> > go through without any change. This way the TS doesn't apply to packets
> > to/from address 'NAT', but to address 'Y'. This would break if you want
> > part of the packets via an SA, and part in plaintext, using TS, because
> > server would see different IP addresses for the client, so don't do that.
> 
> So what is the prefered usage and why does the current draft does not specify
> it ? If we're not applying NAT, how do we deal with the blackhole between
> S and WS/NAT when NAT-T SA is established ?

The draft is a specification for a protocol, not an implementation guidebook
in how the protocol is to be implemented. Some not-so-obvious security related
issues are mentioned explicitly to guide implementations, but other than that
you're left on your own to implement it. 

> 
> >I had this in draft-huttunen-ipsec-esp-in-udp-00.txt:
> >>
> >>    It is not possible for a hacker to obtain an arbitrary address in the
> >>    intranet being protected by the GW. If address assignment by the GW
> >>    is provided, only the address assigned to the hacker is allowed to pass
> >>    through the GW. In the other case, address is always assigned to
> >>    the hacker internally by the GW and the (arbitrary) IP address of the
> >>    hacker is always translated by a NAT functionality in the GW.
> >
> > Perhaps I should have copied it to this current draft? Is it clear?
> 
> I don't get the point. If you do not use address assignment, it is the user
> who chooses his address depending on the network he is on (hotel, airport, home,
> ...), so you can't control which IP he chooses.

OK. Good that I didn't copy it. :)

> 
> When we're not using NAT-Traversal, we can be strict and not allow him to use
> another IP than his external IP or a fixed address/network. But with NAT-T,
> we can't be that strict, can we ?
> 
> Or is address assignment mandatory with NAT-Traversal ?

Both transport and tunnel mode can be implemented with a NAT in the IPsec
layer, and tunnel mode can additionally be implemented with address
assignment (DHCP/modeconfig). You may be able to do without them in some
situations. You can look at it like NAT-Traversal ignoring the effects of
any NATs en-route. Still, if addresses need NATing, something must do it,
and that something is likely your IPsec stack.

Ari

-- 
"They that can give up essential liberty to obtain a little 
temporary safety deserve neither liberty nor safety." - Benjamin Franklin

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Securing the Mobile Enterprise