Re: NAT-Traversal - Security Considerations

Francis Dupont <Francis.Dupont@enst-bretagne.fr> Thu, 16 May 2002 16:57 UTC

Message-Id: <200205161628.g4GGSqT89870@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: mlafon@arkoon.net
cc: ipsec@lists.tislabs.com
Subject: Re: NAT-Traversal - Security Considerations
In-reply-to: Your message of Thu, 16 May 2002 00:59:26 +0200. <C1256BBA.007E4B51.00@arkoon-mail.arkoon.net>
Date: Thu, 16 May 2002 18:28:52 +0200
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

 In your previous mail you wrote:

      Math (M) is behind NAT and establish an SA with Gateway (GW) using a
      specific Trafic Descriptor (TS). Using Tunnel Mode, Math will normally
      use his private IP address but can also used a spoofed one: Server (S)
      or VeryImportantMachine (VIM).
   
=> Math can spoof the address but not the identity so the attack is
a Denial of Service.

      This can be used by a malicious user to steal packets for VIM or to
      deny communication with S.
   
=> first (steal packets) should not be critical because M may not
spoof an identity so may not know keys. Second is a DoS and there is
a third one: redirect the traffic to (i.e. flood) a victim.

      Am I right or am I missing something ?

=> you don't miss something: NAT traversal capability gives to bad guys
on the path all NAT possibilities and they don't need to stay on the
path (so I call this problem the "transient pseudo-NAT attack").

      How GW can decide if Math's IP is valid and is not a spoofed one ?
   
=> it can't. The stupid defense (authentify the IP address) works but
disables the NAT traversal.

Regards

Francis.Dupont@enst-bretagne.fr

Re: NAT-Traversal - Security Considerations mlafon
NAT-Traversal - Security Considerations mlafon
Re: NAT-Traversal - Security Considerations Ari Huttunen
Re: NAT-Traversal - Security Considerations Francis Dupont
Re: NAT-Traversal - Security Considerations Ari Huttunen
Re: NAT-Traversal - Security Considerations mlafon