Re: NAT-Traversal - Security Considerations
mlafon@arkoon.net Thu, 16 May 2002 10:37 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g4GAbAL24601; Thu, 16 May 2002 03:37:10 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id FAA07058 Thu, 16 May 2002 05:58:03 -0400 (EDT)
From: mlafon@arkoon.net
X-Lotus-FromDomain: ARKOON
To: Ari Huttunen <Ari.Huttunen@f-secure.com>
cc: ipsec@lists.tislabs.com
Message-ID: <C1256BBB.003851BE.00@arkoon-mail.arkoon.net>
Date: Thu, 16 May 2002 12:15:32 +0200
Subject: Re: NAT-Traversal - Security Considerations
Mime-Version: 1.0
Content-type: text/plain; charset="us-ascii"
Content-Disposition: inline
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
ari.huttunen@f-secure.com wrote:
> It would seem to me that the IPsec layer in S needs to apply NAT for
> packets that come via the SA, so they appear to come from address Y.
> The server in S then thinks it's talking with Y. The return packets
> to Y would then be NATed, and put to the SA, all other packets would
> go through without any change. This way the TS doesn't apply to packets
> to/from address 'NAT', but to address 'Y'. This would break if you want
> part of the packets via an SA, and part in plaintext, using TS, because
> server would see different IP addresses for the client, so don't do that.

So what is the preferred usage, and why does the current draft not specify it?

If we're not applying NAT, how do we deal with the blackhole between S and WS/NAT when the NAT-T SA is established?

> I had this in draft-huttunen-ipsec-esp-in-udp-00.txt:
>>
>> It is not possible for a hacker to obtain an arbitrary address in the
>> intranet being protected by the GW. If address assignment by the GW
>> is provided, only the address assigned to the hacker is allowed to pass
>> through the GW. In the other case, address is always assigned to
>> the hacker internally by the GW and the (arbitrary) IP address of the
>> hacker is always translated by a NAT functionality in the GW.
>
> Perhaps I should have copied it to this current draft? Is it clear?

I don't get the point. If you do not use address assignment, it is the user who chooses his address depending on the network he is on (hotel, airport, home, ...), so you can't control which IP he chooses.

When we're not using NAT-Traversal, we can be strict and not allow him to use another IP than his external IP or a fixed address/network. But with NAT-T, we can't be that strict, can we? Or is address assignment mandatory with NAT-Traversal?

--
Mathieu Lafon - Arkoon Network Security
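The three gateway-side policies the message above compares (strict inner-address check for a plain ESP peer, "only the assigned address" for a NAT-T peer with address assignment, and gateway-internal NAT to an address Y for a NAT-T peer without assignment, with the reverse mapping on the return path) as an added toy model. This is constructed illustration code, not code from the thread, from draft-huttunen-ipsec-esp-in-udp-00 or from any IPsec implementation; the SA fields, the internal address pool and every sample address are assumptions.

```python
"""Toy model of the gateway-side inner-address policies discussed above.

Constructed example, not code from the thread, the draft or any IPsec
implementation. The SA fields, the internal address pool and the sample
addresses are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurityAssociation:
    """One inbound tunnel-mode SA as the gateway sees it (hypothetical fields)."""
    spi: int
    peer_external: IPv4Address        # outer source address of the ESP (or UDP) packets
    nat_traversal: bool               # negotiated with NAT-T / UDP encapsulation
    assigned: Optional[IPv4Address]   # address handed to the client by the GW, if any


@dataclass
class Gateway:
    pool: List[IPv4Address]           # internal addresses Y the GW may allocate itself
    sas: Dict[int, SecurityAssociation] = field(default_factory=dict)
    # Y -> (spi, address the client actually put in the inner header)
    bindings: Dict[IPv4Address, Tuple[int, IPv4Address]] = field(default_factory=dict)

    def add_sa(self, spi, peer_external, nat_traversal, assigned=None):
        self.sas[spi] = SecurityAssociation(
            spi, ip_address(peer_external), nat_traversal,
            ip_address(assigned) if assigned else None)

    def inbound(self, spi: int, inner_src: str) -> Tuple[str, Optional[str]]:
        """Policy for a decapsulated packet received on SA `spi`.

        Returns (decision, source address the intranet will see).
        """
        sa = self.sas[spi]
        src = ip_address(inner_src)
        if not sa.nat_traversal:
            # No NAT between client and GW: be strict, the inner address must be
            # the same address the outer packets came from.
            if src != sa.peer_external:
                return ("drop", None)
            return ("pass", str(src))
        if sa.assigned is not None:
            # NAT-T with address assignment: only the assigned address may pass.
            if src != sa.assigned:
                return ("drop", None)
            return ("pass", str(src))
        # NAT-T without assignment: the client picked inner_src itself (hotel,
        # airport, ...), and it may even collide with an intranet address.  Map
        # it to a GW-chosen Y so hosts behind the GW only ever see Y and their
        # replies can be routed back into this SA instead of being blackholed.
        return ("translate", str(self._bind(spi, src)))

    def _bind(self, spi: int, src: IPv4Address) -> IPv4Address:
        """Return the existing Y for (spi, src) or allocate a fresh one."""
        for y, (s, real) in self.bindings.items():
            if s == spi and real == src:
                return y
        if not self.pool:
            raise RuntimeError("no internal address left to assign")
        y = self.pool.pop(0)
        self.bindings[y] = (spi, src)
        return y

    def outbound(self, dst: str) -> Tuple[str, Optional[int], str]:
        """Packet from the intranet: reverse-NAT into an SA, or forward in the clear."""
        d = ip_address(dst)
        if d in self.bindings:
            spi, real = self.bindings[d]
            return ("tunnel", spi, str(real))
        return ("clear", None, dst)


def demo() -> Gateway:
    """Three clients, one per policy; all addresses are made up."""
    gw = Gateway(pool=[ip_address("10.0.0.200"), ip_address("10.0.0.201")])
    gw.add_sa(1, "203.0.113.7", nat_traversal=False)                        # plain ESP
    gw.add_sa(2, "198.51.100.9", nat_traversal=True, assigned="10.0.0.50")  # NAT-T + assignment
    gw.add_sa(3, "198.51.100.9", nat_traversal=True)                        # NAT-T, no assignment
    return gw


if __name__ == "__main__":
    gw = demo()
    print(gw.inbound(1, "203.0.113.7"))   # ('pass', '203.0.113.7')
    print(gw.inbound(1, "10.0.0.1"))      # ('drop', None): spoofed intranet address
    print(gw.inbound(2, "10.0.0.50"))     # ('pass', '10.0.0.50')
    print(gw.inbound(3, "192.168.1.5"))   # ('translate', '10.0.0.200')
    print(gw.outbound("10.0.0.200"))      # ('tunnel', 3, '192.168.1.5')
    print(gw.outbound("10.0.0.1"))        # ('clear', None, '10.0.0.1')
```

The point the model makes explicit: for the plain ESP peer the gateway can compare the inner address with the outer one, but for a NAT-T peer the outer address belongs to the NAT, so the only addresses the gateway can trust are the one it assigned itself or the Y it substitutes, and the Y binding is also what lets return traffic find its way back into the right SA rather than into the blackhole mentioned above.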
- Re: NAT-Traversal - Security Considerations mlafon
- NAT-Traversal - Security Considerations mlafon
- Re: NAT-Traversal - Security Considerations Ari Huttunen
- Re: NAT-Traversal - Security Considerations Francis Dupont
- Re: NAT-Traversal - Security Considerations Ari Huttunen
- Re: NAT-Traversal - Security Considerations mlafon