Hi Tero,
On Thu, Jul 30, 2009 at 2:16 PM, Tero Kivinen <kivi...@iki.fi> wrote:
> Raj Singh writes:
> > 1. Initiator is behind N(P)AT and floats the port to (4500, 4500)
> > and sends IKE_AUTH with source port 4500. Now the N(P)AT changes the source port
> > to 1024, but there is a man-in-the-middle who changes the port to another
> > host behind the N(P)AT's port, say 1025; still the IKE_AUTH packet is
> > authenticated.
> >
> > The responder establishes the SA with destination port 1025 instead of
> > 1024 and sends the reply back to destination port 1025, so it will never
> > reach the original initiator. So the IKE SA does not get established
> > on the initiator. But there is no mention of this DoS attack in the draft?
>
> When the initiator does not get packets, it will retransmit its packet,
> and if the man-in-the-middle attacker is no longer there it will reach
> the other end and have source port 1024. This will then be an
> authenticated retransmission packet for the other end, which will then
> retransmit its previous packet to the address where the port numbers were
> swapped. As the packet was not a new packet it will not update the SA,
> but the next packet from the responder will cause it to update the port
> numbers.
>
> If the man-in-the-middle is still there then the attack is still
> ongoing and he can prevent communications between the two peers. He does
> not even need to modify the ports; he can simply delete those
> packets...

Agree. But the draft does NOT mention this DoS attack in the security considerations. We'll have a mention of it in the draft, as the parent SA itself will come UP with the wrong ports.

> > 2. The draft says the host that is NOT behind NAT SHOULD send packets to the
> > IP address and port from which it received the last authenticated packet.
> > A host behind a NAT SHOULD NOT do this because it opens a
> > DoS attack.
>
> Yes.
>
> > But how does the location of the host (behind NAT or NOT) avoid a DoS attack? Say
> > when the responder, having a public IP, sends a UDP-encapsulated packet, some
> > man-in-the-middle changes the port; then the initiator, which is behind NAT, will
> > use the ports from the packet and will never reach the responder. This is also a
> > DoS attack.
> > Please let me know how the location of the host (behind NAT or not) helps in avoiding
> > a DoS attack?
>
> If we take the most common case where the initiator / client is behind
> NAT and the responder/server is not behind the NAT. Now the
> responder/server has a fixed IP address which will NOT change. Thus if the
> host which knows that the other end is not behind NAT (i.e. the initiator /
> client in this case) does not update IP addresses at all, as it knows
> the other end has a fixed IP address, the attacker cannot force both ends
> to change addresses at the same time. If the client would take any packet
> and change the other end's address to be as claimed in the headers, then
> the attacker could simply send one packet that would change the client's view of
> where the server is, and as the client is behind NAT his old NAT
> mapping would get destroyed after a time, and after that the server cannot
> communicate with the client anymore at all.
> --
> kivi...@iki.fi

Thanks and Regards,
Raj
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
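The two cases argued above (item 1: an on-path attacker moving the source port of an authenticated IKE_AUTH so the responder's reply goes to the wrong NAT port; item 2: why a host behind NAT must not follow the headers of the packets it receives) can be run through as a small model. The following Python is an added example written for this page; it is not code from the thread, the draft, or any IKE implementation. It assumes: an HMAC over (message id, body) in place of the SK payload's integrity checksum, with the UDP header outside the checksum as in real IKE; documentation addresses (10.0.0.2 behind a N(P)AT mapped to 198.51.100.1:1024, responder at 203.0.113.5:4500) and a made-up key; the responder already knows the initiator's NAT mapping from IKE_SA_INIT; and, following Tero's description, that an authenticated retransmission does not move the SA while the next new authenticated packet does.

```python
"""Model of the IKEv2 NAT-T address-update rule discussed in this thread.
Constructed example, not IKE itself or any implementation's code. An HMAC over
(message id, body) stands in for the SK payload's integrity checksum; the outer
UDP source address/port is NOT covered by it, which is what lets an on-path
attacker rewrite the port of a packet that still authenticates. Addresses,
ports and the key are made up for the demonstration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]                          # (ip, udp_port)
INITIATOR_PRIVATE: Addr = ("10.0.0.2", 4500)    # initiator, behind the N(P)AT
NAT_MAPPING: Addr = ("198.51.100.1", 1024)      # N(P)AT's public mapping for it
RESPONDER: Addr = ("203.0.113.5", 4500)         # responder on a fixed public IP
SK = b"example-integrity-key"                   # assumed already derived by IKE


def compute_icv(msg_id: int, body: bytes) -> bytes:
    return hmac.new(SK, msg_id.to_bytes(4, "big") + body, hashlib.sha256).digest()


@dataclass
class Packet:
    src: Addr
    dst: Addr
    msg_id: int
    body: bytes
    icv: bytes


@dataclass
class Peer:
    addr: Addr
    behind_nat: bool
    peer_addr: Addr          # where this peer currently sends IKE/ESP to
    last_msg_id: int = -1    # highest authenticated message id received so far

    def send(self, msg_id: int, body: bytes) -> Packet:
        return Packet(self.addr, self.peer_addr, msg_id, body, compute_icv(msg_id, body))

    def receive(self, pkt: Packet) -> str:
        """Apply the address-update rule to an incoming packet; return a verdict."""
        if not hmac.compare_digest(compute_icv(pkt.msg_id, pkt.body), pkt.icv):
            return "dropped: bad ICV"      # unauthenticated: never touches the SA
        if pkt.msg_id <= self.last_msg_id:
            return "ok: retransmission"    # not a new packet: addresses unchanged
        self.last_msg_id = pkt.msg_id
        if self.behind_nat:
            # Behind NAT: the peer's address is fixed, so SHOULD NOT follow headers.
            return "ok: kept %s:%d" % self.peer_addr
        if pkt.src != self.peer_addr:
            # Not behind NAT: SHOULD follow the last authenticated packet. This
            # survives a NAT re-mapping, and it is exactly what item 1 abuses.
            self.peer_addr = pkt.src
            return "ok: updated to %s:%d" % pkt.src
        return "ok: unchanged"


def via_nat(pkt: Packet, outbound: bool) -> Optional[Packet]:
    """N(P)AT: rewrite the source outbound; inbound, deliver only to the current mapping."""
    if outbound:
        return Packet(NAT_MAPPING, pkt.dst, pkt.msg_id, pkt.body, pkt.icv)
    if pkt.dst != NAT_MAPPING:
        return None                      # no mapping for that port: the NAT drops it
    return Packet(pkt.src, INITIATOR_PRIVATE, pkt.msg_id, pkt.body, pkt.icv)


def attacker_rewrites_src_port(pkt: Packet, port: int) -> Packet:
    """On-path attacker changes only the UDP source port; the ICV still verifies."""
    return Packet((pkt.src[0], port), pkt.dst, pkt.msg_id, pkt.body, pkt.icv)


def make_peers() -> Tuple[Peer, Peer]:
    # The responder learned the initiator's NAT mapping during IKE_SA_INIT.
    return Peer(INITIATOR_PRIVATE, True, RESPONDER), Peer(RESPONDER, False, NAT_MAPPING)


def item1_port_rewrite_dos():
    """Item 1: the source port of an authenticated IKE_AUTH is moved 1024 -> 1025."""
    init, resp = make_peers()
    pkt = attacker_rewrites_src_port(via_nat(init.send(1, b"IKE_AUTH"), True), 1025)
    v1 = resp.receive(pkt)                                         # responder follows it
    lost = via_nat(resp.send(1, b"IKE_AUTH resp"), False) is None  # reply went to :1025
    # The initiator times out and retransmits; the attacker is no longer on the path.
    v2 = resp.receive(via_nat(init.send(1, b"IKE_AUTH"), True))
    # The next new authenticated packet from the initiator repairs the ports.
    resp.receive(via_nat(init.send(2, b"INFORMATIONAL"), True))
    return v1, lost, v2, resp.peer_addr


def item2_behind_nat_keeps_fixed_peer(follow_headers: bool = False):
    """Item 2: the source port of the responder's reply is rewritten 4500 -> 4501.
    follow_headers=True makes the initiator act like a host not behind NAT."""
    init, resp = make_peers()
    init.behind_nat = not follow_headers
    reply = attacker_rewrites_src_port(resp.send(1, b"IKE_AUTH resp"), 4501)
    verdict = init.receive(via_nat(reply, False))
    return verdict, init.send(2, b"INFORMATIONAL").dst == RESPONDER
```

Running `item1_port_rewrite_dos()` shows the responder moving to port 1025 because the packet authenticates, its reply being dropped by the NAT, the retransmission leaving the SA alone, and the next new message restoring port 1024. `item2_behind_nat_keeps_fixed_peer()` shows the behind-NAT initiator ignoring the rewritten header and still sending to 203.0.113.5:4500, while `item2_behind_nat_keeps_fixed_peer(True)` shows what Tero warns about: a client that follows headers is redirected by a single packet to a port the server never listens on. A packet with a bad ICV is rejected by `Peer.receive` before any address logic runs, so an attacker without the key cannot move either end at all; only the port rewriting of genuine packets (or simply dropping them) remains.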