Hi Patrick,

It is true that this is one of the primary remaining issues with SPA. The server receiving the packet only sees the public IP of the client. At the moment there isn't a solution to this, as IPv4 doesn't provide any kind of authentication at the network level. Once the server has verified the SPA packet, it can only open the necessary port to <public IP>. It can't distinguish <host1>@<publicIP> from <host2>@<publicIP>. But generally this problem permeates into computer security as a whole. The MITM attacker almost always has supreme power by having the luxury of manipulating traffic until it suits him.

The purpose of SPA is simply to add another layer of security. In 99% of cases you won't have a malicious attacker in a MITM position who is watching all traffic. Remember that defeating SPA only brings you back to square one: authenticating/attacking the original service. For a MITM attacker to take advantage of his situation, if SPA were protecting port 22 of a server for example, he would have to wait for a valid SPA packet to fly by, open a connection to the server, and send an exploit and/or log in with a valid username/pass. He definitely won't have enough time for a dictionary or brute force attack of any kind.

I haven't researched it much yet, but IPv6 may be able to bring some developments in this area as it offers native authentication. I'd be happy to find a better solution before then ;)

Sincerely,
Sebastien

On Monday, June 01, 2009, at 04:41PM, "patrick koping" <[email protected]> wrote:
>
>Hello!
>
>I recently got around to trying out fwknop and I must say it's really sweet!
>
>One question popped up though:
>
>I can't figure out what one would gain in security against a MITM attack
>using the resolving of one's public IP, if one would be located behind a
>NAT'ing router? Somewhere in the documentation, there was a note about an
>attacker being on the same private net, but what kind of configuration would
>protect against that (except the obvious with using encrypted communication
>as usual).
>
>As I am testing now, having two servers behind the same NAT firewall, one of
>them sends the SPA packet and both of them can connect openVPN to the
>receiving openVPN server. Now this is ok because I want them to be able to
>connect, but as I see it, it defeats the whole purpose of fwknop, as I can't
>trust the NAT'ed net.
>
>
>Regards
>Patrick
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
