Hi Group,

I have a question regarding security considerations for the NAT-T scenario in
IKEv2.
According to ikev2-bis-04, section 2.23:
---------------------------------------------------------------

      There are cases where a NAT box decides to remove mappings that
      are still alive (for example, the keepalive interval is too long,
      or the NAT box is rebooted).  To recover in these cases, hosts
      that do not support other methods of recovery such as MOBIKE
      [MOBIKE <http://tools.ietf.org/html/draft-ietf-ipsecme-ikev2bis-04#ref-MOBIKE>],
      and that are not behind a NAT, SHOULD send all packets
      (including retransmission packets) to the IP address and port from
      the last valid authenticated packet from the other end (that is,
      they should dynamically update the address).  A host behind a NAT
      SHOULD NOT do this because it opens a possible denial-of-service
      attack.  Any authenticated IKE packet or any authenticated UDP-
      encapsulated ESP packet can be used to detect that the IP address
      or the port has changed.  When IKEv2 is used with MOBIKE,
      dynamically updating the addresses described above interferes with
      MOBIKE's way of recovering from the same situation, so this method
      MUST NOT be used when MOBIKE is used.  See Section 3.8
      <http://tools.ietf.org/html/draft-ietf-ipsecme-ikev2bis-04#section-3.8>
      of [MOBIKE <http://tools.ietf.org/html/draft-ietf-ipsecme-ikev2bis-04#ref-MOBIKE>]
      for more information.

---------------------------------------------------------------

1. The initiator is behind a N(P)AT, floats the port to (4500, 4500),
and sends IKE_AUTH with source port 4500. The N(P)AT changes the source port
to 1024, but a man-in-the-middle changes the port to another host behind the
N(P)AT's port, say 1025; the IKE_AUTH packet is still authenticated.

The responder establishes the SA with destination port 1025 instead of
1024 and sends the reply back to destination port 1025, so it will never
reach the original initiator. So the IKE SA does not get established
on the initiator, but there is no mention of this DoS attack in the draft?

2. The draft says the host that is NOT behind a NAT SHOULD send packets to
the IP address and port from which it received the last authenticated packet.
A host behind a NAT SHOULD NOT do this because it opens a
DoS attack.

But how does the location of the host (behind NAT or not) avoid the DoS attack? Say
the responder has a public IP and sends a UDP-encapsulated packet, and some
man-in-the-middle changes the port; then the initiator, which is behind a NAT, will
use the ports from the packet and will never reach the responder. This is also a
DoS attack.
Please let me know how the location of the host (behind NAT or not) helps in avoiding
the DoS attack?

Thanks & Regards,
Raj
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
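The address-update rule quoted from section 2.23, modelled as an added example; this is not code from the draft, from any IKE implementation, or from the original post. It assumes a toy packet type, a `behind_nat` flag standing in for the outcome of the NAT_DETECTION_* notify exchange, and constructed documentation addresses (198.51.100.7 for the initiator's NAT, 203.0.113.20 for the responder). The point it makes visible is which inputs the rule trusts: only an authenticated packet can move the peer address, and only on a host that is not behind a NAT and is not using MOBIKE.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]  # (IP address, UDP port)

# Constructed addresses for the scenarios below (RFC 5737 documentation ranges).
INITIATOR_NAT_PUBLIC = "198.51.100.7"   # public side of the initiator's NAT
RESPONDER_PUBLIC = "203.0.113.20"       # responder with a public IP


@dataclass
class Packet:
    """Toy stand-in for an inbound IKE or UDP-encapsulated ESP packet."""
    src: Addr
    authenticated: bool  # True only after the IKE integrity check / ESP ICV verified


@dataclass
class NatTPeerState:
    """Per-SA state deciding whether the peer's address may be learned from traffic."""
    behind_nat: bool    # this host is behind a NAT (from the NAT_DETECTION_* exchange)
    uses_mobike: bool   # MOBIKE negotiated on this IKE SA
    peer_addr: Addr     # address/port we currently send IKE and ESP-in-UDP to

    def may_update_peer_address(self) -> bool:
        # Section 2.23: dynamic update only for hosts NOT behind a NAT,
        # and never when MOBIKE is in use (MOBIKE recovers on its own).
        return not self.behind_nat and not self.uses_mobike

    def on_inbound(self, pkt: Packet) -> Optional[Addr]:
        """Process one inbound packet; return the new peer address if it changed."""
        if not pkt.authenticated:
            return None  # unauthenticated packets never influence SA state
        if pkt.src == self.peer_addr:
            return None  # same source as before, nothing to do
        if not self.may_update_peer_address():
            return None  # keep the address fixed (an implementation would log this)
        self.peer_addr = pkt.src
        return self.peer_addr


def public_responder_recovers_after_nat_rebind() -> Addr:
    """Responder with a public IP follows the initiator after its NAT re-maps."""
    r = NatTPeerState(behind_nat=False, uses_mobike=False,
                      peer_addr=(INITIATOR_NAT_PUBLIC, 1024))
    # NAT rebooted: the initiator's next authenticated packet arrives from a new port.
    r.on_inbound(Packet((INITIATOR_NAT_PUBLIC, 2048), authenticated=True))
    return r.peer_addr


def host_behind_nat_keeps_configured_peer() -> Addr:
    """Initiator behind a NAT keeps sending to the address it already knows."""
    i = NatTPeerState(behind_nat=True, uses_mobike=False,
                      peer_addr=(RESPONDER_PUBLIC, 4500))
    i.on_inbound(Packet((RESPONDER_PUBLIC, 4600), authenticated=True))
    return i.peer_addr


def unauthenticated_packet_is_ignored() -> Addr:
    """Even a public host ignores address changes seen on unauthenticated packets."""
    r = NatTPeerState(behind_nat=False, uses_mobike=False,
                      peer_addr=(INITIATOR_NAT_PUBLIC, 1024))
    r.on_inbound(Packet((INITIATOR_NAT_PUBLIC, 2048), authenticated=False))
    return r.peer_addr


def mobike_peer_keeps_address() -> Addr:
    """With MOBIKE negotiated, the section 2.23 update MUST NOT be applied."""
    r = NatTPeerState(behind_nat=False, uses_mobike=True,
                      peer_addr=(INITIATOR_NAT_PUBLIC, 1024))
    r.on_inbound(Packet((INITIATOR_NAT_PUBLIC, 2048), authenticated=True))
    return r.peer_addr


if __name__ == "__main__":
    print("public responder after rebind:", public_responder_recovers_after_nat_rebind())
    print("host behind NAT:", host_behind_nat_keeps_configured_peer())
    print("unauthenticated packet:", unauthenticated_packet_is_ignored())
    print("MOBIKE peer:", mobike_peer_keeps_address())
```

Only the outer UDP header and the authentication result feed the decision; no address or port carried inside the payload is consulted, which is why the draft ties the recovery mechanism to authenticated packets and to the NAT-detection outcome rather than to any field a sender could fill in.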
