Raj Singh writes:
> 1. Initiator is behind N(P)AT and floats the port to (4500, 4500)
> and sends IKE_AUTH with source port 4500. Now N(P)AT changes the source port
> to 1024, but there is a man-in-the-middle who changes the port to another
> host behind N(P)AT's port, say 1025; still the IKE_AUTH packet is authenticated.
>
> The responder establishes the SA with destination port 1025 instead of
> 1024 and sends the reply back to destination port 1025, so it will never
> reach the original initiator. So the IKE SA does not get established
> on the initiator. But there is no mention of this DoS attack in the draft?

When the initiator does not get packets, it will retransmit its packet, and if the man-in-the-middle attacker is no longer there it will reach the other end and has a source port of 1024. This will then be an authenticated retransmission packet for the other end, which will then retransmit its previous packet to the address where the port numbers were swapped. As the packet was not a new packet it will not update the SA, but the next packet from the responder will cause it to update the port numbers.

If the man-in-the-middle is still there, then the attack is still ongoing and he can prevent communications between the two peers. He does not even need to modify the ports; he can simply delete those packets...

> 2. The draft says the host that is NOT behind NAT SHOULD send packets to the
> IP address and port from which it received the last authenticated packet.
> A host behind a NAT SHOULD NOT do this because it opens a
> DoS attack.

Yes.

> But how does the location of the host (behind NAT or NOT) avoid a DoS attack? Say
> when the responder has a public IP and sends a UDP-encapsulated packet, some
> man-in-the-middle changes the port; then the initiator which is behind NAT will
> use the ports from the packet and will never reach the responder. This is also a
> DoS attack.
> Please let me know how the location of the host (behind NAT or not) helps in avoiding
> the DoS attack?

If we take the most common case, where the initiator / client is behind NAT and the responder / server is not behind the NAT, then the responder / server has a fixed IP address which will NOT change. Thus if the host which knows that the other end is not behind NAT (i.e. the initiator / client in this case) does not update IP addresses at all, as it knows the other end has a fixed IP address, the attacker cannot force both ends to change addresses at the same time.

If the client would take any packet and change the other end's address to be as claimed in the headers, then the attacker could simply send one packet that would change the client's view of where the server is, and as the client is behind NAT his old NAT mapping would get destroyed after a time, and after that the server cannot communicate with the client anymore at all.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
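The two scenarios argued in this exchange, as an added Python model that is not part of the thread or of any IKE implementation: a host not behind NAT follows the source of new authenticated packets (and so recovers once the attacker stops rewriting ports), while a host behind NAT keeps the peer's fixed address no matter what the outer headers claim. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: tuple            # outer (ip, port) as seen by the receiver; not integrity-protected
    authenticated: bool   # passed the IKE/ESP integrity check
    retransmission: bool  # True if this message was already seen

@dataclass
class Peer:
    name: str
    behind_nat: bool
    peer_addr: tuple          # where this host currently sends to
    follow_rule: bool = True  # False models a naive host that always trusts the headers
    updates: list = field(default_factory=list)

    def receive(self, pkt: Packet) -> tuple:
        # Unauthenticated packets never move the SA. Under the rule, a host
        # behind NAT never updates, and retransmissions never update either.
        if not pkt.authenticated:
            return self.peer_addr
        if self.follow_rule and (self.behind_nat or pkt.retransmission):
            return self.peer_addr
        if pkt.src != self.peer_addr:
            self.updates.append((self.peer_addr, pkt.src))
            self.peer_addr = pkt.src
        return self.peer_addr

CLIENT_NAT = ("198.51.100.7", 1024)   # constructed: client's real NAT mapping
MITM_PORT = ("198.51.100.7", 1025)    # constructed: port as rewritten by the attacker
SERVER = ("203.0.113.5", 4500)        # constructed: server's fixed public address

def server_recovers_after_mitm() -> Peer:
    """Scenario 1: the server (not behind NAT) follows the rewritten port while
    the attacker is present, ignores the client's retransmission, and moves the
    SA back on the next new message once genuine traffic reaches it again."""
    server = Peer("server", behind_nat=False, peer_addr=CLIENT_NAT)
    server.receive(Packet(MITM_PORT, True, False))    # IKE_AUTH arrives with port 1025
    server.receive(Packet(CLIENT_NAT, True, True))    # attacker gone: retransmit from 1024
    server.receive(Packet(CLIENT_NAT, True, False))   # next new message from 1024
    return server

def client_peer_after_relabelled_packet(follow_rule: bool) -> tuple:
    """Scenario 2: an authenticated packet reaches the client (behind NAT) with
    a different outer source. The rule-following client keeps the server's
    fixed address; a naive client would redirect its traffic and lose its NAT mapping."""
    client = Peer("client", behind_nat=True, peer_addr=SERVER, follow_rule=follow_rule)
    return client.receive(Packet(("192.0.2.99", 4500), True, False))
```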