[64035] in North American Network Operators' Group
Re: Block all servers?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Oct 14 16:36:33 2003
From: "Steven M. Bellovin" <smb@research.att.com>
To: crist.clark@globalstar.com
Cc: Kee Hinckley <nazgul@somewhere.com>,
Stefan Mink <mink@schlund.net>, nanog@merit.edu
In-Reply-To: Your message of "Tue, 14 Oct 2003 13:08:21 PDT."
<3F8C57B5.6F4F2C50@globalstar.com>
Date: Tue, 14 Oct 2003 16:35:56 -0400
Errors-To: owner-nanog-outgoing@merit.edu
In message <3F8C57B5.6F4F2C50@globalstar.com>, Crist Clark writes:
>
>Kee Hinckley wrote:
>>
>> At 6:30 PM +0200 10/14/03, Stefan Mink wrote:
>> >On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote:
>> >> > I use IPSEC and it works fine behind NAT.
>> >>
>> >> Yes, it does work, on a small scale. However what if your neighbor
>> >> wants to IPSEC to the same place (say you work at the same place).
>> >> If both of you are NAT'd from the same IP address trying to IPSEC
>> >> to the same IP address? I don't believe things will work in this
>> >> instance.
>> >
>> >why not? We use it here, works fine (with certificates for auth).
>>
>> From what I've seen it depends on whether the NAT has specific
>> support for IPSEC, and if that support includes support for multiple
>> clients. The NAT box has to keep track of the mapping. I've seen
>> NATs priced based on how many VPN clients they support at a time.
>>
>> See http://www.dslreports.com/faq/4638
>
>Quoting from that,
>
> Some routers permit multiple IPSec connections through NAT by uniquely
> identifying tunnels via the pair of SPI numbers snagged from an IKE
> exchange. These identifying numbers are stored in IPSec NAT table entries
> to allow correct routing of inbound ESP traffic.
>
>Last time I looked, the SPIs are exchanged in an encrypted payload in
>IKE. Am I mistaken? The router would have to mount a successful MIM
>attack to do this.
You're completely correct. NATs can only handle this by heuristics;
they can't handle the situation where more than one host behind it is
communicating via IPsec with the same destination.
--Steve Bellovin, http://www.research.att.com/~smb
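To illustrate the point about heuristics, here is an added Python model (not from the thread or any vendor) of a NAT that sees only the ESP header and must guess which inside host a new inbound SPI belongs to; the addresses, SPIs and the "oldest host still waiting" rule are constructed assumptions, not a description of any particular NAT product.

```python
import struct
from collections import deque

# ESP header (RFC 2406): 4-byte SPI, 4-byte sequence number, then ciphertext.
def esp_packet(spi, seq, payload=b"\x00" * 16):
    return struct.pack("!II", spi, seq) + payload

def parse_esp(pkt):
    """Return (spi, seq): the only ESP fields visible to a NAT."""
    if len(pkt) < 8:
        raise ValueError("short ESP packet")
    return struct.unpack("!II", pkt[:8])

class HeuristicEspNat:
    """NAT passing ESP from several inside hosts to one peer. Each side picks
    the SPI the other must send to it and announces it in encrypted IKE
    payloads, so the NAT can only guess which inside host a new inbound SPI
    belongs to; here it guesses the oldest host still awaiting a first reply."""
    def __init__(self):
        self.in_table = {}   # (peer, inbound SPI) -> inside host (a guess)
        self.mapped = set()  # (peer, inside host) pairs already guessed
        self.pending = {}    # peer -> deque of inside hosts awaiting a reply

    def outbound(self, inside_host, peer, pkt):
        spi, _ = parse_esp(pkt)  # visible, but says nothing about the reply SPI
        q = self.pending.setdefault(peer, deque())
        if (peer, inside_host) not in self.mapped and inside_host not in q:
            q.append(inside_host)
        return spi

    def inbound(self, peer, pkt):
        spi, _ = parse_esp(pkt)
        host = self.in_table.get((peer, spi))
        if host is None:                  # unknown SPI: fall back to the heuristic
            q = self.pending.get(peer)
            if not q:
                return None               # nobody inside expects this peer: drop
            host = q.popleft()
            self.in_table[(peer, spi)] = host
            self.mapped.add((peer, host))
        return host

def demo():
    """Hosts A and B (constructed values) start IPsec to one gateway whose first
    reply is for B. Returns (host the NAT delivered to, host it was really for)."""
    nat, gw = HeuristicEspNat(), "203.0.113.1"
    nat.outbound("10.0.0.2", gw, esp_packet(0x10000001, 1))   # A
    nat.outbound("10.0.0.3", gw, esp_packet(0x10000002, 1))   # B
    got_b = nat.inbound(gw, esp_packet(0xBBBB0001, 1))  # B's SPI, set via IKE
    got_a = nat.inbound(gw, esp_packet(0xAAAA0001, 1))  # A's SPI, set via IKE
    return [(got_b, "10.0.0.3"), (got_a, "10.0.0.2")]
```

With a single inside host the guess is always right; with two hosts to the same peer, whichever reply arrives first is bound to the wrong host and stays wrong for the life of that SPI.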