Block all servers?
Steven M. Bellovin
smb at research.att.com
Tue Oct 14 20:35:56 UTC 2003
In message <3F8C57B5.6F4F2C50 at globalstar.com>, Crist Clark writes:
>
>Kee Hinckley wrote:
>>
>> At 6:30 PM +0200 10/14/03, Stefan Mink wrote:
>> >On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote:
>> >> > I use IPSEC and it works fine behind NAT.
>> >>
>> >> Yes, it does work, on a small scale. However what if your neighbor
>> >> wants to IPSEC to the same place (say you work at the same place).
>> >> If both of you are NAT'd from the same IP address trying to IPSEC
>> >> to the same IP address? I don't believe things will work in this
>> >> instance.
>> >
>> >why not? We use it here, works fine (with certificates for auth).
>>
>> From what I've seen it depends on whether the NAT has specific
>> support for IPSEC, and if that support includes support for multiple
>> clients. The NAT box has to keep track of the mapping. I've seen
>> NATs priced based on how many VPN clients they support at a time.
>>
>> See http://www.dslreports.com/faq/4638
>
>Quoting from that,
>
> Some routers permit multiple IPSec connections through NAT by uniquely
> identifying tunnels via the pair of SPI numbers snagged from an IKE
> exchange. These identifying numbers are stored in IPSec NAT table entries
> to allow correct routing of inbound ESP traffic.
>
>Last time I looked, the SPIs are exchanged in an encrypted payload in
>IKE. Am I mistaken? The router would have to mount a successful MIM
>attack to do this.

You're completely correct. NATs can only handle this by heuristics;
they can't handle the situation where more than one host behind it is
communicating via IPsec with the same destination.
--Steve Bellovin, http://www.research.att.com/~smb
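The point Crist Clark and Steve Bellovin make above can be shown concretely. The following is an added Python example, not code from this thread or from any router vendor: a toy NAT that keeps the per-tunnel SPI table the quoted FAQ describes. It only ever sees the SPI in the cleartext ESP header of outbound packets; the SPI the inside host chose for inbound traffic was carried to the peer inside the encrypted IKE payload, so for inbound ESP the NAT is reduced to the heuristic "if only one inside host talks to this peer, assume it is for that host". With a single client that guess is always right; with two clients to the same peer the first inbound packet for a new SA is unresolvable. All addresses and SPIs are constructed sample values from the RFC 5737 documentation ranges, and the NAT class and its methods are this example's own names.

```python
import struct
from typing import Dict, Optional, Set, Tuple

# ESP header (RFC 2406): 4-byte SPI, 4-byte sequence number; the rest is encrypted.
ESP_HEADER = struct.Struct("!II")


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """Construct a bare ESP datagram with an opaque (stand-in for encrypted) payload."""
    return ESP_HEADER.pack(spi, seq) + payload


def parse_esp(datagram: bytes) -> Tuple[int, int]:
    """Return (spi, seq) from the cleartext ESP header."""
    if len(datagram) < ESP_HEADER.size:
        raise ValueError("truncated ESP datagram")
    spi, seq = ESP_HEADER.unpack_from(datagram)
    return spi, seq


class EspNat:
    """Toy NAT (hypothetical, for illustration) that multiplexes ESP by SPI."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # (peer_ip, spi) -> inside host, learned from outbound ESP the NAT can read.
        self.outbound: Dict[Tuple[str, int], str] = {}
        # (peer_ip, spi) -> inside host for inbound ESP; can only be guessed.
        self.inbound: Dict[Tuple[str, int], str] = {}
        # peer_ip -> inside hosts known to have a tunnel with that peer.
        self.peers: Dict[str, Set[str]] = {}

    def translate_outbound(self, inside_host: str, peer_ip: str,
                           datagram: bytes) -> Tuple[str, str, bytes]:
        """Record the peer-chosen SPI seen in outbound ESP and rewrite the outer source."""
        spi, _ = parse_esp(datagram)
        self.outbound[(peer_ip, spi)] = inside_host
        self.peers.setdefault(peer_ip, set()).add(inside_host)
        # The ESP body is untouched: there is no port to rewrite, only the outer IP.
        return self.public_ip, peer_ip, datagram

    def translate_inbound(self, peer_ip: str, datagram: bytes) -> Optional[str]:
        """Pick the inside host for inbound ESP, or None if the SPI is ambiguous."""
        spi, _ = parse_esp(datagram)
        key = (peer_ip, spi)
        if key in self.inbound:
            return self.inbound[key]
        # The inside host chose this SPI and sent it to the peer inside the
        # encrypted IKE exchange, so the NAT never observed it. Heuristic:
        # if exactly one inside host has a tunnel to this peer, it must be theirs.
        candidates = self.peers.get(peer_ip, set())
        if len(candidates) == 1:
            host = next(iter(candidates))
            self.inbound[key] = host
            return host
        return None  # two or more inside hosts to the same peer: cannot decide


PEER = "198.51.100.7"  # constructed sample VPN gateway address


def single_client() -> Optional[str]:
    """One host behind the NAT: the heuristic resolves inbound ESP correctly."""
    nat = EspNat("203.0.113.1")
    nat.translate_outbound("10.0.0.2", PEER, build_esp(0x1001, 1, b"\x00" * 16))
    return nat.translate_inbound(PEER, build_esp(0x2001, 1, b"\x00" * 16))


def two_clients_same_peer() -> Optional[str]:
    """Two hosts to the same peer: the first inbound packet of a new SA is unresolvable."""
    nat = EspNat("203.0.113.1")
    nat.translate_outbound("10.0.0.2", PEER, build_esp(0x1001, 1, b"\x00" * 16))
    nat.translate_outbound("10.0.0.3", PEER, build_esp(0x1002, 1, b"\x00" * 16))
    return nat.translate_inbound(PEER, build_esp(0x2001, 1, b"\x00" * 16))


if __name__ == "__main__":
    print("single client resolves to:", single_client())
    print("two clients, same peer resolve to:", two_clients_same_peer())
```

Running it prints a host for the single-client case and `None` for the two-client case; a real router in that position either drops the packet or guesses, which is why a NAT's "supports N VPN clients" claim should be read as "N clients to N different gateways".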