North American Network Operators Group
Re: Block all servers?
In message <[email protected]>, Crist Clark writes:
>
>Kee Hinckley wrote:
>>
>> At 6:30 PM +0200 10/14/03, Stefan Mink wrote:
>> >On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote:
>> >> > I use IPSEC and it works fine behind NAT.
>> >>
>> >> Yes, it does work, on a small scale. However what if your neighbor
>> >> wants to IPSEC to the same place (say you work at the same place).
>> >> If both of you are NAT'd from the same IP address trying to IPSEC
>> >> to the same IP address? I don't believe things will work in this
>> >> instance.
>> >
>> >why not? We use it here, works fine (with certificates for auth).
>>
>> From what I've seen it depends on whether the NAT has specific
>> support for IPSEC, and if that support includes support for multiple
>> clients. The NAT box has to keep track of the mapping. I've seen
>> NATs priced based on how many VPN clients they support at a time.
>>
>> See http://www.dslreports.com/faq/4638
>
>Quoting from that,
>
> Some routers permit multiple IPSec connections through NAT by uniquely
> identifying tunnels via the pair of SPI numbers snagged from an IKE
> exchange. These identifying numbers are stored in IPSec NAT table entries
> to allow correct routing of inbound ESP traffic.
>
>Last time I looked, the SPIs are exchanged in an encrypted payload in
>IKE. Am I mistaken? The router would have to mount a successful MIM
>attack to do this.

You're completely correct. NATs can only handle this by heuristics; they
can't handle the situation where more than one host behind it is
communicating via IPsec with the same destination.

        --Steve Bellovin, http://www.research.att.com/~smb
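The failure mode the thread describes, as an added simulation that is not part of the NANOG message or any vendor's passthrough code: ESP (IP protocol 50) exposes only a 32-bit SPI and a sequence number in the clear, with no ports a many-to-one NAT could rewrite, and the inbound SPI each inside host picked for itself travelled to the peer inside the encrypted IKE payload, so the NAT has to guess which inside host an unknown inbound SPI belongs to. The "last inside host to open a session to this peer" heuristic below is one plausible guess; the IP addresses, SPI values and the two-client timing are constructed for the example.

```python
"""
Simulate a many-to-one NAT with heuristic "IPsec passthrough" to show why it
cannot reliably demultiplex inbound ESP when two inside hosts talk IPsec to
the same outside peer.  All addresses and SPIs here are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src: str     # outer IP source
    dst: str     # outer IP destination
    esp: bytes   # ESP header followed by opaque ciphertext


def build_esp(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """ESP header: 4-byte SPI, 4-byte sequence number, then encrypted body."""
    return struct.pack("!II", spi, seq) + body


def parse_esp(esp: bytes) -> Tuple[int, int]:
    """The only fields a NAT can read from ESP: SPI and sequence number. No ports."""
    return struct.unpack("!II", esp[:8])


class IpsecNat:
    """Many-to-one NAT that guesses inbound SPI ownership (the heuristic under discussion)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        # (peer address, inbound SPI) -> inside host, learned by guessing.
        self.inbound_map: Dict[Tuple[str, int], str] = {}
        # peer address -> inside host that most recently sent ESP to that peer.
        self.pending: Dict[str, str] = {}

    def outbound(self, pkt: Packet) -> Packet:
        # The outbound SPI was chosen by the peer and says nothing about the
        # SPI the inside host will expect on replies, so all the NAT can do is
        # remember who talked to this peer last.
        parse_esp(pkt.esp)  # would raise on a truncated header
        self.pending[pkt.dst] = pkt.src
        return Packet(self.public_ip, pkt.dst, pkt.esp)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        spi, _ = parse_esp(pkt.esp)
        key = (pkt.src, spi)
        host = self.inbound_map.get(key)
        if host is None:
            host = self.pending.get(pkt.src)
            if host is None:
                return None          # nobody is waiting on this peer: drop
            self.inbound_map[key] = host  # the guess becomes a sticky binding
        return Packet(pkt.src, host, pkt.esp)


def run_scenarios() -> Dict[str, str]:
    """Run the one-client and two-client cases and report where replies landed."""
    nat_ip = "203.0.113.1"
    peer = "198.51.100.10"                       # outside IPsec gateway (constructed)
    alice, bob = "192.168.1.10", "192.168.1.11"  # inside hosts (constructed)
    # Inbound SPIs chosen by each client and sent to the peer inside encrypted
    # IKE; the NAT never sees these numbers in the clear.
    alice_in, bob_in = 0x0A0A0A0A, 0x0B0B0B0B
    # Outbound SPIs chosen by the peer for traffic toward it.
    alice_out, bob_out = 0x00000101, 0x00000202

    # Case 1: a single client behind the NAT. The heuristic works.
    nat = IpsecNat(nat_ip)
    nat.outbound(Packet(alice, peer, build_esp(alice_out, 1)))
    reply = nat.inbound(Packet(peer, nat_ip, build_esp(alice_in, 1)))
    single_client = reply.dst if reply else "dropped"

    # Case 2: two clients open sessions to the same peer back to back, before
    # the peer's first reply to the first client arrives.
    nat = IpsecNat(nat_ip)
    nat.outbound(Packet(alice, peer, build_esp(alice_out, 1)))
    nat.outbound(Packet(bob, peer, build_esp(bob_out, 1)))
    to_alice = nat.inbound(Packet(peer, nat_ip, build_esp(alice_in, 1)))
    to_bob = nat.inbound(Packet(peer, nat_ip, build_esp(bob_in, 1)))
    return {
        "single_client": single_client,
        "alice_reply_delivered_to": to_alice.dst if to_alice else "dropped",
        "bob_reply_delivered_to": to_bob.dst if to_bob else "dropped",
    }


if __name__ == "__main__":
    for name, where in run_scenarios().items():
        print(f"{name}: {where}")
```

In the two-client case the peer's reply carrying Alice's inbound SPI arrives after Bob's outbound packet, so the NAT binds that SPI to Bob and forwards it there; Bob's kernel has no SA for that SPI and discards it, and the wrong binding is now sticky, so Alice's tunnel never comes up. Reordering the guess (first unknown reply goes to the earliest waiting host) only moves the collision; with the SPI negotiation encrypted, no rule based on what the NAT can see resolves it in general, which is the point Bellovin makes above.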