Re: Block all servers?

["Steven M. Bellovin" <smb () research att com>]

In message <3F8C57B5.6F4F2C50 () globalstar com>, Crist Clark writes:
> Kee Hinckley wrote:
> > At 6:30 PM +0200 10/14/03, Stefan Mink wrote:
> > > On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote:
> > > >  > I use IPSEC and it works fine behind NAT.
> > > >
> > > >  Yes, it does work, on a small scale.  However what if your neighbor
> > > >  wants to IPSEC to the same place (say you work at the same place).
> > > >  If both of you are NAT'd from the same IP address trying to IPSEC
> > > >  to the same IP address?  I don't believe things will work in this
> > > >  instance.
> > >
> > > why not? We use it here, works fine (with certificates for auth).
> >
> >  From what I've seen it depends on whether the NAT has specific
> > support for IPSEC, and if that support includes support for multiple
> > clients.  The NAT box has to keep track of the mapping.  I've seen
> > NATs priced based on how many VPN clients they support at a time.
> >
> > See http://www.dslreports.com/faq/4638
>
> Quoting from that,
>
>  Some routers permit multiple IPSec connections through NAT by uniquely
>  identifying tunnels via the pair of SPI numbers snagged from an IKE
>  exchange. These identifying numbers are stored in IPSec NAT table entries
>  to allow correct routing of inbound ESP traffic.
>
> Last time I looked, the SPIs are exchanged in an encrypted payload in
> IKE. Am I mistaken? The router would have to mount a successful MIM 
> attack to do this.

You're completely correct.  NATs can only handle this by heuristics; 
they can't handle the situation where more than one host behind it is 
communication via IPsec with the same destination.


                --Steve Bellovin, http://www.research.att.com/~smb