Internet Engineering Task Force                         Francis Dupont
INTERNET DRAFT                                           ENST Bretagne
Expires in December 2002                                     June 2002


                 Transient pseudo-NAT attacks or
           how NATs are even more evil than you believed

             <draft-dupont-transient-pseudonat-00.txt>



Status of this Memo

   This document is an Internet Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its
   areas, and its working groups.  Note that other groups may also
   distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-
   Drafts as reference material or to cite them other than as
   "work in progress."

   The list of current Internet Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Distribution of this memo is unlimited.


Abstract

   When a "NAT traversal" capability is added to a class of signaling
   protocols which can control some traffic aggregation points, a new
   attack becomes possible, based on temporary access to the path
   followed by the protocol's messages.

   Mobile IP [1] with NAT traversal [5] or IKE [2] with NAT
   traversal [6], including the IKEv2 [7] proposal, are potential
   victims of this kind of attack.

   This document claims the vulnerability is an intrinsic property
   of the NAT traversal capability, and so is one more respect in
   which the usage of NATs is very damaging.


draft-dupont-transient-pseudonat-00.txt                       [Page 1]


^L
INTERNET-DRAFT        Transient pseudo-NAT attacks           June 2002


1. Introduction

   A Network Address Translator (NAT [8]) is a router which rewrites
   the source address and/or the destination address, and usually
   the transport protocol ports as well. There are many kinds of
   NATs [9], but in this document a NAT is any device which modifies
   at least one of the IP header addresses (a pseudo-NAT when this is
   done for an attack).

   The NAT traversal capability consists of a NAT-resilient transport,
   usually UDP, and of address "agility", i.e., the addresses in the
   packet header are taken as they are, especially the source address
   (packets with a fake destination address are unlikely to reach
   their intended recipient).

   A traffic aggregation point is a node where traffic from many
   sources and/or to many destinations is aggregated and sent to the
   same destination, usually from the same source (the aggregation
   point itself), through a tunnel. Home agents in Mobile IP and
   security gateways in IPsec [3] are typical examples of such traffic
   aggregation points (they are not necessary for the attack but
   increase its impact).


2. The Transient Pseudo-NAT Attack

   An attacker acting as a NAT (i.e., a pseudo-NAT) may:
    - redirect packets to an accomplice
    - prevent the intended recipient from receiving packets addressed
      to it (first form of Denial-of-Service (DoS) attack)
    - flood a third party with the hijacked packets
      (second form of DoS attack, perhaps the most dangerous)
   To perform the attack, the attacker must be on the path of the
   packets for the duration of the attack.

   When there is a traffic aggregation point, the effects of the
   attack are amplified when the attack is done "at the exit" of
   the aggregation point.

   When a signaling protocol controls the path followed by the
   traffic, the attacker need only spoof the addresses in the headers
   of a few messages of that protocol in order to hijack the traffic
   for a long period (i.e., until the error is detected and the
   correct path re-established). As the attacker has to stay on the
   path only for a short moment, in the limit only for one packet,
   this attack is named the "transient" pseudo-NAT attack.


3. Attack Examples

3.1 Mobile IP

   For Mobile IP the traffic aggregation point of choice is the home
   agent and the target signaling protocol is the binding update /
   binding acknowledgment exchange. If the NAT traversal capability
   is enabled, the care-of address of the mobile may not be protected
   and therefore may be easily spoofed.

   If no binding acknowledgment is required, the attack can be reduced
   to the modification in transit of only one packet, so we recommend
   always requiring an acknowledgment when NAT traversal is enabled
   (as a weak form of return-routability check).
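   The following toy model, added here as an illustration and not
   taken from the draft or from any Mobile IP implementation, shows
   why the acknowledgment is recommended and why it is only a weak
   check: a home agent learns the care-of address from the outer
   header, a transient pseudo-NAT can rewrite a limited number of
   packets, and the mobile retransmits its binding update when no
   acknowledgment comes back. All addresses are constructed sample
   values and the message format is a simplification.

```python
# Added example, not part of the draft: a toy model of the Mobile IP
# binding update (BU) / binding acknowledgment (BA) exchange under NAT
# traversal, where the care-of address is taken from the outer header.
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges, not real hosts).
MOBILE_COA, HOME_ADDR, ACCOMPLICE = "10.1.1.2", "192.0.2.10", "203.0.113.7"

@dataclass
class Packet:
    kind: str   # "BU" (binding update) or "BA" (binding acknowledgment)
    src: str    # outer IP source address, trusted as-is under NAT traversal
    dst: str    # outer IP destination address
    home: str   # mobile's home address, carried in the protected payload
    seq: int    # sequence number, echoed in the acknowledgment

class HomeAgent:
    """Binding cache: home address -> care-of address learned from the header."""
    def __init__(self):
        self.bindings = {}

    def handle(self, pkt, ack_required):
        self.bindings[pkt.home] = pkt.src   # address agility: the exposed step
        return Packet("BA", "HA", pkt.src, pkt.home, pkt.seq) if ack_required else None

class PseudoNAT:
    """Transient on-path pseudo-NAT: it can rewrite at most `budget` packets."""
    def __init__(self, budget):
        self.budget = budget

    def rewrite(self, pkt):
        if self.budget <= 0 or pkt is None:
            return pkt                       # attacker has left the path
        self.budget -= 1
        if pkt.kind == "BU":                 # BU: claim the accomplice as care-of
            return Packet(pkt.kind, ACCOMPLICE, pkt.dst, pkt.home, pkt.seq)
        return Packet(pkt.kind, pkt.src, MOBILE_COA, pkt.home, pkt.seq)  # BA: hide it

def register(require_ack, attacker_packets, retries=3):
    """Mobile registers its care-of address; returns the HA's final binding."""
    ha, nat = HomeAgent(), PseudoNAT(attacker_packets)
    for seq in range(retries):
        bu = Packet("BU", MOBILE_COA, "HA", HOME_ADDR, seq)
        ba = nat.rewrite(ha.handle(nat.rewrite(bu), require_ack))
        if not require_ack or (ba is not None and ba.dst == MOBILE_COA):
            break                            # mobile is satisfied and stops
    return ha.bindings[HOME_ADDR]            # a retransmission would otherwise follow
```

   With no acknowledgment required, rewriting one BU is enough; with
   the acknowledgment, the attacker must also stay on the path to
   redirect the BA, otherwise the mobile's retransmission restores the
   correct binding.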


3.2 IKE

   The attack against IKE is worse because IKE is supposed to ensure
   a very high level of security, which is unfortunately defeated by
   NAT traversal, the first short-term work item of the IETF ipsec
   working group charter [4]...

   The attack follows the same scheme: the addresses in the headers of
   IKE exchange messages are spoofed and the traffic, for instance
   between two security gateways, is hijacked.

   Any improvement of the IKE protocol makes the attack easier (a
   very unpleasant property of this attack). For instance, if an
   implementation supports an address change between two "phases"
   (something desirable, and supported via the SPI of phase one),
   then spoofing the two or three messages of a quick mode exchange is
   enough, or in IKEv2 only one packet of a CREATE-CHILD-SA exchange.

   Again there is no easy defense which keeps the NAT traversal
   capability. For instance, protecting the header addresses (very
   easy to provide in the IKE framework) is effective against both
   the vulnerability and the NAT traversal capability...


4. Security Considerations

   The new Mobile IP NAT traversal document has a long description
   of this attack [10,5]. We believe the ipsec working group will
   examine in detail what features can help mobility and/or NAT
   traversal and what their consequences for security are.

   The "Architectural Implications of NAT" document [11] does not
   describe this attack, but it can be considered a result of the
   violation of the end-to-end principle in the trust model.


5. Acknowledgments

   Maryline Maknavicius-Laurent drew my attention to this attack at
   the IP Cellular Network 2002 conference. Phil Roberts encouraged
   me to point out this attack on the IETF mobileip WG mailing-list
   ASAP. I'd like to thank a well-known NAT hater, who'd like to stay
   anonymous, for his help in writing this document.


6. Normative References

   [1] C. Perkins (ed.), "IP Mobility Support for IPv4", RFC 3220,
   January 2002.

   [2] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)",
   RFC 2409, November 1998.

   [3] S. Kent, R. Atkinson, "Security Architecture for the Internet
   Protocol", RFC 2401, November 1998.

   [4] http://www.ietf.org/html.charters/ipsec-charter.html


7. Informative References

   [5] H. Levkowetz, S. Vaarala, "Mobile IP NAT/NAPT Traversal using
   UDP Tunnelling", draft-ietf-mobileip-nat-traversal-04.txt,
   May 2002.

   [6] A. Huttunen et al., "UDP Encapsulation of IPsec Packets",
   draft-ietf-ipsec-udp-encaps-02.txt, April 2002.

   [7] D. Harkins et al., "Proposal for the IKEv2 Protocol",
   draft-ietf-ipsec-ikev2-02.txt, April 2002.

   [8] K. Egevang, P. Francis, "The IP Network Address Translator
   (NAT)", RFC 1631, May 1994.

   [9] P. Srisuresh, M. Holdrege, "IP Network Address Translator
   (NAT) Terminology and Considerations", RFC 2663, August 1999.

   [10] S. Vaarala, public communication in the mobileip mailing-list,
   <E2EFC3D881823A4CA24022D163D2C4AE2391AB@server.netseal.com>,
   May 2002.

   [11] T. Hain, "Architectural Implications of NAT", RFC 2993,
   November 2000.


8. Author's Address

   Francis Dupont
   ENST Bretagne
   Campus de Rennes
   2, rue de la Chataigneraie
   BP 78
   35512 Cesson-Sevigne Cedex
   FRANCE
   Fax: +33 2 99 12 70 30
   EMail: Francis.Dupont@enst-bretagne.fr

