Message-ID: <20090122094150.GB14491@gondor.apana.org.au>
Date:	Thu, 22 Jan 2009 20:41:50 +1100
From:	Herbert Xu <herbert@...dor.apana.org.au>
To:	Timo Teräs <timo.teras@....fi>
Cc:	David Miller <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH] af_key: parse and send SADB_X_EXT_NAT_T_OA extension

On Thu, Jan 22, 2009 at 11:24:41AM +0200, Timo Teräs wrote:
>
> In DMVPN/GRE case, the NAT-OA from IPsec would not be used
> unless the NAT-OA is set on neighbour cache. This would not
> happen unless NHRP can authenticate it. In DMVPN case you need
> a valid certificate to give the random NAT-OA in any case. So
> if you lie about your NAT-OA I can just revoke you.

I don't see how NHRP authentication would help if the attacker
takes over someone else's address and causes packets for the
third party to go to it.

As to revoking the attacker's access, that's like saying "I'll
run an open telnet port but if you try to sniff my password I'll
revoke your access" :)

> Or do you have, other recommendations how to distinguish peers
> behind same public IP than NAT-OA? Maybe we add the certificate
> subject to xfrm state and neighbour cache. And use that?

Yes I think that is a much better solution for this.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt