[Openswan Users] NAT-T in native stack??
Jacco de Leeuw
jacco2 at dds.nl
Tue May 18 23:17:48 CEST 2004
Paul Wouters wrote:
> The issue with USE_NAT_TRAVERSAL_TRANSPORT_MODE is not whether or not it
> was causing problems in the implementation, but that as a feature, it is
> a security risk. Openswan tends to package with all dangerous options
> disabled, leaving them open for the (hopefully somewhat clueful) user
> to enable. One such example is 1DES. NAT-traversal in transport mode also
> has security implications. That is why it is disabled.
What I understand of it is that Mathieu Lafon (the author of the NAT-T patch
for FreeS/WAN) wrote that _his particular implementation_ had security
implications in Transport Mode.
Now, I don't know if this issue is located in the kernel part or in the
FreeS/WAN userland part. If it is the latter then it's probably prudent
to keep Transport Mode NAT-T disabled by default.
If there is an inherent problem with NAT-T in Transport Mode, then
we should inform Microsoft, SSH, Safenet, Apple et al. :-)
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl