[Openswan Users] NAT-T in native stack??
Jacco de Leeuw
jacco2 at dds.nl
Tue May 18 23:17:48 CEST 2004
Paul Wouters wrote:
> The issue with USE_NAT_TRAVERSAL_TRANSPORT_MODE is not wether or not it
> was causing problems in the implementation, but that as a feature, it is
> a security risk. Openswan tends to package with all dangerious options
> disabled, leaving them open for the (hopefully somewhat cluefull) user
> to enable. One such example is 1DES. NAT-traversal in transport mode also
> has security implications. That is why it is disabled.
What I understand of it is that Mathieu Lafon (the author of the NAT-T patch
for FreeS/WAN) wrote that _his particular implementation_ had security
implications in Transport Mode.
Now, I don't know if this issue is located in the kernel part or in the
FreeS/WAN userland part. If it is the latter then it's probably prudent
to keep Transport Mode NAT-T disabled by default.
If there is an inherent problem with NAT-T in Transport Mode, then
we should inform Microsoft, SSH, Safenet, Apple et al. :-)
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
More information about the Users