Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for December 5, 2013
Deadline scheduling: coming soon?
LWN.net Weekly Edition for November 27, 2013
ACPI for ARM?
LWN.net Weekly Edition for November 21, 2013
FTP with Tcpcrypt vs. NAT
Posted Aug 26, 2010 13:24 UTC (Thu) by djao (subscriber, #4263)
But even when using an authenticated connection, tcpcrypt works with NAT. It accomplishes this feat by not encrypting or authenticating the port numbers. This design allows for some attacks (such as traffic analysis on port numbers), but the tradeoff seems to be worth it. The USENIX paper discusses this issue in some detail.
Posted Aug 26, 2010 13:55 UTC (Thu) by ilmari (subscriber, #14175)
Posted Aug 26, 2010 14:32 UTC (Thu) by djao (subscriber, #4263)
Besides the conference paper, the protocol has been implemented on Windows/Mac/Linux, and the implementation itself is publicly available on the web site under the GPL. The implementation demonstrably works over NAT, and it works with FTP and IRC and DCC and all those other problem cases that you cite. I suggest taking a look at the working implementation rather than arguing about whether or not the software works.
Posted Aug 26, 2010 15:31 UTC (Thu) by bboissin (subscriber, #29506)
some NAT routers modify the TCP *payload* to let active FTP connection work (same for DCC I guess). So if the content is encrypted there's no way for the router to modify the payload.
Posted Aug 26, 2010 15:50 UTC (Thu) by imitev (subscriber, #60045)
Now in the case of NAT, if you want - say - to match RELATED packets with iptables, you need the ftp conntrack helper which will *read* the payload/data for ftp connections (control channel) so that what would be a NEW connection to the data channel on the random port supplied by the ftp server is actually matched by the connection tracking logic, and labelled as RELATED.
Having the headers clear text doesn't help here, you really need to be able to read what's in the payload.
I may be wrong though, it's been a long time I dealt with that stuff.
Posted Aug 26, 2010 16:02 UTC (Thu) by djao (subscriber, #4263)
Posted Aug 26, 2010 17:05 UTC (Thu) by imitev (subscriber, #60045)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds