NAT TRAVERSAL FOR IPSEC
Research Seminar on Datacommunications Software
HIIT 09.11.2005

PRESENTATION
• Introduction
• NAT
• IPsec
• Problems
• NAT-T
• NAT-T solution(s)
• Conclusions

INTRODUCTION: NAT
• NAT is a router function that provides network address translation between private and public IPv4 addresses.
• The IPv4 address space is limited.
• Implementations: static and dynamic NAT. NAT changes the source IP address of the packet.

INTRODUCTION: IPSEC
• IPsec is an Internet standard and a security framework for securing IP-layer traffic.
• IPsec protocols:
  • Encapsulating Security Payload (ESP)
  • Authentication Header (AH)
• Modes: transport, tunnel
• Key functionality:
  • Confidentiality of data
  • Authenticity of the sender
  • Integrity of data
  • Replay protection
• IPsec is designed to prevent exactly the kind of packet modification that NAT performs.

INTRODUCTION: MODES
• Tunnel mode:
  • The IP header and the payload are encrypted
  • Protection for the whole packet
  • Encapsulated with an AH/ESP header and an additional IP header
  • The IP addresses in the outer IP header are the tunnel end points
• Transport mode:
  • Only the payload is encrypted
  • Protection of the payload
  • The AH/ESP header is located between the IP header and the transport header (TCP/UDP)
  • Default mode for IPsec
  • Used for end-to-end communications

INTRODUCTION: IKE
• Internet Key Exchange for IPsec
• 1st phase: the SA and key exchange protocol (ISAKMP) establishes a secure, authenticated channel for further negotiation traffic and defines the SA used during the negotiations.
• 2nd phase: the SA used by IPsec is negotiated.
• Normal IKE traffic is carried over UDP to port 500.
• A Non-ESP-marker field allows a recipient to distinguish between a UDP-encapsulated ESP PDU and an IKE message.
• IKE includes new payloads:
  • Vendor ID: a hash value that indicates NAT-T capability
  • NAT-OA (Original Address)

PROBLEMS: IPSEC OVER NAT
1. AH is incompatible with NAT (the whole packet is covered by the HMAC).
2. NATs cannot update upper-layer checksums.
3. The IKE UDP port number cannot be changed.
4. NATs cannot multiplex IPsec data streams.
5. NAT timeout of the IKE UDP port mapping can cause problems.
6. The Identification IKE payload contains embedded IP addresses.

NAT-T: UDP ENCAPSULATION OF IPSEC ESP PACKETS
• ESP: only the payload is encrypted.
• NAT-T adds a UDP header that encapsulates the ESP header.
• Functionality (decided during the initial IPsec negotiation); NAT-T is used if:
  1. The peers have NAT-T capability
  2. There is a NAT router in the middle of the path between the peers
• Otherwise normal IPsec operation is used.

ENCAPSULATION
(diagram slide; no text was extracted)

NAT-T SOLUTIONS
1) The receiving peer gets all the information required to verify the upper-layer checksum (IKE payload: NAT-OA payload).
2) The receiving peer has the original IP address, so it can verify the contents of the Identification IKE payload during quick mode negotiation.
3) IPsec peers can accept IKE messages from a source port other than 500 -> IKE UDP port 4500 is used.
4) The NAT router uses the UDP ports for multiplexing the IPsec data streams.
5) NAT-T introduces keep-alive messages.

NAT-T PROBLEMS
• Tunnel mode conflict: remote peers may negotiate entries that overlap when tunnel mode is used.
  (Figure labels: NAT 1, NAT 2, Server (Security Gateway); a client with address 10.1.2.3 behind each NAT)
• Transport mode conflict: may occur when two peers behind NAT routers communicate with the same server. The server may get confused about which SA belongs to which client.
  (Figure labels: NAT 2, Server; client addresses 10.1.2.3, 10.1.2.4, 10.1.2.5)

CONCLUSIONS
• AH is incompatible with NAT; ESP can be used.
• The NAT-T solution uses ESP.
• UDP/TCP
• IPv6
• NAT-T is a working solution with some problems.
• PATH: Client -> NAT -> Internet -> Server is the only supported model.
• NAT-T is supported in SP2, disabled by default.

Thank You!
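Problem 2 (NATs cannot update upper-layer checksums) and solution 1 (the NAT-OA payload) deserve a concrete illustration. The Python below is an added example, not code from the slides: it computes the TCP checksum with the RFC 793 pseudo-header, shows that a server which plugs the NAT-translated source address into that pseudo-header rejects a segment that was encrypted under transport-mode ESP (the NAT never saw the TCP header, so it could not fix the checksum), and that substituting the original address carried in NAT-OA makes the same segment verify. The client address 10.1.2.3 is the one used on the slides; the NAT public address and the server address are constructed documentation-range placeholders, and the TCP segment is constructed, not captured.

```python
"""Why NAT breaks the TCP checksum under transport-mode ESP, and how NAT-OA repairs it."""
import ipaddress
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (pads odd length with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """RFC 793 checksum over pseudo-header (src, dst, zero, protocol, length) + segment."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed TCP segment (sport 40000, dport 80, PSH/ACK) with a correct checksum."""
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src, dst, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload   # bytes 16-17 hold the checksum


def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A segment whose stored checksum is correct sums to 0 over the same pseudo-header."""
    return tcp_checksum(src, dst, segment) == 0


# Constructed addresses: the client's private address is the one on the slides,
# the NAT public address and the server are documentation-range placeholders.
CLIENT_ORIGINAL = "10.1.2.3"
NAT_PUBLIC = "198.51.100.7"
SERVER = "192.0.2.10"
REQUEST = b"GET / HTTP/1.0\r\n\r\n"


def verify_with_outer_header() -> bool:
    """Server verifies using the source address it sees in the (translated) outer IP header.
    The TCP header travelled inside ESP, so the NAT rewrote the IP header but not the checksum."""
    seg = build_segment(CLIENT_ORIGINAL, SERVER, REQUEST)
    return checksum_ok(NAT_PUBLIC, SERVER, seg)


def verify_with_nat_oa(nat_oa: str = CLIENT_ORIGINAL) -> bool:
    """Server substitutes the original address learned from the NAT-OA payload."""
    seg = build_segment(CLIENT_ORIGINAL, SERVER, REQUEST)
    return checksum_ok(nat_oa, SERVER, seg)


if __name__ == "__main__":
    print("checksum with translated address:", verify_with_outer_header())
    print("checksum with NAT-OA address:     ", verify_with_nat_oa())
```

The same mechanism is what solution 2 relies on: once the receiver knows the peer's original address, it can also reconcile the Identification payload that still carries that embedded address.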
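The NAT-T slides describe three things arriving on UDP port 4500: IKE messages prefixed with the Non-ESP marker, UDP-encapsulated ESP packets, and keep-alive messages. The Python below is an added example, not code from the slides, showing how a receiver or a monitoring tool tells them apart and how ESP's replay protection is checked once the SPI and sequence number are extracted. The formats come from RFC 3948 (four zero bytes as the Non-ESP marker, a single 0xFF byte as the keep-alive) and the ESP header layout (SPI, then sequence number); the 64-entry sliding window follows the RFC 4303 scheme. The sample packets are constructed, not captured; the ISAKMP header is a bare IKEv1 header with no payloads.

```python
"""Classify UDP/4500 payloads (NAT-T) and check ESP sequence numbers for replay."""
import struct
from dataclasses import dataclass
from typing import Optional

NAT_T_PORT = 4500                       # IKE and UDP-encapsulated ESP share this port
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948 2.2: four zero bytes before an IKE message
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 2.3: a keep-alive is a single 0xFF byte
ISAKMP_HDR_LEN = 28


@dataclass
class Classified:
    kind: str                           # "ike", "esp", "keepalive" or "invalid"
    spi: Optional[int] = None
    seq: Optional[int] = None
    ike_length: Optional[int] = None
    reason: str = ""


def classify_udp4500_payload(payload: bytes) -> Classified:
    """Decide what a UDP/4500 payload carries. ESP starts with its SPI, and SPI 0 is
    reserved, so four leading zero bytes can only be the Non-ESP marker in front of IKE."""
    if payload == NAT_KEEPALIVE:
        return Classified("keepalive")
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HDR_LEN:
            return Classified("invalid", reason="truncated ISAKMP header")
        # ISAKMP header: I-cookie(8) R-cookie(8) next(1) version(1)
        # exchange(1) flags(1) message-id(4) length(4)
        declared = struct.unpack("!I", ike[24:28])[0]
        if declared != len(ike):
            return Classified("invalid", ike_length=declared,
                              reason="ISAKMP length does not match datagram")
        return Classified("ike", ike_length=declared)
    if len(payload) < 8:
        return Classified("invalid", reason="too short for an ESP header")
    spi, seq = struct.unpack("!II", payload[:8])   # ESP header: SPI, then sequence number
    # The SPI, not the NAT-rewritten UDP port, selects the SA at the receiver (solution 4).
    return Classified("esp", spi=spi, seq=seq)


class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (RFC 4303 style, 64 entries)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set <=> sequence number (top - i) was accepted

    def accept(self, seq: int) -> bool:
        if seq > self.top:                          # newer than anything seen: slide forward
            self.bitmap = (self.bitmap << (seq - self.top)) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                     # older than the window: drop
            return False
        bit = 1 << offset
        if self.bitmap & bit:                       # already accepted: replay
            return False
        self.bitmap |= bit
        return True


def sample_packets() -> dict:
    """Constructed UDP/4500 payloads (not captured traffic)."""
    isakmp = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                         0, 0x10, 2, 0, 0, ISAKMP_HDR_LEN)   # bare IKEv1 header, no payloads
    return {
        "keepalive": NAT_KEEPALIVE,
        "ike": NON_ESP_MARKER + isakmp,
        "esp": struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16,   # SPI, seq, fake ciphertext
        "short_ike": NON_ESP_MARKER + b"\x00" * 10,
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify_udp4500_payload(pkt))
```

A NAT that times out its UDP/4500 mapping (problem 5) is exactly what the keep-alive branch exists for: the one-byte message refreshes the mapping without touching any SA state, so a classifier should count it as benign rather than as a malformed ESP packet.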