					 NAT TRAVERSAL FOR IPSEC



Research Seminar on Datacommunications Software
                     HIIT
                  09.11.2005
PRESENTATION


• Introduction
    • NAT
    • IPsec
• Problems
• NAT-T
    • NAT-T solution(s)
• Conclusions
INTRODUCTION

NAT:
• NAT is a router function that translates between private and public IPv4 addresses.
    • Motivation: the IPv4 address space is limited


• Implementations: static and dynamic (most also translate port numbers, i.e. NAPT)


NAT rewrites the source IP address (and, with port translation, the source port) of outgoing
packets, and the destination address of the replies.
INTRODUCTION
IPsec:
• IPsec is an Internet standard security framework for protecting traffic at the IP layer.

• IPsec protocols:
    • Encapsulating Security Payload (ESP)
    • Authentication Header (AH)
    • Modes: transport, tunnel

• Key functionality:
    •   Confidentiality of data
    •   Authenticity of the sender
    •   Integrity of data
    •   Replay protection

 IPsec is designed to detect and reject exactly the kind of packet modification that NAT performs.
INTRODUCTION

• Tunnel mode:
   • The whole original IP packet (header and payload) is protected (encrypted with ESP)
   • Protection for the whole packet
   • Encapsulated with an AH/ESP header and an additional (outer) IP header
   • The IP addresses in the outer IP header are the tunnel end points


• Transport mode:
   • Only the payload is encrypted; the original IP header stays in the clear
   • Protection of the payload
   • The AH/ESP header sits between the IP header and the transport header (TCP/UDP)
   • Default mode for host-to-host IPsec
   • Used for end-to-end communications
INTRODUCTION

IKE:
• Internet Key Exchange for IPsec
    • 1st phase (ISAKMP SA): establishes a secure, authenticated channel for the
      further negotiation traffic, and defines the SA used during the negotiations.
    • 2nd phase (Quick Mode): negotiates the IPsec SAs used for the data traffic.
• Normal IKE traffic is carried over UDP to port 500.
• Non-ESP Marker: four zero bytes after the UDP header that let a recipient distinguish
  an IKE message from a UDP-encapsulated ESP packet arriving on the same port
  (ESP begins with a non-zero SPI; SPI 0 is reserved).


• IKE includes new payloads for NAT-T
    • Vendor ID: a hash value advertising NAT-T capability to the peer
    • NAT-OA (Original Address): the peer's IP address before translation
Problems: IPsec over NAT

1. AH is incompatible with NAT: the AH integrity check (HMAC) covers the IP header,
   including the source and destination addresses, so any address rewrite by a NAT
   invalidates it. (AH does not encrypt anything.)


2. NATs cannot update upper-layer checksums: the TCP/UDP checksum covers the IP addresses
   (pseudo-header) but sits inside the ESP payload, which the NAT cannot read or modify.


3. The IKE UDP port number cannot be changed: implementations expect IKE on UDP port 500
   at both ends, but a NAPT rewrites the source port.


4. NATs cannot multiplex IPsec data streams: ESP carries no port numbers, so a NAPT has
   nothing to map several inner hosts onto one public address with.


5. NAT timeout of the IKE UDP port mapping: an idle mapping expires and the responder's
   packets no longer reach the initiator.


6. The IKE Identification payload may contain embedded IP addresses, which no longer
   match the translated packet header.
NAT-T: UDP encapsulation of IPsec ESP packets

•   ESP: only the payload is encrypted and authenticated; the outer IP header is not covered,
    so an address rewrite does not break ESP.
 NAT-T inserts a UDP header between the IP header and the ESP header.


Functionality (decided during the initial IPsec/IKE negotiation):
1. Both peers have NAT-T capability, and
2. a NAT router is detected in the middle of the path between the peers.
 Otherwise normal IPsec operation is used.
ENCAPSULATION
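The framing described on the previous slides (IP header, then a UDP header on port 4500, then ESP), together with the Non-ESP Marker that separates IKE from ESP on that port, as an added example. This is not code from the original presentation; all addresses, SPIs, cookies and payload bytes are constructed sample values, and the ESP "ciphertext" is a placeholder string rather than output of a real cipher.

```python
"""UDP encapsulation of ESP and the Non-ESP Marker (RFC 3948).

Added example, not from the original slides. Builds IP | UDP(4500) | ESP framing
and shows how a receiver on UDP 4500 tells apart an ESP packet, an IKE message
(prefixed with the Non-ESP Marker) and a NAT-keepalive. Sample values only.
"""
import socket
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: precedes IKE on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one byte, dropped by receiver


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_esp(spi: int, seq: int, encrypted_payload: bytes) -> bytes:
    """ESP header (SPI, sequence number) + payload. SPI 0 is reserved, which
    is what makes a leading zero word unambiguous as a Non-ESP Marker."""
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be non-zero and fit in 32 bits")
    return struct.pack("!II", spi, seq) + encrypted_payload


def build_ikev1_header(init_cookie: bytes, exchange_type: int) -> bytes:
    """Constructed 28-byte ISAKMP header (no payloads). It starts with the
    initiator cookie, which can look like a valid SPI; hence the marker."""
    return struct.pack("!8s8sBBBBII", init_cookie, b"\x00" * 8,
                       1, 0x10, exchange_type, 0, 0, 28)


def ike_on_4500(ike_message: bytes) -> bytes:
    """IKE sent over the NAT-T port carries the Non-ESP Marker first."""
    return NON_ESP_MARKER + ike_message


def udp_encapsulate(inner: bytes, sport: int = NAT_T_PORT,
                    dport: int = NAT_T_PORT) -> bytes:
    """UDP header in front of ESP/IKE. RFC 3948 2.1: the UDP checksum is sent
    as zero and ignored by the receiver; ESP integrity covers the inner data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(inner), 0) + inner


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal IPv4 header (no options, DF set, TTL 64) carrying UDP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, socket.IPPROTO_UDP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def classify_udp4500(udp_payload: bytes) -> str:
    """Receiver-side demultiplexing of a datagram that arrived on UDP 4500."""
    if udp_payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(udp_payload) < 8:
        raise ValueError("too short for ESP or marker+IKE")
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"   # a non-zero first word is an ESP SPI


def decapsulate(packet: bytes):
    """Parse IPv4 + UDP, check it is NAT-T, return (kind, inner bytes)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_UDP or inet_checksum(packet[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4/UDP packet")
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != NAT_T_PORT:
        raise ValueError("not addressed to the NAT-T port")
    payload = packet[ihl + 8:ihl + ulen]
    kind = classify_udp4500(payload)
    return kind, (payload[4:] if kind == "ike" else payload)


if __name__ == "__main__":
    esp = build_esp(0x1234ABCD, 7, b"<ciphertext+ICV>")
    pkt = ipv4_header("203.0.113.5", "198.51.100.10", 8 + len(esp)) + udp_encapsulate(esp)
    print(decapsulate(pkt)[0])
    ike = ike_on_4500(build_ikev1_header(b"\x12\x34\xab\xcd" * 2, 32))
    pkt = ipv4_header("203.0.113.5", "198.51.100.10", 8 + len(ike)) + udp_encapsulate(ike)
    print(decapsulate(pkt)[0])
```

The sample IKE cookie deliberately starts with the same four bytes as the sample SPI: without the Non-ESP Marker the receiver could not tell the two datagrams apart, which is why the marker is mandatory for IKE on port 4500 and why SPI 0 must stay unused.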
NAT-T SOLUTIONS

1) The receiving peer gets the original (pre-NAT) addresses it needs to verify or repair the
   upper-layer checksum (IKE NAT-OA payload).
2) The receiving peer has the original IP address, so it can verify the contents of the
   Identification payload during Quick Mode negotiation.
3) IPsec peers accept IKE messages from a source port other than 500: once a NAT is
   detected, IKE moves to UDP port 4500.
4) The NAT router uses the UDP ports of the encapsulation to multiplex the IPsec data streams.
5) NAT-T introduces NAT-keepalive messages (a single 0xFF byte on UDP 4500) so the NAT
   mapping does not time out.
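Problem 2 and solution 1 worked through, as an added example that is not part of the original slides: a transport-mode TCP segment whose checksum was computed with the client's private address, the verification failure the server's TCP stack would see after the NAT has rewritten the outer source address, and the repair using the original address the IKE NAT-OA payload carries. The incremental update follows RFC 1624; the addresses, ports and payload are constructed samples, and the ESP decryption step is assumed to have already happened.

```python
"""Upper-layer checksum repair with NAT-OA (RFC 3948 3.1.2, transport mode).

Added example, not from the original slides. The TCP checksum inside ESP was
computed over a pseudo-header holding the sender's private address; the NAT
rewrites that address in the outer IP header but cannot touch the encrypted
checksum. The receiver uses the original address from the IKE NAT-OA payload
to fix the checksum incrementally (RFC 1624) before handing the segment to TCP.
Addresses, ports and payload are constructed samples.
"""
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """The IPv4 pseudo-header the TCP checksum covers: addresses, protocol, length."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed SYN segment with a checksum valid for the given addresses."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    seg = hdr + payload
    csum = inet_checksum(tcp_pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    """What the receiving TCP stack does: sum pseudo-header + segment, expect 0."""
    return inet_checksum(tcp_pseudo_header(src, dst, len(seg)) + seg) == 0


def addr_words(ip: str):
    """An IPv4 address as the two 16-bit words the checksum sums."""
    return struct.unpack("!HH", socket.inet_aton(ip))


def fixup_checksum(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), for each replaced 16-bit word."""
    total = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def repair_after_nat(seg: bytes, nat_oa_src: str, received_src: str) -> bytes:
    """Receiver side: the checksum was computed with nat_oa_src (taken from the
    IKE NAT-OA payload); make it valid for received_src (the NAT's address now
    in the IP header) so the local TCP stack accepts the segment."""
    old = struct.unpack("!H", seg[16:18])[0]
    new = fixup_checksum(old, addr_words(nat_oa_src), addr_words(received_src))
    return seg[:16] + struct.pack("!H", new) + seg[18:]


ORIG_SRC = "10.1.2.3"       # client's private address, carried in NAT-OA (sample)
NAT_SRC = "203.0.113.5"     # NAT's public address, seen in the outer IP header (sample)
DST = "198.51.100.10"       # server (sample)


if __name__ == "__main__":
    seg = build_tcp_segment(ORIG_SRC, DST, 40000, 443, b"hello")
    print("verified with NAT-OA address:", tcp_checksum_ok(ORIG_SRC, DST, seg))
    print("verified with NAT'd address :", tcp_checksum_ok(NAT_SRC, DST, seg))
    fixed = repair_after_nat(seg, ORIG_SRC, NAT_SRC)
    print("after NAT-OA fixup          :", tcp_checksum_ok(NAT_SRC, DST, fixed))
```

The second check fails for any two addresses whose 16-bit words do not sum to the same value, which is the concrete form of problem 2; the repaired segment is byte-identical to one whose checksum was computed from scratch with the post-NAT address, so the receiver can hand it to an unmodified TCP stack.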
NAT-T PROBLEMS

• Tunnel mode conflict
  Remote peers may negotiate SA/policy entries that overlap when tunnel mode is used:
  two clients that both use the private address 10.1.2.3, one behind NAT 1 and one behind
  NAT 2, each ask the same server (security gateway) to tunnel traffic for 10.1.2.3.
  [Figure: client 10.1.2.3 behind NAT 1 and client 10.1.2.3 behind NAT 2, both connected to the Server (Security Gateway)]

• Transport mode conflict
  May occur when two peers behind NAT routers communicate with the same server. The server
  may get confused about which SA belongs to which client.
  [Figure: clients 10.1.2.3, 10.1.2.4 and 10.1.2.5 behind NAT 2, all connected to the same Server]
CONCLUSIONS

• AH is incompatible with NAT; ESP can be used.
• The NAT-T solution uses ESP with UDP encapsulation
    • UDP/TCP
    • IPv6


• NAT-T is a working solution with some problems.
    • PATH: Client->NAT->Internet->Server
        • The only supported model


• NAT-T is supported in Windows XP SP2, but disabled by default.
Thank You!

				