
NAT TRAVERSAL FOR IPSEC


Presentation Transcript


  1. NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005

  2. PRESENTATION • Introduction • NAT • IPsec • Problems • NAT-T • NAT-T solution(s) • Conclusions

  3. INTRODUCTION NAT: • NAT is a router function that provides network address translation between private and public IPv4 addresses. • IPv4 address space is limited. • Implementations: static and dynamic. • NAT changes the source IP address of the packet.

  4. INTRODUCTION IPsec: • IPsec is an Internet standard and a security framework for securing IP-layer traffic. • IPsec protocols: • Encapsulating Security Payload (ESP) • Authentication Header (AH) • Modes: transport, tunnel • Key functionality: • Confidentiality of data • Authenticity of the sender • Integrity of data • Replay protection • IPsec is designed to prevent exactly the kind of packet modification that NAT performs.

  5. INTRODUCTION • Tunnel mode: • IP header and payload are encrypted • Protection for the whole packet • Encapsulated with an AH/ESP header and an additional outer IP header • IP addresses in the outer IP header are the tunnel end points. • Transport mode: • Only the payload is encrypted • Protection of the payload • AH/ESP header is located between the IP header and the transport header (TCP/UDP) • Default mode for IPsec • Used for end-to-end communications

  6. INTRODUCTION IKE: • Internet Key Exchange for IPsec • 1st phase: the SA and key exchange protocol (ISAKMP) establishes a secure, authenticated channel for further negotiation traffic and defines the SA used during negotiations. • 2nd phase: the SA used by IPsec is negotiated. • Normal IKE traffic is carried over UDP to port 500. • Non-ESP marker: a field that allows a recipient to distinguish between a UDP-encapsulated ESP PDU and an IKE message. • IKE includes new payloads: • Vendor ID: hash value (indicates NAT-T capability) • NAT-OA (Original Address)

  7. Problems: IPsec over NAT • AH is incompatible with NAT (the whole packet, IP header included, is covered by the HMAC). • NATs cannot update upper-layer checksums. • The IKE UDP port number cannot be changed. • NATs cannot multiplex IPsec data streams. • NAT timeout of the IKE UDP port mapping can cause problems. • The IKE Identification payload contains embedded IP addresses.

  8. NAT-T: UDP encapsulation of IPsec ESP packets • ESP: only the payload is encrypted • NAT-T adds a UDP header that encapsulates the ESP header. Functionality (decided during the initial IPsec negotiation): • UDP encapsulation is used if both peers have NAT-T capability and • a NAT router is on the path between the peers • Otherwise normal IPsec operation

  9. ENCAPSULATION

  10. NAT-T SOLUTIONS • A receiving peer gets all the information required to verify the upper-layer checksum (IKE NAT-OA payload). • A receiving peer has the original IP address, so it can verify the contents of the IKE Identification payload during quick mode negotiation. • IPsec peers can accept IKE messages from a source port other than 500 -> IKE UDP port 4500 is used. • The NAT router uses the UDP ports to multiplex the IPsec data streams. • NAT-T introduces keepalive messages.
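As an added example (not part of the presentation), the port-4500 framing that slides 6 and 10 rely on, written in Python: the 4-byte Non-ESP marker in front of IKE messages, the SPI/sequence-number start of a UDP-encapsulated ESP packet, and the 1-byte NAT keepalive. The function names and sample packets are this example's own constructions; the framing itself follows RFC 3948.

```python
import struct

# Framing of UDP payloads on the NAT-T port (RFC 3948); names are this example's own.
NAT_T_PORT = 4500                       # IKE and ESP both move here once a NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # 4 zero bytes that precede an IKE message
NAT_KEEPALIVE = b"\xff"                 # 1-byte payload that refreshes the NAT port mapping


def udp_encap_esp(spi: int, seq: int, esp_rest: bytes) -> bytes:
    """UDP payload of a UDP-encapsulated ESP packet: SPI, sequence number, rest of ESP."""
    if spi == 0:
        # SPI 0 is reserved in ESP; a zero first word would be read as the Non-ESP marker.
        raise ValueError("SPI 0 would collide with the Non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_rest


def udp_encap_ike(ike_message: bytes) -> bytes:
    """UDP payload of an IKE message on port 4500: Non-ESP marker, then the IKE message."""
    return NON_ESP_MARKER + ike_message


def classify_nat_t_payload(data: bytes) -> dict:
    """What a UDP payload received on port 4500 carries (the receiver's first check)."""
    if data == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(data) < 8:                   # shorter than SPI + sequence number
        return {"kind": "invalid", "reason": "truncated"}
    if data[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike_message": data[4:]}
    spi, seq = struct.unpack("!II", data[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "esp_rest": data[8:]}


def demo() -> list:
    """Constructed sample traffic, one payload of each type, classified in arrival order."""
    # Constructed 28-byte ISAKMP header: cookies, next payload, version 1.0, exchange, flags, msg id, length
    ike_msg = bytes.fromhex("0011223344556677" "8899aabbccddeeff" "01100200" "00000000" "0000001c")
    packets = [
        NAT_KEEPALIVE,                                   # sent periodically by the peer behind the NAT
        udp_encap_ike(ike_msg),                          # IKE after the float to port 4500
        udp_encap_esp(0x12345678, 1, b"\xaa" * 16),      # ESP data; 0x12345678 is a constructed SPI
    ]
    return [classify_nat_t_payload(p)["kind"] for p in packets]


if __name__ == "__main__":
    print(demo())                        # ['keepalive', 'ike', 'esp']
```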

  11. NAT-T PROBLEMS • Tunnel mode conflict • Remote peers may negotiate entries that overlap when tunnel mode is used. • Transport mode conflict • May occur when two peers behind NAT routers communicate with the same server; the server may get confused about which SA belongs to which client.

  12. CONCLUSIONS • AH is incompatible; ESP can be used. • The NAT-T solution uses ESP • UDP/TCP • IPv6 • NAT-T is a working solution with some problems. • PATH: Client->NAT->Internet->Server • Only supported model • NAT-T supported in SP2, disabled by default.

  13. Thank You!
