1. NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005

2. PRESENTATION Introduction NAT IPsec Problems NAT-T NAT-T solution (s) Conclusions

3. INTRODUCTION NAT: NAT is router function that provides the network address translation between private and public IPv4 addresses. IPv4 address space is limited Implementations: Static and dynamic  NAT changes the source IP address of the packet.

4. INTRODUCTION IPsec: IPsec is an Internet standard and a security framework for securing the IP layer traffic. IPsec: Encapsulated Security Payload (ESP) Authentication Header (AH) Modes: Transport, Tunneling Key functionality: Confidentiality of data Authenticity of the sender Integrity of data Replay protection  IPsec is designed to prevent behavior that NAT is performing for packets.

5. INTRODUCTION Tunnel mode: IP header and the payload is encrypted Protection for the whole packet Encapsulated with AH/ESP header and additional IP header IP addresses in outer IP header are the tunnel end points. Transport mode Payload is encrypted Protection of the payload Located between IP header and transport header (TCP/UDP) Default mode for IPsec Used for end-to-end communications

7. INTRODUCTION IKE: Internet Key Exchange for IPsec 1 st phase: SA and key exchange protocol (ISAKMP) establishes the a secure authenticated channel for further negotiation traffic, and defines the SA used during negotiations. 2 nd phase: SA is negotiated used by IPsec. Normal IKE traffic is performed over UDP to port 500. Non-ESP-marker field that allows a recipient to distinguish between UDP encapsulated ESP PDU and an IKE message. IKE includes new payloads Vendor ID: hash value (indicates the capability for NAT-T) NAT-OA (Original Address)

9. Problems: IPsec over NAT 1.AH incompatible with NAT (the whole packet is encrypted, HMAC). 2.NATs cannot update upper-layer checksums 3.IKE UDP port number cannot be changed 4.NATs cannot multiplex IPsec data streams 5.NAT timeout of IKE UDP port mapping can cause problems 6.Identification IKE payload contains IKE embedded IP addresses.

10. NAT-T: UDP encapsulation of IPsec ESP packets ESP: Only payload is encrypted  NAT-T adds a UDP header that encapsulates the ESP header. Functionality: (during initial IPSec negotiation)  If peers has NAT-T capability  NAT router in the middle of the path between the peers  Otherwise normal IPsec operations

11. ENCAPSULATION

12. NAT-T SOLUTIONS 1)A receiving peer gets all required information for verification process of upper- layer checksum (IKE payload: NAT-OA payload). 2)A receiving peer has the original IP address where it can verify the contents of the identification IKE payload during quick mode negotiation. 3)IPsec peers can accept IKE messages from different source port than 500 -> IKE UDP port 4500 is used. 4)NAT router uses the UDP ports for multiplexing of the IPsec data streams. 5)NAT-T introduces keep alive messages.

13. NAT-T PROBLEMS Tunnel mode conflict  Remote peers may negotiate entries that overlap when tunnel mode is used. Transport mode conflict  May occur when two peers behind NAT routers are in communication with same server. Server may get confused which SA is belonging to which client.

14. CONCLUSIONS AH incompatible, ESP can be used. NAT-T solution uses ESP UDP/TCP IPv6 NAT-T working solution with some problems. PATH: Client->NAT->Internet->Server Only supported model NAT-T supported in SP2, disenabled as default.

15. Thank You!