
SEC406 IPsec And NATs: Finally In Harmony?
Steve Riley, Product Manager, Security Business Unit, Microsoft Corporation





2 Agenda
- NATs + IPsec clashes to address
- Solution model
- Details
- Scope of applicability
- Product availability
- References

3 NAT + IPsec Clashes. Problem 1: AH violation
[Diagram: packet with AH inserted: Orig IP Hdr | AH Hdr | TCP Hdr | Data. AH header fields: Next Hdr, Payload Len, Rsrv, SecParamIndex, Seq#, Keyed Hash; 24 bytes total. AH is IP protocol 51. Integrity hash coverage: the whole packet except mutable IP header fields. The packet crosses two NATs (NAT1, NAT2), each of which rewrites the IP header.]
- NAT header modification breaks the AH integrity hash

4 NAT + IPsec Clashes. Problem 2: IKE fragments
[Diagram: two machines with machine certificates (Personal store: machine cert; Trusted Root store: CA Cert1, CA Cert2 / CA Cert1, CA Cert3) exchanging IKE through two NATs. Policy on one side: CA1, CA3; on the other: use CA1. IKE exchange: "Request security" / "OK to secure"; SA, VendorID; KE, Nonce; KE, CRPs, Nonce; ID, Cert, Sig, CRPs.]
- Cert payload exceeds IP frame
- IKE generates IP fragments
- NAT (or switch) discards fragment
- Fragment dropping breaks IKE

5 NAT + IPsec Clashes. Problem 3: IPsec tunnel mode "helper" in NAT
[Diagram: PC A and PC B behind one NAT. The NAT keeps a semi-static map "Protocol IPsec to A" after the IKE set-up from PC A; when PC B does its own IKE set-up, the return path still goes to PC A.]
NAT helper issues:
- Designed only for tunnel mode but acts on transport mode
- Blocks multiple IPsec sessions; the first initiator gets all IPsec

6 IETF Process And Status
Microsoft:
- Approached IETF and other vendors
- Developed solution and collaborated with other vendors
IETF and other vendors:
- Agreed a solution was needed but disregarded the fragment issue
- Converged on draft02 as near final
Microsoft:
- Developed draft02 and interop tested with others
- Added fragment support to meet customer needs
IETF:
- Draft02 progressed and updated some
- In editor's queue for RFC number assignment

7 Solution Model
- Detect NAT presence
- Move dialog to a NAT'able port, away from the IPsec helper
- Encapsulate IPsec in UDP with smart dynamic port number management
- Prevent IP fragments (Microsoft)

8 IPsec Over NAT Solution. Main Mode Set-up: discover what NAT-T support each side does
Topology used on slides 8 to 19: A behind NAT N1, B behind NAT N2. Static map on N2: N2,500 -> B,500 and N2,4500 -> B,4500. Note: port 500 = IKE.
A initiates IKE to "N2" (B), advertising NAT-T, MS-Frag and MS-Non500:
- A -> N1: UDP src 500, dst 500; IP A -> N2; NAT-T, MS-Frag, MS-Non500
- N1 -> N2: UDP src 7777, dst 500; IP N1 -> N2; NAT-T, MS-Frag, MS-Non500 (N1 rewrote source address and port)
- N2 -> B: UDP src 7777, dst 500; IP N1 -> B; NAT-T, MS-Frag, MS-Non500 (N2 rewrote the destination via the static map)

9 IPsec Over NAT Solution. Main Mode Set-up: discover what NAT-T support each side does
B replies to "N1" (A):
- B -> N2: UDP src 500, dst 7777; IP B -> N1; NAT-T, MS-Frag, MS-Non500
- N2 -> N1: UDP src 500, dst 7777; IP N2 -> N1; NAT-T, MS-Frag, MS-Non500
- N1 -> A: UDP src 500, dst 500; IP N2 -> A; NAT-T, MS-Frag, MS-Non500

10 IPsec Over NAT Solution. Main Mode Set-up: discover NATs are in the middle
A sends NAT info ("I'm A, You're N2") to N2:
- A -> N1: UDP src 500, dst 500; IP A -> N2; "I'm A, You're N2"
- N1 -> N2: UDP src 7777, dst 500; IP N1 -> N2; "I'm A, You're N2"
- N2 -> B: UDP src 7777, dst 500; IP N1 -> B; "I'm A, You're N2"
B's note to self: "I'm behind a NAT (N2). N1 is really A…"

11 IPsec Over NAT Solution. Main Mode Set-up: discover NATs are in the middle
B replies to "N1" (A) with "I'm B, You're N1":
- B -> N2: UDP src 500, dst 7777; IP B -> N1; "I'm B, You're N1"
- N2 -> N1: UDP src 500, dst 7777; IP N2 -> N1; "I'm B, You're N1"
- N1 -> A: UDP src 500, dst 500; IP N2 -> A; "I'm B, You're N1"
A's note to self: "I'm behind NAT N1. N2 is really B…"

12 IPsec Over NAT Solution. Main Mode Set-up: avoid fragments and move to 4500
A sends ID info (ID, Cert, Sig) as IKE fragments 1, 2, …:
- A -> N1: UDP src 4500, dst 4500; IP A -> N2; ID, Cert, Sig
- N1 -> N2: UDP src 8888, dst 4500; IP N1 -> N2; ID, Cert, Sig
- N2 -> B: UDP src 8888, dst 4500; IP N1 -> B; ID, Cert, Sig

13 IPsec Over NAT Solution. Main Mode Set-up: avoid fragments and move to 4500
B replies to "N1" (A) as IKE fragments 1, 2, …:
- B -> N2: UDP src 4500, dst 8888; IP B -> N1; ID, Cert, Sig
- N2 -> N1: UDP src 4500, dst 8888; IP N2 -> N1; ID, Cert, Sig
- N1 -> A: UDP src 4500, dst 8888; IP N2 -> A; ID, Cert, Sig

14 NAT + IPsec Solution. UDP encapsulation: sending data
[Diagram: the AH packet from slide 3 (Orig IP Hdr | AH Hdr | TCP Hdr | Data, AH header of 24 bytes, IP protocol 51, integrity hash over everything except mutable IP header fields) redrawn with ESP inserted in place of AH: Orig IP Hdr | ESP Hdr | TCP Hdr | Data, still crossing two NATs.]

15 NAT + IPsec Solution. UDP encapsulation: sending data
[Diagram: a UDP header (src 4500, dst 4500) plus 8 bytes of 0x00 is inserted between the original IP header and ESP: Orig IP Hdr | UDP 4500,4500 | 8 bytes 0x00 | ESP | rest… Each NAT rewrites the IP header and the UDP source port (shown as "src XXX, dst XXX"), leaving the ESP payload untouched.]
B's note to self: "N1 is really A… Find SA for A B & fix"

16 IPsec Over NAT Solution. Send data
A sends data:
- A -> N1: UDP src 4500, dst 4500; IP A -> N2; 8 bytes 0x00 | ESP | …rest of IPsec packet
- N1 -> N2: UDP src 8888, dst 4500; IP N1 -> N2; 8 bytes 0x00 | ESP | …rest of IPsec packet
- N2 -> B: UDP src 8888, dst 4500; IP N1 -> B; 8 bytes 0x00 | ESP | …rest of IPsec packet
B's note to self: "N1 is really A… Find SA for A B"
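The NAT detection of slides 10 and 11 (each peer hashes the addresses it believes are in use, the receiver compares against what it actually sees) and the port-4500 receive path of slides 15 and 16 (8 zero bytes in front of ESP), as an added Python example that is not part of the deck. The NAT-D hash construction HASH(CKY-I | CKY-R | IP | port) and the choice of SHA-1 are taken from the NAT-T draft rather than from the slides, and every address, port and cookie is constructed.

```python
import hashlib
import socket
import struct

# Constructed topology from the slides: A behind NAT N1, B behind NAT N2
# (N2 statically maps ports 500/4500 to B). All values are made up.
A, N1, N2, B = "10.0.0.5", "198.51.100.7", "203.0.113.9", "192.168.1.2"
CKY_I = bytes.fromhex("0123456789abcdef")   # constructed IKE cookies
CKY_R = bytes.fromhex("fedcba9876543210")
NON_IKE_MARKER = b"\x00" * 8                # the "8 bytes 0x00" of slides 15/16

def nat_d(cky_i, cky_r, ip, port):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | port).
    Assumption: SHA-1 is the negotiated IKE hash (formula from the draft)."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()

def detect_nats(peer_self_hash, peer_view_of_me_hash, seen_src, seen_dst):
    """Receiver-side check behind the "note to self" on slides 10/11.
    peer_self_hash: peer's hash of its own address ("I'm A").
    peer_view_of_me_hash: peer's hash of the address it sent to ("You're N2").
    seen_src/seen_dst: (ip, port) observed on the packet as received.
    Returns (peer_behind_nat, i_am_behind_nat)."""
    # Source we see differs from what the peer claims -> peer is NATed.
    peer_natted = peer_self_hash != nat_d(CKY_I, CKY_R, *seen_src)
    # Peer addressed something other than our real address -> we are NATed.
    me_natted = peer_view_of_me_hash != nat_d(CKY_I, CKY_R, *seen_dst)
    return peer_natted, me_natted

def demux_4500(udp_payload):
    """Classify a UDP/4500 payload in the draft-02 layout the slides draw:
    8 leading zero bytes mean UDP-encapsulated ESP (strip them, read SPI and
    sequence number); anything else is an IKE header, whose 8-byte initiator
    cookie is never all zero."""
    if udp_payload.startswith(NON_IKE_MARKER):
        spi, seq = struct.unpack("!II", udp_payload[8:16])
        return ("ESP", spi, seq)
    return ("IKE", udp_payload[:8], None)

def run_example():
    # B receives A's main-mode packet via N1 (src N1:7777) and N2 (dst B:500).
    nat_flags = detect_nats(nat_d(CKY_I, CKY_R, A, 500),
                            nat_d(CKY_I, CKY_R, N2, 500),
                            seen_src=(N1, 7777), seen_dst=(B, 500))
    esp_pkt = NON_IKE_MARKER + struct.pack("!II", 0x1000, 1) + b"\xaa" * 16
    ike_pkt = CKY_I + CKY_R + b"\x00" * 12
    return nat_flags, demux_4500(esp_pkt), demux_4500(ike_pkt)

if __name__ == "__main__":
    print(run_example())
```

Run stand-alone, it reports (True, True) for the two-NAT topology of the slides: B learns both that A is behind a NAT and that B itself is.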

17 IPsec Over NAT Solution. UDP Encapsulation: Implementation Detail—Path MTU
[Diagram: IP | UDP src 4500, dst 4500 | 8 bytes 0x00 | ESP | …rest of IPsec packet]
- Increased packet size may generate a Path MTU size error
- L2TP receives the PMTU error and corrects
- General PMTU correction needed for non-L2TP traffic
- Microsoft implementations:
  - For clients, met the goal of making RAS VPN work
  - No general solution for now
  - For Windows Server 2003, the general case is covered
  - Done for server-to-server scenarios (e.g. DC-DC)

18 IPsec Over NAT Solution. Quick mode
A sends quick mode (UDP-ESP options) as IKE fragments 1, 2, …:
- A -> N1: UDP src 4500, dst 4500; IP A -> N2; UDP-ESP options
- N1 -> N2: UDP src 8888, dst 4500; IP N1 -> N2; UDP-ESP options
- N2 -> B: UDP src 8888, dst 4500; IP N1 -> B; UDP-ESP options

19 IPsec Over NAT Solution. Main Mode Set-up: avoid fragments and move to 4500
B replies to "N1" (A) as IKE fragments 1, 2, …:
- B -> N2: UDP src 4500, dst 8888; IP B -> N1; UDP-ESP selections
- N2 -> N1: UDP src 4500, dst 8888; IP N2 -> N1; UDP-ESP selections
- N1 -> A: UDP src 4500, dst 8888; IP N2 -> A; UDP-ESP selections
One more mutual exchange of new hash…

20 IPsec NAT Traversal Status
- Driven by need for remote access over IPsec-based VPNs
- Implemented to IETF Proposed Standard (Draft-02)
- Interoperability tested with 3rd party gateways for L2TP/IPsec
- Intended for L2TP/IPsec in Windows XP and earlier
- Intended for all IPsec usages in Windows Server 2003
Operating system support:

OS Version          | L2TP/IPsec Support | General IPsec Transport Mode Support
Windows Server 2003 | Yes                | Yes (note 4)
Windows XP          | Yes (note 1)       | Not recommended (note 5)
Windows 2000        | Yes (note 2)       | No
Windows NT4         | Yes (note 3)       | No
Windows 98/Me       | Yes (note 3)       | No

Note 1: Windows Update or QFE
Note 2: QFE
Note 3: With web download
Note 4: Active FTP will not work
Note 5: Some PMTU reductions do not work

21 Standards Status
- Draft-02 was the best available during the ship time-windows
  - Microsoft and others have implemented it
  - Usable now
- RFC version in review now
  - Changes some minor details in standard numbers
  - Microsoft will adopt it in future releases

22 References
- IETF NAT Traversal Draft
  - Negotiation of NAT-Traversal in the IKE: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt
- Other relevant IETF NAT-T information
  - IPsec-NAT Compatibility Requirements: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-04.txt
  - UDP Encapsulation of IPsec Packets: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-06.txt
- Windows 98/ME/NT4 NAT-T web download
  - http://download.microsoft.com/download/win98/Install/1.0/W9XNT4Me/EN-US/msl2tp.exe
- General information
  - http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/cableguy/cg0502.asp
  - http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

23 Next steps
- Eliminate NAT as a barrier for L2TP+IPsec VPN deployment
- Plan to migrate away from 9x/NT and PPTP to XP and IPsec with NAT-T

24 Community Resources
- Newsgroups
  - microsoft.public.win2000.security

25 Ask The Experts: Get Your Questions Answered
- Talk one-on-one with a community of your peers
  - Community experts: Microsoft product teams, consultants and Tech*Ed speakers
  - Resources: whiteboards, internet, etc.
  - Location: in the middle of the Exhibit Hall
  - Hours: at least 12-3:30p every day
I will be available in the ATE area after this session.

26 Suggested Reading And Resources
- Microsoft Press books are 20% off at the TechEd Bookstore and also at the Ask the Experts area in the Expo Hall
- Visit Amazon.com today to receive 40% off selected titles
The tools you need to put technology to work!

Title                                                                 | Available | Price
Microsoft® Windows® Security Resource Kit: 0-7356-1868-2              | Today     | $49.99
Microsoft® Windows® Server 2003 Administrator's Companion: 0-7356-1367-2 | Today     | $69.99

27 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

