SEC406
IPsec and NAT-T: Finally in harmony?
Steve Riley
Microsoft Corporation
Agenda
NATs + IPSec clashes to fix
Solution model
Details
Scope of applicability
Product availability
References
NAT + IPSec Clashes
Problem 1: AH Violation
[Figure: a packet Orig IP Hdr | TCP Hdr | Data crosses a NAT. AH inserts its header after the IP header: Orig IP Hdr | AH Hdr | TCP Hdr | Data. The AH header (IP protocol 51, 24 bytes total) carries Next Hdr, Payload Len, Rsrv, SecParamIndex, Seq# and a 12-byte Keyed Hash. Integrity hash coverage: the whole packet, including the IP header except its mutable fields.]
NAT header modification breaks the AH integrity hash: the source (or destination) address the NAT rewrites is one of the immutable IP header fields the hash covers, so the receiver's recomputed hash can never match.
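Added example, not from the deck or from Microsoft's IPsec implementation: a minimal transport-mode AH and ESP builder that reproduces the slide's point. The AH integrity value is HMAC-SHA1-96 over the IP header with the mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, so a NAT's source-address rewrite breaks it, while ESP's integrity value never covers the outer IP header and survives the same rewrite. Key, addresses and payload are constructed; the ESP packet is integrity-only (no encryption) so the two cases compare directly.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed values: not a real SA key, RFC 5737 documentation addresses.
AUTH_KEY = b"constructed-demo-key-not-a-real-sa-key"
IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
ICV_LEN = 12   # HMAC-SHA1-96 (RFC 2404): the 12-byte keyed hash in the slide's 24-byte AH header


def ip_checksum(hdr20):
    s = sum(struct.unpack("!10H", hdr20))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options, checksum filled in."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl,
                              proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed))
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def zero_mutable(ip_hdr):
    """RFC 2402 rule: TOS, flags/fragment offset, TTL and checksum count as zero for the
    hash; addresses, length, ID and protocol are immutable and are hashed as sent."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def icv(data):
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_packet(src, dst, payload, spi=0x1000, seq=1):
    """Transport-mode AH: IP | AH (next hdr, payload len, rsrv, SPI, seq, ICV) | payload."""
    ip = ipv4_header(src, dst, IPPROTO_AH, 20 + 24 + len(payload))
    ah_fixed = struct.pack("!BBHII", IPPROTO_TCP, (24 // 4) - 2, 0, spi, seq)
    mac = icv(zero_mutable(ip) + ah_fixed + bytes(ICV_LEN) + payload)  # ICV field hashed as zeros
    return ip + ah_fixed + mac + payload


def ah_verify(pkt):
    ip, ah_fixed, mac, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv(zero_mutable(ip) + ah_fixed + bytes(ICV_LEN) + payload), mac)


def esp_packet(src, dst, payload, spi=0x2000, seq=1):
    """Transport-mode ESP, integrity only: IP | SPI, seq | payload | pad, pad len, next hdr | ICV.
    The ICV covers nothing in front of the SPI, so the outer IP header is free to change."""
    pad = (-(len(payload) + 2)) % 4
    esp = struct.pack("!II", spi, seq) + payload + bytes(pad) + bytes([pad, IPPROTO_TCP])
    ip = ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp) + ICV_LEN)
    return ip + esp + icv(esp)


def esp_verify(pkt):
    return hmac.compare_digest(icv(pkt[20:-ICV_LEN]), pkt[-ICV_LEN:])


def nat_rewrite_src(pkt, new_src):
    """What a NAT does on the way out: new source address, TTL decrement, checksum fix-up.
    It never touches anything past the IP header."""
    h = bytearray(pkt[:20])
    h[12:16] = IPv4Address(new_src).packed
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def demo():
    payload = b"constructed TCP segment"
    ah = ah_packet("10.0.0.5", "192.0.2.10", payload)
    esp = esp_packet("10.0.0.5", "192.0.2.10", payload)
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_src(ah, "203.0.113.7")),
        "esp_before_nat": esp_verify(esp),
        "esp_after_nat": esp_verify(nat_rewrite_src(esp, "203.0.113.7")),
    }
```

The TTL decrement alone would not matter to AH (TTL is mutable and hashed as zero); it is the address rewrite that kills it. The ESP result also shows why the rest of this deck encapsulates ESP rather than AH.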
NAT + IPSec Clashes
Problem 2: IKE Fragments
[Figure: IKE main mode between two machines through a NAT. Exchange: "Request security" / "OK to secure"; SA, VendorID in both directions; KE, Nonce / KE, CRPs, Nonce; then ID, Cert, Sig, CRPs (CRPs = certificate request payloads). Each side holds a personal machine cert and a trusted-root store (CA Cert1 and CA Cert2 on one side, CA Cert1 and CA Cert3 on the other); one side's policy says "Use CA1", the other's lists CA1 and CA3.]
• Cert payload exceeds the IP frame
• IKE generates IP fragments
• NAT (or switch) discards the fragments
Fragment dropping breaks IKE
NAT + IPSec Clashes
Problem 3: IPSec tunnel mode "helper" in NAT
[Figure: PC A and PC B sit behind the same NAT. "IKE set-up PC A" makes the helper install a semi-static NAT map entry, "Protocol IPSec to A"; when "IKE set-up PC B" follows, the return path for B's IPSec traffic is still delivered to PC A.]
NAT Helper Issues:
• Designed only for tunnel mode, but acts on transport mode
• Blocks multiple IPSec sessions; the first initiator gets all IPSec (ESP carries no port numbers, so the helper can map IP protocol 50 to only one inside host)
IETF Process and Status
Microsoft: approached the IETF and other vendors; developed a solution and collaborated with other vendors
IETF and other vendors: agreed a solution was needed but disregarded the fragment issue; converged on draft-02 as near final
Microsoft: developed draft-02 and interop-tested with others; added fragment support to meet customer needs
IETF: draft-02 progressed and was updated somewhat; now in the editor's queue for RFC number assignment
Solution Model
Detect NAT presence
Move the dialog to a NAT'able port, away from the IPSec helper
Encapsulate IPSec in UDP with smart dynamic port number management
Prevent IP fragments (Microsoft)
IPSec over NAT Solution
Main Mode Set-up: Discover what NAT-T support each side does
[Figure: A sits behind NAT N1; B sits behind NAT N2, which has a static map N2:500 -> B:500 and N2:4500 -> B:4500. Port 500 = IKE. A initiates IKE to "N2" (B).]
A -> N1: src A, dst N2, UDP src 500, dst 500; Vendor IDs: NAT-T, MS-Frag, 4500/udp
N1 -> N2: src N1, dst N2, UDP src 7777, dst 500; same payloads (N1 rewrote the source address and port)
N2 -> B: src N1, dst B, UDP src 7777, dst 500; same payloads (N2's static map rewrote the destination)

Main Mode Set-up: Discover what NAT-T support each side does (continued)
[Figure: B replies to "N1" (A).]
B -> N2: src B, dst N1, UDP src 500, dst 7777; Vendor IDs: NAT-T, MS-Frag, 4500/udp
N2 -> N1: src N2, dst N1, UDP src 500, dst 7777; same payloads
N1 -> A: src N2, dst A, UDP src 500, dst 500; same payloads (N1 mapped port 7777 back to 500)

Main Mode Set-up: Discover NATs are in the middle
[Figure: A sends its NAT info (NAT-D payloads) to N2: "I'm A, you're N2".]
A -> N1: src A, dst N2, UDP src 500, dst 500; "I'm A, you're N2"
N1 -> N2: src N1, dst N2, UDP src 7777, dst 500; "I'm A, you're N2"
N2 -> B: src N1, dst B, UDP src 7777, dst 500; "I'm A, you're N2"
B's note to self: "I'm behind a NAT (N2). N1 is really A…"

Main Mode Set-up: Discover NATs are in the middle (continued)
[Figure: B replies to "N1" (A): "I'm B, you're N1".]
B -> N2: src B, dst N1, UDP src 500, dst 7777; "I'm B, you're N1"
N2 -> N1: src N2, dst N1, UDP src 500, dst 7777; "I'm B, you're N1"
N1 -> A: src N2, dst A, UDP src 500, dst 500; "I'm B, you're N1"
A's note to self: "I'm behind NAT N1. N2 is really B…"
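Added example, not from the deck or from Microsoft's implementation, covering the two discovery steps on the preceding slides: the NAT-T Vendor ID check (messages 1 and 2) and the NAT-D hash comparison that lets B conclude "I'm behind N2, N1 is really A". It follows the rules as written in RFC 3947, the finished form of the nat-t-ike draft this deck references: the Vendor ID is the MD5 of the specification's name, and each NAT-D payload is HASH(CKY-I | CKY-R | IP | Port) with the SA's negotiated hash. SHA-1 as that hash, the cookies, the topology and all addresses are constructed.

```python
import hashlib
import struct
from ipaddress import IPv4Address

# Vendor ID strings whose MD5 advertises NAT-T. Both spellings of the draft-02 name
# were in circulation; a real implementation lists whichever variants it speaks.
NAT_T_VID_NAMES = (
    "RFC 3947",
    "draft-ietf-ipsec-nat-t-ike-03",
    "draft-ietf-ipsec-nat-t-ike-02\n",
    "draft-ietf-ipsec-nat-t-ike-02",
)


def vendor_id(name):
    return hashlib.md5(name.encode("ascii")).digest()


def nat_t_variant(peer_vids):
    """Pick the NAT-T variant both sides speak: first name in our preference order whose
    Vendor ID the peer sent in message 1/2, else None (no NAT-T with this peer)."""
    for name in NAT_T_VID_NAMES:
        if vendor_id(name) in peer_vids:
            return name
    return None


def nat_d(cky_i, cky_r, ip, port, hashfn=hashlib.sha1):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), port as 16 bits network order.
    SHA-1 is an assumption; the real hash is whatever the SA negotiated."""
    return hashfn(cky_i + cky_r + IPv4Address(ip).packed + struct.pack("!H", port)).digest()


def nat_d_payloads(cky_i, cky_r, peer, local_addrs):
    """What a sender puts in message 3/4: first the peer's address as the sender knows
    it ("you're N2"), then the sender's own address(es) ("I'm A")."""
    return [nat_d(cky_i, cky_r, *peer)] + [nat_d(cky_i, cky_r, *a) for a in local_addrs]


def detect_nat(cky_i, cky_r, received, observed_src, my_addr):
    """Receiver's check. received[0] is the peer's hash of *my* address: if it differs
    from my real address, I am behind a NAT. received[1:] are the peer's own addresses:
    if none matches the packet's observed source, the peer is behind a NAT."""
    me_behind_nat = nat_d(cky_i, cky_r, *my_addr) != received[0]
    peer_behind_nat = nat_d(cky_i, cky_r, *observed_src) not in received[1:]
    return {"me_behind_nat": me_behind_nat,
            "peer_behind_nat": peer_behind_nat,
            "use_udp_encapsulation": me_behind_nat or peer_behind_nat}


def demo():
    """Constructed topology from the slides: A 10.0.0.5 behind N1 203.0.113.7 (port 500
    mapped to 7777); B 192.168.1.10 behind N2 198.51.100.2 with a static 500 -> 500 map."""
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))
    # A sends "I'm A, you're N2"; the packet reaches B from N1:7777 at B's own address.
    a_to_b = nat_d_payloads(cky_i, cky_r, peer=("198.51.100.2", 500),
                            local_addrs=[("10.0.0.5", 500)])
    at_b = detect_nat(cky_i, cky_r, a_to_b,
                      observed_src=("203.0.113.7", 7777), my_addr=("192.168.1.10", 500))
    # Control: two public hosts with nothing in between.
    direct = nat_d_payloads(cky_i, cky_r, peer=("198.51.100.9", 500),
                            local_addrs=[("203.0.113.9", 500)])
    no_nat = detect_nat(cky_i, cky_r, direct,
                        observed_src=("203.0.113.9", 500), my_addr=("198.51.100.9", 500))
    # Constructed message-1 Vendor ID set: the peer advertises RFC 3947 NAT-T plus an unrelated VID.
    peer_vids = {vendor_id("RFC 3947"), b"\x00" * 16}
    return {"variant": nat_t_variant(peer_vids), "at_b": at_b, "no_nat": no_nat}
```

Hashing the addresses rather than sending them in the clear is what lets the check work with nothing new for a NAT to rewrite; the receiver only ever compares a hash of what it actually sees against what the peer claims.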
IPSec over NAT Solution
Main Mode Set-up: Avoid Fragments and Move to 4500
[Figure: A sends its ID info. Both sides move from port 500 to 4500 (N2's static map covers 4500 as well), and the large ID, Cert, Sig message travels as IKE fragments 1, 2, … instead of IP fragments.]
A -> N1: src A, dst N2, UDP src 4500, dst 4500; ID, Cert, Sig as IKE Frag 1, 2, …
N1 -> N2: src N1, dst N2, UDP src 8888, dst 4500; ID, Cert, Sig as IKE Frag 1, 2, …
N2 -> B: src N1, dst B, UDP src 8888, dst 4500; ID, Cert, Sig as IKE Frag 1, 2, …

Main Mode Set-up: Avoid fragments and move to 4500 (continued)
[Figure: B replies to "N1" (A).]
B -> N2: src B, dst N1, UDP src 4500, dst 8888; ID, Cert, Sig as IKE Frag 1, 2, …
N2 -> N1: src N2, dst N1, UDP src 4500, dst 8888; ID, Cert, Sig as IKE Frag 1, 2, …
N1 -> A: src N2, dst A, UDP src 4500, dst 4500; ID, Cert, Sig as IKE Frag 1, 2, … (N1 mapped port 8888 back to 4500)
NAT + IPSec Solution
UDP Encapsulation: Sending Data
[Figure: Orig IP Hdr | TCP Hdr | Data. ESP is inserted: Orig IP Hdr | ESP Hdr | TCP Hdr | Data. Then a UDP header is inserted in front of ESP. Sent by A: Orig IP Hdr | UDP src 4500, dst 4500 | ESP Hdr | Rest… Received by B: Orig IP Hdr | UDP src XXX, dst 4500 | ESP Hdr | Rest… (XXX is whatever source port the NATs chose). B strips the UDP header and hands the ESP packet to normal IPsec processing.]
The header field list shown in the figure (Next Hdr, Payload Len, Rsrv, SecParamIndex, Seq#, Keyed Hash, "AH is IP protocol 51", 24 bytes total) is carried over from the AH figure in Problem 1. ESP is IP protocol 50; its header is just SecParamIndex and Seq#, its integrity value sits at the end of the packet, and its integrity coverage starts at the ESP header, so the outer IP header a NAT rewrites is never covered. That is why the solution encapsulates ESP, not AH.
B's note to self: "N1 is really A… Find SA for A<->B & fix"
IPSec over NAT Solution
Send Data
[Figure: A behind NAT N1; B behind NAT N2 with the static map N2:500 -> B:500 and N2:4500 -> B:4500. A sends data.]
A -> N1: src A, dst N2, UDP src 4500, dst 4500; ESP …rest of IPsec packet
N1 -> N2: src N1, dst N2, UDP src 8888, dst 4500; ESP …rest of IPsec packet
N2 -> B: src N1, dst B, UDP src 8888, dst 4500; ESP …rest of IPsec packet
B's note to self: "N1 is really A… Find SA for A<->B"
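Added example, not from the deck or from Microsoft's implementation, of B's side of the two preceding slides: take a datagram off UDP/4500, tell NAT-keepalive, IKE and ESP apart, find the SA by SPI, authenticate, and only then record the NAT-rewritten source (N1:8888) as the peer endpoint so replies go back through the same mapping. Constants and the demux rule are those of RFC 3948 and RFC 3947, the finished form of the udp-encaps and nat-t-ike drafts cited at the end of this deck. HMAC-SHA1-96 as the SA's integrity algorithm, the key, the SPI and the addresses are constructed, and the ESP body is integrity-only with its trailer folded into the opaque payload.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes IKE on 4500; an ESP SPI of zero is reserved
NAT_KEEPALIVE = b"\xff"                 # one-byte datagram that only refreshes the NAT mapping
ICV_LEN = 12                            # HMAC-SHA1-96, assumed as the SA's integrity algorithm
IKE_HDR = struct.Struct("!8s8sBBBBII")  # CKY-I, CKY-R, next payload, version, exchange, flags, msg id, length


def classify_udp4500(payload):
    """Demultiplex the body of a UDP/4500 datagram into keepalive, IKE or ESP."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", {}
    if len(payload) < 8:
        raise ValueError("too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        if len(payload) < 4 + IKE_HDR.size:
            raise ValueError("truncated IKE header")
        cky_i, cky_r, _np, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(payload, 4)
        return "ike", {"cky_i": cky_i, "cky_r": cky_r, "version": ver, "exchange": exch,
                       "flags": flags, "msg_id": msg_id, "length": length}
    spi, seq = struct.unpack_from("!II", payload)
    return "esp", {"spi": spi, "seq": seq}


def udp_encapsulate(src_port, dst_port, body):
    """8-byte UDP header in front of the ESP packet; checksum sent as zero (RFC 3948)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(body), 0) + body


def build_esp(spi, seq, auth_key, payload):
    """Integrity-only ESP for the demo: SPI | Seq | payload | ICV."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]


@dataclass
class InboundSA:
    spi: int
    auth_key: bytes
    peer: tuple          # (ip, port) we send to and expect from; a NAT may change it
    highest_seq: int = 0


class NatTReceiver:
    def __init__(self):
        self.sas = {}

    def add_sa(self, sa):
        self.sas[sa.spi] = sa

    def receive(self, observed_src, datagram):
        """observed_src is the (ip, port) the datagram actually came from on the wire."""
        _sport, dport, ulen, _csum = struct.unpack_from("!HHHH", datagram)
        if dport != NAT_T_PORT or ulen > len(datagram):
            raise ValueError("not a well-formed NAT-T datagram")
        kind, info = classify_udp4500(datagram[8:ulen])
        if kind != "esp":
            return kind, info
        sa = self.sas.get(info["spi"])
        if sa is None:
            return "esp", {"status": "no-sa", "spi": info["spi"]}
        esp = datagram[8:ulen]
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        if not hmac.compare_digest(hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN], icv):
            return "esp", {"status": "bad-icv", "spi": sa.spi}
        if info["seq"] <= sa.highest_seq:
            return "esp", {"status": "replay", "spi": sa.spi}
        sa.highest_seq = info["seq"]
        # Only after the packet authenticated: adopt the (possibly NAT-rewritten) source as the
        # peer endpoint. Doing this before the ICV check would let anyone redirect the SA.
        moved = observed_src != sa.peer
        sa.peer = observed_src
        return "esp", {"status": "ok", "spi": sa.spi, "peer": sa.peer,
                       "peer_updated": moved, "payload": body[8:]}


def demo():
    """A (10.0.0.5) behind N1 (203.0.113.7) sends to B; N1 rewrites the source to 203.0.113.7:8888."""
    key = b"constructed-demo-auth-key"
    b = NatTReceiver()
    b.add_sa(InboundSA(spi=0x1000, auth_key=key, peer=("10.0.0.5", 4500)))  # what A called itself
    src = ("203.0.113.7", 8888)
    wire = udp_encapsulate(8888, 4500, build_esp(0x1000, 1, key, b"constructed inner segment"))
    results = {"first": b.receive(src, wire), "replay": b.receive(src, wire)}
    results["keepalive"] = b.receive(src, udp_encapsulate(8888, 4500, NAT_KEEPALIVE))
    ike = NON_ESP_MARKER + IKE_HDR.pack(b"\x01" * 8, b"\x02" * 8, 0, 0x10, 2, 0, 0, IKE_HDR.size)
    results["ike"] = b.receive(src, udp_encapsulate(8888, 4500, ike))
    results["forged"] = b.receive(src, udp_encapsulate(8888, 4500, build_esp(0x1000, 2, b"wrong-key", b"x")))
    return results
```

The ordering in receive() is the practitioner's point: SA lookup by SPI, then integrity, then anti-replay, and only then the "N1 is really A" fix-up of the SA's peer endpoint.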
IPSec over NAT Solution
UDP Encapsulation: Implementation Detail: Path MTU
[Figure: IP | UDP src 4500, dst 4500 | ESP | …rest of IPsec packet]
The increased packet size may generate a Path MTU size error
L2TP receives the PMTU error and corrects
General PMTU correction is needed for non-L2TP traffic
Microsoft implementations:
For clients, met the goal of making RAS VPN work; no general solution for now
For Windows Server 2003, the general case is covered; done for server-to-server scenarios (e.g. DC-DC)
IPsec NAT Traversal Status
Driven by the need for remote access over IPSec-based VPNs
Implemented to the IETF draft (draft-02) that is the basis of the Proposed Standard in progress
Interoperability tested with 3rd-party gateways for L2TP/IPSec
Intended for L2TP/IPsec in Windows XP and earlier
Intended for all IPsec usages in Windows Server 2003
Operating System Support

OS Version            L2TP/IPsec Support   General IPsec Transport Mode Support
Windows Server 2003   Yes                  Yes (4)
Windows XP            Yes (1)              Not recommended (5)
Windows 2000          Yes (2)              No
Windows NT4           Yes (3)              No
Windows 98/Me         Yes (3)              No

Note 1: Windows Update or QFE
Note 2: QFE
Note 3: With web download
Note 4: Active FTP will not work
Note 5: Some PMTU reductions do not work
Standards Status
Draft-02 was the best available during the ship time-windows
Microsoft and others have implemented it; usable now
RFC version in review now; it changes some minor details (assigned numbers) in the standard
Microsoft will adopt it in future releases
Qualcomm
“NAT-T support is important to enterprises because of today’s diverse network topologies,” says Joshua Davis, CISSP, CISA, staff IT security engineer and manager for QUALCOMM. “We never know what environment an end user will be in when they need to access our information or how their local network is configured. NAT-T gives us the functionality to provide access to any remote user and IPSec provides outstanding security. We’ve been using the beta version of Microsoft’s NAT-T technology and we have high confidence in it. We’re looking forward to a broad deployment of the official clients.”
Next steps
Move to Windows Server 2003 for the VPN gateway with RRAS
Move to Windows XP or Windows 2000 for VPN clients
If absolutely required, download and use the Windows 98 or Windows NT client
Move to L2TP/IPSec for RAS VPN
Download the Windows XP client and the Windows 2000 client update
References
IETF NAT Traversal Draft
Negotiation of NAT-Traversal in the IKE: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt
Other Relevant IETF NAT-T Information
IPsec-NAT Compatibility Requirements: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-04.txt
UDP Encapsulation of IPsec Packets: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-06.txt
Windows 98/Me/NT4 NAT-T Web download
http://download.microsoft.com/download/win98/Install/1.0/W9XNT4Me/EN-US/msl2tp.exe
General Information
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/cableguy/cg0502.asp
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
Suggested Reading And Resources
The tools you need to put technology to work!
Microsoft® Windows® Security Resource Kit: 0-7356-1868-2 (available today)
Microsoft® Windows® Server 2003 Administrator's Companion: 0-7356-1367-2 (available today)
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.