SEC406 IPsec and NAT-T: Finally in harmony?
Steve Riley, Microsoft Corporation

Agenda
• NATs + IPSec clashes to fix
• Solution model
• Details
• Scope of applicability
• Product availability
• References

NAT + IPSec Clashes
Problem 1: AH Violation
Transport-mode AH inserts an AH header between the IP header and the transport header:
  Before: Orig IP Hdr | TCP Hdr | Data
  After:  Orig IP Hdr | AH Hdr | TCP Hdr | Data
AH is IP protocol 51. AH header fields: Next Hdr, Payload Len, Rsrv, SecParamIndex, Seq#, Keyed Hash (24 bytes total).
The integrity hash covers the whole packet except the mutable IP header fields, so the source and destination addresses are covered. When a NAT rewrites an address the keyed hash no longer verifies: NAT header modification breaks the AH integrity hash.

Problem 2: IKE Fragments
Main Mode with certificates, with a NAT between the peers:
  SA, VendorID          ->   (request security)
                        <-   SA, VendorID (OK to secure)
  KE, Nonce             ->
                        <-   KE, CRPs, Nonce
  ID, Cert, Sig, CRPs   ->
Each side holds a personal machine cert plus its trusted roots (CA Cert1 and CA Cert2 on one side, CA Cert1 and CA Cert3 on the other), with policy to use CA1 (CA1 or CA3).
• Cert payload exceeds IP frame
• IKE generates IP fragments
• NAT (or switch) discards fragment
Fragment dropping breaks IKE.

Problem 3: IPSec tunnel mode "helper" in NAT
Diagram: PC A and PC B sit behind one NAT that contains an IPSec helper. PC A's IKE set-up creates a semi-static NAT map entry (protocol IPSec -> to A); when PC B does its own IKE set-up, the return path still goes to PC A.
Issues:
• Designed only for tunnel mode but acts on transport mode
• Blocks multiple IPSec sessions; first initiator gets all IPSec

IETF Process and Status
Microsoft:
• Approached IETF and other vendors
• Developed solution and collaborated with other vendors
IETF and other vendors:
• Agreed solution needed but disregarded fragment issue
• Converged on draft02 as near final
Microsoft:
• Developed draft02 and interop tested with others
• Added fragment support to meet customer needs
IETF:
• Draft02 progressed and updated some
• In editors' queue for RFC number assignment

Solution Model
• Detect NAT presence
• Move dialog to NAT'able port away from IPSec helper
• Encapsulate IPSec in UDP with smart dynamic port number management
• Prevent IP fragments (Microsoft)

IPSec over NAT Solution
Topology used in the following walk-throughs: A sits behind NAT N1, B sits behind NAT N2. N2 has a static map for B: N2, 500 -> B, 500 and N2, 4500 -> B, 4500. Note: port 500 = IKE. Each step shows the packet as [src IP, dst IP] UDP src port, dst port: payload.

Main Mode Set-up: Discover what NAT-T support each side does
A initiates IKE to "N2" (B):
  A -> N1:  [A, N2]  UDP src 500, dst 500:   NAT-T, MS-Frag, 4500/udp
  N1 -> N2: [N1, N2] UDP src 7777, dst 500:  NAT-T, MS-Frag, 4500/udp   (N1 rewrote src A, 500 to N1, 7777)
  N2 -> B:  [N1, B]  UDP src 7777, dst 500:  NAT-T, MS-Frag, 4500/udp   (N2 static map: N2, 500 -> B, 500)
B replies to "N1" (A):
  B -> N2:  [B, N1]  UDP src 500, dst 7777:  NAT-T, MS-Frag, 4500/udp
  N2 -> N1: [N2, N1] UDP src 500, dst 7777:  NAT-T, MS-Frag, 4500/udp
  N1 -> A:  [N2, A]  UDP src 500, dst 500:   NAT-T, MS-Frag, 4500/udp   (N1 rewrote dst N1, 7777 back to A, 500)

Main Mode Set-up: Discover NATs are in the middle
A sends NAT info to N2:
  A -> N1:  [A, N2]  UDP src 500, dst 500:   "I'm A, you're N2"
  N1 -> N2: [N1, N2] UDP src 7777, dst 500:  "I'm A, you're N2"
  N2 -> B:  [N1, B]  UDP src 7777, dst 500:  "I'm A, you're N2"
B's note to self: "I'm behind a NAT (N2). N1 is really A…"
B replies to "N1" (A):
  B -> N2:  [B, N1]  UDP src 500, dst 7777:  "I'm B, you're N1"
  N2 -> N1: [N2, N1] UDP src 500, dst 7777:  "I'm B, you're N1"
  N1 -> A:  [N2, A]  UDP src 500, dst 500:   "I'm B, you're N1"
A's note to self: "I'm behind NAT N1. N2 is really B…"
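The AH clash in Problem 1 can be shown concretely. The following is an added example, not code from the deck or from Microsoft: it builds a minimal IPv4 + AH (HMAC-SHA1-96, 24-byte AH header) packet, computes the integrity check value over everything except the mutable IP header fields as RFC 2402 describes, then rewrites the source address the way a NAT would and re-verifies. All addresses and the key are constructed sample values.

```python
"""Added example: why a NAT breaks transport-mode AH (HMAC-SHA1-96, 24-byte AH)."""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51      # AH is IP protocol 51
ICV_LEN = 12       # 96-bit truncated keyed hash -> 12 + 12 = 24-byte AH header


def ipv4_checksum(hdr: bytes) -> int:
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Mutable fields excluded from the hash: TOS, flags/fragment offset, TTL, checksum.
    The addresses are NOT mutable, so a NAT rewrite is covered by the hash."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    covered = zero_mutable(ip_hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                    next_hdr: int, payload: bytes) -> bytes:
    # Next Hdr | Payload Len (32-bit words minus 2: 24/4 - 2 = 4) | Rsrv | SPI | Seq#
    ah_no_icv = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    ip_hdr = build_ipv4(src, dst, AH_PROTO, len(ah_no_icv) + ICV_LEN + len(payload))
    return ip_hdr + ah_no_icv + ah_icv(key, ip_hdr, ah_no_icv, payload) + payload


def verify_ah(key: bytes, packet: bytes) -> bool:
    ip_hdr, rest = packet[:20], packet[20:]
    ah_no_icv, icv, payload = rest[:12], rest[12:24], rest[24:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_no_icv, payload))


def nat_rewrite_src(packet: bytes, new_src: str, ttl_decrement: int = 1) -> bytes:
    """What a NAT does on the way out: new source address, TTL-1, fresh IP checksum."""
    b = bytearray(packet[:20])
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    b[8] -= ttl_decrement
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b)))
    return bytes(b) + packet[20:]


def demo():
    """Returns (verifies before NAT, verifies after NAT)."""
    key = b"constructed-sample-key"
    pkt = build_ah_packet(key, "10.0.0.5", "198.51.100.20", spi=0x1001, seq=1,
                          next_hdr=6, payload=b"TCP segment")
    return verify_ah(key, pkt), verify_ah(key, nat_rewrite_src(pkt, "203.0.113.7"))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

A plain router hop (TTL decremented, checksum recomputed, address unchanged) still verifies, because those fields are zeroed before hashing; only the address rewrite breaks the hash.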
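The "I'm A, you're N2" step above is what the NAT-Traversal draft calls NAT-D payloads: each peer sends a hash of (CKY-I | CKY-R | IP | port) for the address it believes the peer has, followed by a hash of its own address, and the receiver recomputes both from what it actually sees on the wire. The following added example (not from the deck or Microsoft) walks the A/N1/N2/B topology through that check; SHA-1 is assumed as the negotiated hash, and cookies, addresses and ports are constructed values.

```python
"""Added example: NAT-D style NAT detection for the A <-> B walk-through."""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed as the negotiated hash."""
    return hashlib.sha1(cky_i + cky_r + ipaddress.IPv4Address(ip).packed
                        + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip_as_i_see_it, peer_port_as_i_see_it):
    """Order as in the draft: first the destination (peer) hash, then the sender's own."""
    return [nat_d_hash(cky_i, cky_r, peer_ip_as_i_see_it, peer_port_as_i_see_it),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, received_nat_d, my_ip, my_port, wire_src_ip, wire_src_port):
    """Run by the receiver. Returns (i_am_behind_nat, peer_is_behind_nat)."""
    peer_hash, *sender_hashes = received_nat_d
    # What the sender thinks my address is vs. what I actually have:
    # a mismatch means a NAT on my side ("I'm behind a NAT (N2)").
    i_am_behind_nat = peer_hash != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    # The sender's own address vs. the source I see on the wire:
    # a mismatch means a NAT on the sender's side ("N1 is really A").
    wire_hash = nat_d_hash(cky_i, cky_r, wire_src_ip, wire_src_port)
    peer_is_behind_nat = wire_hash not in sender_hashes
    return i_am_behind_nat, peer_is_behind_nat


def walkthrough():
    """Returns (B's view, A's view) as (behind_nat, peer_behind_nat) tuples."""
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8
    A, N1, N2, B = "10.0.0.5", "203.0.113.7", "198.51.100.20", "192.168.1.9"
    # A -> "N2": "I'm A, you're N2". N1 rewrites the source to N1, 7777 en route.
    from_a = build_nat_d_payloads(cky_i, cky_r, A, 500, N2, 500)
    b_view = detect_nat(cky_i, cky_r, from_a, B, 500, N1, 7777)
    # B -> "N1": "I'm B, you're N1". N2's static map shows B as N2, 500 on the wire.
    from_b = build_nat_d_payloads(cky_i, cky_r, B, 500, N1, 7777)
    a_view = detect_nat(cky_i, cky_r, from_b, A, 500, N2, 500)
    return b_view, a_view


if __name__ == "__main__":
    print(walkthrough())   # ((True, True), (True, True))
```

Because the hashes include both IKE cookies, an on-path device cannot precompute them for a different session, and a peer with several interfaces can send one self-hash per address so that any one of them matching counts as "no NAT".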
Main Mode Set-up: Avoid fragments and move to 4500
A sends ID info:
  A -> N1:  [A, N2]  UDP src 4500, dst 4500:  ID, Cert, Sig as IKE Frag 1, 2, …
  N1 -> N2: [N1, N2] UDP src 8888, dst 4500:  ID, Cert, Sig as IKE Frag 1, 2, …   (N1 rewrote src A, 4500 to N1, 8888)
  N2 -> B:  [N1, B]  UDP src 8888, dst 4500:  ID, Cert, Sig as IKE Frag 1, 2, …   (N2 static map: N2, 4500 -> B, 4500)
B replies to "N1" (A):
  B -> N2:  [B, N1]  UDP src 4500, dst 8888:  ID, Cert, Sig as IKE Frag 1, 2, …
  N2 -> N1: [N2, N1] UDP src 4500, dst 8888:  ID, Cert, Sig as IKE Frag 1, 2, …
  N1 -> A:  [N2, A]  UDP src 4500, dst 4500:  ID, Cert, Sig as IKE Frag 1, 2, …   (N1 rewrote dst N1, 8888 back to A, 4500)

NAT + IPSec Solution
UDP Encapsulation: Sending Data
ESP is used instead of AH, and the ESP packet is wrapped in a UDP header so the NAT only sees UDP:
  Original:      Orig IP Hdr | TCP Hdr | Data
  ESP inserted:  Orig IP Hdr | ESP Hdr | TCP Hdr | Data
  UDP inserted:  Orig IP Hdr | UDP src 4500, dst 4500 | ESP Hdr | Rest…   (sent by A)
  As received:   Orig IP Hdr | UDP src XXX, dst 4500 | ESP Hdr | Rest…    (received by B; XXX is the source port the NAT assigned)
B's note to self: "N1 is really A… Find SA for A<->B & fix"

Send Data
A sends data:
  A -> N1:  [A, N2]  UDP src 4500, dst 4500:  ESP …rest of IPsec packet
  N1 -> N2: [N1, N2] UDP src 8888, dst 4500:  ESP …rest of IPsec packet
  N2 -> B:  [N1, B]  UDP src 8888, dst 4500:  ESP …rest of IPsec packet
B's note to self: "N1 is really A… Find SA for A<->B"

UDP Encapsulation: Implementation Detail—Path MTU
  IP | UDP src 4500, dst 4500 | ESP …rest of IPsec packet
• Increased packet size may generate Path MTU size error
• L2TP receives PMTU error and corrects
• General PMTU correction needed for non-L2TP traffic
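The receiving side of the UDP encapsulation above has two jobs: sort out what arrived on port 4500, and act on "N1 is really A… find SA for A<->B & fix". The following added example (not code from the deck or from Microsoft) does both. Datagram formats follow the UDP encapsulation draft referenced on the last slide (later RFC 3948): an IKE message on 4500 starts with a four-byte zero non-ESP marker, an ESP packet starts with its non-zero SPI, and a one-byte 0xFF datagram is a NAT keepalive. ESP is reduced here to SPI | Seq | payload | HMAC-SHA1-96 ICV so that the endpoint update can be gated on a verified ICV; SAs, keys and addresses are constructed values.

```python
"""Added example: port-4500 demultiplexing and NAT-aware SA endpoint fix-up."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # SPI 0 is reserved, so this cannot be ESP
KEEPALIVE = b"\xff"
ICV_LEN = 12


@dataclass
class InboundSA:
    spi: int
    auth_key: bytes
    peer_ip: str        # where we believe the peer is (A, before any NAT)
    peer_port: int      # and its UDP port (4500 until a NAT rewrites it)


def build_esp(sa: InboundSA, seq: int, payload: bytes) -> bytes:
    body = struct.pack("!II", sa.spi, seq) + payload
    return body + hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv_ok(sa: InboundSA, esp: bytes) -> bool:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def classify_4500(datagram: bytes) -> str:
    if datagram == KEEPALIVE:
        return "keepalive"
    if len(datagram) >= 4 and datagram[:4] == NON_ESP_MARKER:
        return "ike"
    if len(datagram) >= 8 + ICV_LEN:
        return "esp"
    return "invalid"


def handle_4500(sad: dict, datagram: bytes, wire_src_ip: str, wire_src_port: int) -> str:
    """Process one datagram received on UDP 4500; `sad` maps SPI -> InboundSA."""
    kind = classify_4500(datagram)
    if kind != "esp":
        return kind
    spi = struct.unpack("!I", datagram[:4])[0]
    sa = sad.get(spi)
    if sa is None:
        return "esp-unknown-spi"
    if not esp_icv_ok(sa, datagram):
        # Never let an unauthenticated packet move the SA: that would let anyone
        # on the path redirect our outbound traffic to an address of their choosing.
        return "esp-bad-icv"
    if (wire_src_ip, wire_src_port) != (sa.peer_ip, sa.peer_port):
        # "N1 is really A… fix the SA": reply to the NAT mapping we actually see.
        sa.peer_ip, sa.peer_port = wire_src_ip, wire_src_port
        return "esp-endpoint-updated"
    return "esp-ok"


def walkthrough():
    """Returns (list of per-datagram results, final (peer_ip, peer_port) of the SA)."""
    sa = InboundSA(spi=0x1001, auth_key=b"constructed-auth-key",
                   peer_ip="10.0.0.5", peer_port=4500)
    sad = {sa.spi: sa}
    n1 = ("203.0.113.7", 8888)    # N1's outside address and the port it picked for A
    results = [
        handle_4500(sad, KEEPALIVE, *n1),
        handle_4500(sad, NON_ESP_MARKER + b"\x00" * 28, *n1),
        handle_4500(sad, build_esp(sa, 1, b"ciphertext"), *n1),     # first data packet
        handle_4500(sad, build_esp(sa, 2, b"ciphertext"), *n1),     # endpoint already fixed
        handle_4500(sad, build_esp(InboundSA(sa.spi, b"wrong-key", "", 0), 3, b"x"),
                    "192.0.2.99", 4500),                             # bad ICV: ignored
    ]
    return results, (sa.peer_ip, sa.peer_port)


if __name__ == "__main__":
    print(walkthrough())
```

The fix-up is what makes "smart dynamic port number management" work: B's outbound ESP for this SA is now sent to N1, 8888, which N1 maps back to A, 4500. A real implementation would also run anti-replay on the sequence number before touching the endpoint.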
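The Path MTU point deserves numbers. Wrapping ESP in UDP adds 8 bytes on top of ESP's own header, IV, padding, trailer and ICV, so a TCP segment that used to fit a 1500-byte frame can now exceed the path MTU and either fragment or, with DF set, draw a "fragmentation needed" error that non-L2TP traffic has to handle itself. The following added example (not from the deck or Microsoft) computes the on-wire size of a UDP-encapsulated transport-mode ESP packet and the largest inner segment, hence the TCP MSS to clamp, that fits a given MTU. Overhead figures assume a 16-byte CBC block and IV and a 12-byte HMAC-SHA1-96 ICV; these are constructed assumptions, not values from the slides.

```python
"""Added example: ESP-in-UDP size and MSS clamping for a given path MTU."""
IP_HDR = 20
UDP_HDR = 8
ESP_HDR = 8          # SPI + Seq
ESP_TRAILER = 2      # Pad Length + Next Header
ICV = 12             # HMAC-SHA1-96 (assumed)


def esp_udp_packet_size(inner_len: int, iv: int = 16, block: int = 16, udp_encap: bool = True) -> int:
    """On-wire size of the outer IP packet carrying `inner_len` bytes of transport
    payload (TCP header + data) in transport-mode ESP, optionally UDP-encapsulated."""
    pad = (-(inner_len + ESP_TRAILER)) % block     # align plaintext + trailer to the cipher block
    esp = ESP_HDR + iv + inner_len + pad + ESP_TRAILER + ICV
    return IP_HDR + (UDP_HDR if udp_encap else 0) + esp


def max_inner_for_mtu(mtu: int, **kw) -> int:
    """Largest inner length whose encapsulated packet still fits in `mtu`.
    Size is monotone in inner_len, so a binary search is exact."""
    lo, hi = 0, mtu
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if esp_udp_packet_size(mid, **kw) <= mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


def tcp_mss_for_mtu(mtu: int, **kw) -> int:
    """MSS to clamp on the inner TCP connection (inner length minus the 20-byte TCP header)."""
    return max_inner_for_mtu(mtu, **kw) - 20


def needs_fragmentation(inner_len: int, mtu: int, **kw) -> bool:
    """True if this inner segment would not fit: with DF set, this is the PMTU error case."""
    return esp_udp_packet_size(inner_len, **kw) > mtu


if __name__ == "__main__":
    # A full 1460-byte TCP payload (1480 inner) no longer fits a 1500-byte path once encapsulated.
    print(esp_udp_packet_size(1480), needs_fragmentation(1480, 1500))
    print(max_inner_for_mtu(1500), tcp_mss_for_mtu(1500))
    print(max_inner_for_mtu(1500, udp_encap=False))
```

The UDP header costs 16 bytes of inner payload at MTU 1500 here rather than 8, because the loss of 8 bytes pushes the plaintext over a cipher-block boundary; that is why a general PMTU fix, not just "subtract 8", is needed for non-L2TP traffic.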
Microsoft implementations:
• For clients, met goal to make RAS VPN work; no general solution for now
• For Windows Server 2003, general case covered; done for server-to-server scenarios (e.g. DC-DC)

IPsec NAT Traversal Status
• Driven by need for remote access over IPSec-based VPNs
• Implemented to IETF Proposed Standard (Draft-02)
• Interoperability tested with 3rd party gateways for L2TP/IPSec
• Intended for L2TP/IPsec in Windows XP and earlier
• Intended for all IPsec usages in Windows Server 2003

Operating System Support
  OS Version            L2TP/IPsec Support    General IPsec Transport Mode Support
  Windows Server 2003   Yes                   Yes (note 4)
  Windows XP            Yes (note 1)          Not recommended (note 5)
  Windows 2000          Yes (note 2)          No
  Windows NT4           Yes (note 3)          No
  Windows 98/Me         Yes (note 3)          No
Note 1: Windows Update or QFE
Note 2: QFE
Note 3: With web download
Note 4: Active FTP will not work
Note 5: Some PMTU reductions do not work

Standards Status
• Draft-02 was best available during ship time-windows
• Microsoft and others have implemented
• Usable now
• RFC version in review now
• Changes some minor details in standard numbers
• Microsoft will adopt in future releases

Qualcomm
“NAT-T support is important to enterprises because of today’s diverse network topologies,” says Joshua Davis, CISSP, CISA, staff IT security engineer and manager for QUALCOMM. “We never know what environment an end user will be in when they need to access our information or how their local network is configured. NAT-T gives us the functionality to provide access to any remote user and IPSec provides outstanding security. We’ve been using the beta version of Microsoft’s NAT-T technology and we have high confidence in it.
We’re looking forward to a broad deployment of the official clients.”

Next steps
• Move to Windows Server 2003 for VPN gateway with RRAS
• Move to Windows XP or Windows 2000 for VPN clients
• If absolutely required, download and use Windows 98 or Windows NT client
• Move to L2TP/IPSec for RAS VPN
• Download Windows XP client and Windows 2000 client update

References
IETF NAT Traversal Draft
• Negotiation of NAT-Traversal in the IKE: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt
Other relevant IETF NAT-T information
• IPsec-NAT Compatibility Requirements: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-04.txt
• UDP Encapsulation of IPsec Packets: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-06.txt
Windows 98/ME/NT4 NAT-T web download
• http://download.microsoft.com/download/win98/Install/1.0/W9XNT4Me/EN-US/msl2tp.exe
General information
• http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/cableguy/cg0502.asp
• http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

Community Resources
• Community Resources: http://www.microsoft.com/communities/default.mspx
• Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
• Newsgroups: converse online with Microsoft Newsgroups, including worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
• User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

Suggested Reading and Resources
The tools you need to put technology to work!
• Microsoft® Windows® Security Resource Kit: 0-7356-1868-2 (available today)
• Microsoft® Windows® Server 2003 Administrator's Companion: 0-7356-1367-2 (available today)
Microsoft Press books are 20% off at the TechEd Bookstore; buy any TWO Microsoft Press books and get a FREE T-shirt.

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.