Network Computing, powered by the InformationWeek Business Technology Network
Workshop

Why Can't IPsec and NAT Just Get Along?

November 27, 2000
By Mike Fratto

Both IPsec and NAT have been with us for some time, but making them play together has been hard work. To IP gurus, NAT (Network Address Translation) is an ugly kludge because it changes the way IP works at a fundamental level. To you, the network manager responsible for handling network-addressing issues, NAT is often your friend, regardless of whether you're at a large ISP or enterprise, or at an SME (small-to-medium enterprise). Why? Because NAT lets you hide networks and hosts in a variety of ways. Likewise, IPsec (IP security) is your friend because you can securely connect remote offices and users over the Internet.

However, the architecture of the IPsec protocol suite and the dearth of IPsec-aware NAT devices have made it hard to get the two to work together seamlessly. The simplest solution is a broadband router that performs both NAT and VPN (virtual private networking) on the same device: the IPsec endpoint and the translator are then the same box, and nothing in between rewrites the protected packets. But because you don't always have that luxury, you should know how vendors are addressing the IPsec-NAT issue and what the implications are. (For more information on NAT, see "Network Address Translation: Hiding in Plain Sight"; for more information on IPsec, see "Identifying a VPN for Your Company".)

NAT Forms

There are two primary NAT implementations. Dynamic address NAT assigns a temporary external IP address to a private IP address, one to one, translating only the IP address and leaving port numbers untouched. It is used mostly for dial-up or on-demand connections, where remote connections go up and down frequently (see "Dynamic Address NAT," at right). While the remote user is connected, he or she is assigned a single IP address; once that user disconnects, the address is released to be reused later.


NAPT (Network Address Port Translation) is the form of translation with which most people are familiar. NAPT is used almost exclusively by access devices designed to hide small-to-medium-sized networks behind a single public IP address. NAPT works by rewriting the source IP address and the source port number of outbound packets on the public interface, keeping a table of the mappings so it can reverse them on the replies; the port number is what lets it tell the inside hosts' connections apart (see "NAPT" graphic below).

NAPT is especially useful when cable or DSL access is deployed, because many service providers charge extra for multiple computers to be connected to the Internet (though how many addresses you get and for how much is locale-specific).

IPsec Modes

Next, a general background on IPsec. There are two modes. Transport mode simply applies an IPsec protocol to an IP packet, inserting the AH or ESP header between the original IP header and the transport payload, so the original IP header stays visible. Transport mode is used only for host-to-host IPsec. Tunnel mode encapsulates the entire original IP packet, header included, inside a new IP packet with new outer headers, so the original packet is hidden from view. Tunnel mode must be used whenever a security gateway is one of the endpoints, as in host-to-gateway IPsec, the common remote-access scenario.

There are two IPsec protocols with which we're concerned: AH (Authentication Header) and ESP (Encapsulating Security Payload). AH, rarely deployed, verifies that the fields needed to prove the identity of the sending device, including the source and destination IP addresses, have not been altered en route; a packet that fails the check is dropped. AH thus provides data integrity and origin authentication, but no confidentiality. Because its integrity check covers the IP addresses, AH is broken by every form of NAT, as we'll see later. ESP, on the other hand, encrypts the IP payload, and it can provide data integrity and origin authentication as well. ESP's integrity check covers the ESP header and payload but not the outer IP header; in tunnel mode that payload contains the original IP packet, headers included, so the original addresses are protected while the outer ones remain free to be rewritten.

IPsec VPNs exchange information over logical connections called SAs (Security Associations). An SA is simply an agreement on the protocol, algorithms, keys and key validity period used between two endpoints. SAs are one-way, so each IPsec VPN has two of them, one in each direction. An SA is identified by three values: the SPI (Security Parameter Index), a 32-bit number assigned by the destination endpoint; the destination IP address; and the protocol (AH or ESP). The destination, not the originator, assigns the SPI because only the destination knows which values it already has in use, for example in a manually configured SA that the originator would know nothing about; that is how uniqueness is guaranteed.
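As an added example (not from the article, and not any implementation's code), the following Python models the SA identification just described: a toy Security Association Database keyed on the (SPI, destination address, protocol) triple, plus the destination-side SPI allocation that skips values already in use, including a manually keyed SA the peer does not know about. The address, the algorithm names and the SA fields are constructed labels for the demo.

```python
"""Toy Security Association Database keyed on (SPI, destination, protocol).

Added illustration, not code from the article: the address, SA fields and
algorithm names below are constructed labels, not a real SAD format.
"""
import secrets
from dataclasses import dataclass

ESP, AH = 50, 51                 # IP protocol numbers
RESERVED_SPI_MAX = 255           # RFC 2401: 1..255 reserved by IANA, 0 for local use


@dataclass
class SA:
    spi: int
    dst: str
    proto: int                   # ESP or AH
    auth: str                    # integrity algorithm (label only)
    cipher: str                  # confidentiality algorithm, "none" for AH
    lifetime_s: int              # key validity period; 0 = no expiry (manual keying)
    origin: str                  # "manual" or "ike" (constructed label)


class SAD:
    """Inbound SAs held by one endpoint, indexed by the full triple."""

    def __init__(self):
        self._sas = {}

    def add(self, sa: SA) -> None:
        key = (sa.spi, sa.dst, sa.proto)
        if key in self._sas:
            raise ValueError(f"SA already exists for {key}")
        self._sas[key] = sa

    def lookup(self, spi: int, dst: str, proto: int):
        """What the receiver does for every inbound AH/ESP packet. The SPI
        alone is not enough: the same value may be in use for the other
        protocol, or for another local address."""
        return self._sas.get((spi, dst, proto))

    def allocate_spi(self, dst: str, proto: int,
                     rng=lambda: secrets.randbelow(1 << 32)) -> int:
        """Run by the destination while negotiating an inbound SA. Only this
        end knows which SPIs are taken, so only it can pick a fresh one."""
        while True:
            spi = rng()
            if spi > RESERVED_SPI_MAX and (spi, dst, proto) not in self._sas:
                return spi


def demo():
    """Two manually keyed SAs share the SPI value 0x1000 but differ in
    protocol; an IKE-negotiated ESP SA then receives an SPI that avoids
    them. A scripted rng makes the collision avoidance visible."""
    me = "198.51.100.7"                                     # constructed address
    sad = SAD()
    sad.add(SA(0x1000, me, ESP, "hmac-sha1-96", "3des-cbc", 0, "manual"))
    sad.add(SA(0x1000, me, AH, "hmac-md5-96", "none", 0, "manual"))
    candidates = iter([0x1000, 7, 0x2000])     # taken, reserved, fresh
    spi = sad.allocate_spi(me, ESP, rng=lambda: next(candidates))
    sad.add(SA(spi, me, ESP, "hmac-sha1-96", "3des-cbc", 3600, "ike"))
    return sad, spi


if __name__ == "__main__":
    sad, spi = demo()
    print(f"negotiated ESP SPI: {spi:#x}")
    print("lookup (0x1000, ESP):", sad.lookup(0x1000, "198.51.100.7", ESP))
    print("lookup (0x1000, AH): ", sad.lookup(0x1000, "198.51.100.7", AH))
```

The scripted candidate list stands in for the random draw: the first value collides with the manual SA, the second falls in the reserved range, and the third is accepted. In a real endpoint the draw is random and the manual entries are exactly the ones an IKE peer could never have predicted.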

Finally, IKE (Internet Key Exchange) runs over its own SA and is used to negotiate the parameters of the IPsec SAs. IKE uses UDP port 500, so, like any other TCP or UDP traffic, it can be passed through a NAT without special handling; a NAPT box will, however, rewrite the source port, so the responder sees the exchange arriving from some port other than 500. The IKE SA stays active for the entire lifetime of the IPsec SAs it negotiated, so that they can be rekeyed.
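The following Python is an added example, not code from the article or from any IPsec implementation. It ties together the NAPT rewrite described under "NAT Forms", the AH and ESP integrity checks of the previous paragraphs, and the IKE exchange on UDP port 500 from this one, to show which packets still verify after translation. The addresses, the key, the packet layout and the HMAC-based integrity check are all constructed for the demo and are not the real AH/ESP wire formats; encryption and sequence numbers are left out because they do not affect the point.

```python
"""Toy model of what a NAPT box rewrites versus what AH and ESP protect.

Added illustration, not code from the article. Real AH/ESP wire formats,
sequence numbers, the full list of mutable header fields and encryption are
left out; the addresses, key and packets below are constructed for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace

TCP, UDP, ESP, AH = 6, 17, 50, 51          # IP protocol numbers
KEY = b"constructed-demo-key"              # shared integrity key (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0            # 0 where the protocol has no port field (AH, ESP)
    dport: int = 0
    payload: bytes = b""
    icv: bytes = b""          # integrity check value, present for AH/ESP only


def mac(*parts: bytes) -> bytes:
    return hmac.new(KEY, b"|".join(parts), hashlib.sha256).digest()


def transport(pkt: Packet) -> bytes:
    """Everything that follows the IP header: transport header plus data."""
    return f"{pkt.proto}:{pkt.sport}>{pkt.dport}|".encode() + pkt.payload


def ah_protect(pkt: Packet) -> Packet:
    """AH (transport mode): the ICV covers the immutable IP header fields,
    here the two addresses, and everything after the AH header."""
    body = transport(pkt)
    return Packet(pkt.src, pkt.dst, AH, payload=body,
                  icv=mac(pkt.src.encode(), pkt.dst.encode(), body))


def esp_tunnel(inner: Packet, outer_src: str, outer_dst: str) -> Packet:
    """ESP tunnel mode: the whole original packet becomes the ESP payload of
    a new packet with new outer addresses. The ICV covers the ESP payload
    only; the outer IP header is deliberately outside it."""
    body = f"{inner.src}>{inner.dst}|".encode() + transport(inner)
    return Packet(outer_src, outer_dst, ESP, payload=body, icv=mac(body))


def verify(pkt: Packet) -> bool:
    """Receiver-side check; True for non-IPsec packets, which carry no ICV."""
    if pkt.proto == AH:
        expected = mac(pkt.src.encode(), pkt.dst.encode(), pkt.payload)
    elif pkt.proto == ESP:
        expected = mac(pkt.payload)
    else:
        return True
    return hmac.compare_digest(pkt.icv, expected)


class NaptBox:
    """NAPT with one public address and a (private ip, private port) ->
    public port table. A port is only available for TCP and UDP."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.table, self.next_port = public_ip, {}, first_port

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto in (TCP, UDP):
            key = (pkt.src, pkt.sport)
            if key not in self.table:
                self.table[key] = self.next_port
                self.next_port += 1
            return replace(pkt, src=self.public_ip, sport=self.table[key])
        # AH and ESP have no port field: only the address can be rewritten,
        # and the box has nothing with which to tell two inside hosts apart.
        return replace(pkt, src=self.public_ip)


def demo() -> dict:
    """Push packets from an inside host through the NAPT box and report
    what the remote IPsec gateway sees."""
    host, gateway = "10.0.0.5", "198.51.100.7"              # constructed
    nat = NaptBox("203.0.113.1")                            # constructed
    data = Packet(host, gateway, TCP, 51515, 80, b"GET / HTTP/1.0")
    ike = Packet(host, gateway, UDP, 500, 500, b"IKE main mode, message 1")
    return {
        "ah_ok_without_nat": verify(ah_protect(data)),
        "ah_ok_after_nat": verify(nat.outbound(ah_protect(data))),
        "esp_tunnel_ok_after_nat": verify(nat.outbound(esp_tunnel(data, host, gateway))),
        "ike_source_port_after_nat": nat.outbound(ike).sport,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The AH packet fails verification the moment the source address is rewritten, while the ESP tunnel-mode packet still verifies because its ICV never covered the outer header. The IKE datagram is forwarded like any UDP flow, but it leaves the box from port 40000 rather than 500, and the AH/ESP packets that follow it give the box no port at all to key its table on.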

Page 1 of 2
Copyright © 2009 United Business Media LLC