Upcoming Events

Where the Cloud Touches Down: Simplifying Data Center Infrastructure Management

Thursday, July 25, 2013
10:00 AM PT/1:00 PM ET

In most data centers, DCIM rests on a shaky foundation of manual record keeping and scattered documentation. OpManager replaces data center documentation with a single repository for data, QRCodes for asset tracking, accurate 3D mapping of asset locations, and a configuration management database (CMDB). In this webcast, sponsored by ManageEngine, you will see how a real-world datacenter mapping stored in racktables gets imported into OpManager, which then provides a 3D visualization of where assets actually are. You'll also see how the QR Code generator helps you make the link between real assets and the monitoring world, and how the layered CMDB provides a single point of view for all your configuration data.

Register Now!

A Network Computing Webinar:
SDN First Steps

Thursday, August 8, 2013
11:00 AM PT / 2:00 PM ET

This webinar will help attendees understand the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging. It will also help users decide whether SDN makes sense in their environment, and outline the first steps IT can take for testing SDN technologies.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

  W O R K S H O P

Why Can't IPsec and NAT Just Get Along?

November 27, 2000
By Mike Fratto

Both IPsec and NAT have been with us for some time, but making them play together has been hard work. To IP gurus, NAT (Network Address Translation) is an ugly kludge because it changes the way IP works at a fundamental level. To you, the network manager responsible for handling network-addressing issues, NAT is often your friend, regardless of whether you're at a large ISP or enterprise, or at an SME (small-to-medium enterprise). Why? Because NAT lets you hide networks and hosts in a variety of ways. Likewise, IPsec (IP security) is your friend because you can securely connect remote offices and users over the Internet.

However, the architecture of the IPsec protocol suite and the dearth of IPsec-aware NAT devices have created problems in getting the two to work together seamlessly. The simplest solution is to have a broadband router that performs NAT and VPN (virtual private networking) on the same device, so you don't have to muck around making IPsec and NAT play nice. But because you don't always have that luxury, you should know about some of the ways vendors are addressing the IPsec-NAT issue and its implications. (For more information on NAT, see "Network Address Translation: Hiding in Plain Sight"; for more information on IPsec, see "Identifying a VPN for Your Company".)

NAT Forms

There are two primary NAT implementations. Dynamic address NAT assigns a temporary external IP address to a private IP address, translating only the IP address. Dynamic address NAT is used mostly in dial-up or in on-demand connections in which remote connections go up and down frequently (see "Dynamic Address NAT," at right). While the remote user is connected, he or she is assigned a single IP address; once that user disconnects, the IP address is released to be reused at a later time.

NAPT (Network Address Port Translation) is the form of translation with which most people are familiar. NAPT is used almost exclusively by access devices designed to hide small-to-medium-sized networks behind a single public IP address. NAPT works by translating the source IP address and the source port number on the public interface (see "NAPT" graphic below).

NAPT is especially useful when cable or DSL access is deployed, because many service providers charge extra for multiple computers to be connected to the Internet (though how many addresses you get and for how much is locale-specific).

IPsec Modes

Next, a general background on IPsec: There are two modes of IPsec. Transport mode simply applies IPsec protocols to an IP packet and leaves the original IP headers visible. Transport mode can be used only in host-to-host IPsec VPN. Tunnel mode IPsec encapsulates the original IP packets into an IPsec packet with new IP headers. Tunnel mode effectively hides the original IP packets from view. Tunnel mode IPsec must be used in host-to-gateway IPsec, the common remote-access scenario.

There are two IPsec protocols with which we're concerned: AH (Authentication Header) and ESP (Encapsulation Security Payload). AH, rarely deployed, verifies that fields that are required to prove the identity of the sending device, such as source and destination IP addresses, have not been altered in route. If the packet fails the verification, it is dropped. Thus, AH provides data integrity and origin authentication. We'll see later that AH is broken by all forms of NAT. ESP, on the other hand, encrypts IP data. When used in tunnel mode, it provides data integrity and origin authentication services as well.

IPsec VPNs exchange information through logical connections called SAs (Security Associations). An SA is simply a definition of the protocols, algorithms and key validity time period used by endpoints. Each IPsec VPN has two SAs -- one in each direction. SAs are identified by three identifiers. One of them is a unique number called the SPI (Security Parameter Index), which is assigned by destination to each SA. The other two identifiers are the destination address and the protocol. The uniqueness of the SPI is guaranteed because a destination endpoint may have a manually configured SPI defined that the originator would not know about.

Finally, the IKE (Internet Key Exchange) is a separate SA that is used to negotiate the other IPsec protocol parameters. IKE uses UDP Port 500 and as such can be passed through a NAT without any special handling, like any other TCP/UDP protocol. IKE is active during the entire lifetime of the lower-level SA.

Vendor Comparisons
Network Computing’s Vendor Comparisons provide extensive details on products and services, including downloadable feature matrices. Our categories include:

Research and Reports

Network Computing: April 2013

TechWeb Careers