WORKSHOP
Why Can't IPsec and NAT Just Get Along?
November 27, 2000
By Mike Fratto
Both IPsec and NAT have been with us for some time, but making them play together has been hard work. To IP gurus, NAT (Network Address Translation) is an ugly kludge because it changes the way IP works at a fundamental level. To you, the network manager responsible for handling network-addressing issues, NAT is often your friend, regardless of whether you're at a large ISP or enterprise, or at an SME (small-to-medium enterprise). Why? Because NAT lets you hide networks and hosts in a variety of ways. Likewise, IPsec (IP security) is your friend because you can securely connect remote offices and users over the Internet.
However, the architecture of the IPsec protocol suite and the dearth of IPsec-aware NAT devices have created problems in getting the two to work together seamlessly. The simplest solution is to have a broadband router that performs NAT and VPN (virtual private networking) on the same device, so you don't have to muck around making IPsec and NAT play nice. But because you don't always have that luxury, you should know about some of the ways vendors are addressing the IPsec-NAT issue and its implications. (For more information on NAT, see "Network Address Translation: Hiding in Plain Sight"; for more information on IPsec, see "Identifying a VPN for Your Company".)
There are two primary NAT implementations. Dynamic address NAT assigns a temporary external IP address to a private IP address, translating only the IP address. Dynamic address NAT is used mostly in dial-up or in on-demand connections in which remote connections go up and down frequently (see "Dynamic Address NAT," at right). While the remote user is connected, he or she is assigned a single IP address; once that user disconnects, the IP address is released to be reused at a later time.
NAPT (Network Address Port Translation) is the form of translation with which most people are familiar. NAPT is used almost exclusively by access devices designed to hide small-to-medium-sized networks behind a single public IP address. NAPT works by translating the source IP address and the source port number on the public interface (see "NAPT" graphic below).
NAPT is especially useful when cable or DSL access is deployed, because many service providers charge extra for multiple computers to be connected to the Internet (though how many addresses you get and for how much is locale-specific).
Next, a general background on IPsec: There are two modes of IPsec. Transport mode simply applies the IPsec protocols to an IP packet and leaves the original IP header visible. Transport mode can be used only in host-to-host IPsec VPNs. Tunnel mode IPsec encapsulates the original IP packet inside an IPsec packet with a new IP header, which effectively hides the original IP packet from view. Tunnel mode IPsec must be used in host-to-gateway IPsec, the common remote-access scenario.
There are two IPsec protocols with which we're concerned: AH (Authentication Header) and ESP (Encapsulation Security Payload). AH, rarely deployed, verifies that the fields required to prove the identity of the sending device, such as the source and destination IP addresses, have not been altered en route. If the packet fails the verification, it is dropped. Thus, AH provides data integrity and origin authentication. We'll see later that AH is broken by all forms of NAT. ESP, on the other hand, encrypts the IP data. When used in tunnel mode, it provides data integrity and origin authentication services as well.
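To make concrete why AH fails behind any NAT while ESP survives an address rewrite, here is an added Python model that is not part of the original article. It computes an HMAC over the fields each protocol authenticates and then pushes the packet through a dynamic address NAT; the addresses, SPI and key are constructed values, and the header is reduced to the fields that matter for the comparison.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Shared SA key, constructed for this example only.
KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Packet:
    src: str          # outer IP source address
    dst: str          # outer IP destination address
    spi: int          # Security Parameter Index identifying the SA
    payload: bytes    # inner IP packet (tunnel mode) or transport data
    icv: bytes = b""  # integrity check value added by AH or ESP

def ah_icv(pkt: Packet) -> bytes:
    # AH authenticates the immutable outer IP fields (here: src and dst)
    # together with the SPI and the payload. Real AH also covers other
    # header fields and zeroes the mutable ones such as TTL; simplified here.
    data = pkt.src.encode() + pkt.dst.encode() + pkt.spi.to_bytes(4, "big") + pkt.payload
    return hmac.new(KEY, data, hashlib.sha256).digest()

def esp_icv(pkt: Packet) -> bytes:
    # ESP authenticates only the ESP header (SPI) and the protected payload;
    # the outer IP header is outside the scope of the ICV.
    data = pkt.spi.to_bytes(4, "big") + pkt.payload
    return hmac.new(KEY, data, hashlib.sha256).digest()

def protect(pkt: Packet, icv_fn) -> Packet:
    """Sender side: attach the ICV computed by the chosen protocol."""
    return replace(pkt, icv=icv_fn(pkt))

def verify(pkt: Packet, icv_fn) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(pkt.icv, icv_fn(pkt))

def dynamic_address_nat(pkt: Packet, public_ip: str) -> Packet:
    # Dynamic address NAT rewrites only the source IP address; ports
    # and payload are untouched.
    return replace(pkt, src=public_ip)

def survives_nat(icv_fn) -> bool:
    """True if a packet protected with icv_fn still verifies after NAT."""
    original = Packet(src="10.0.0.5", dst="203.0.113.10", spi=0x1000,
                      payload=b"constructed inner packet")
    protected = protect(original, icv_fn)
    translated = dynamic_address_nat(protected, "198.51.100.7")
    return verify(translated, icv_fn)

if __name__ == "__main__":
    print("AH survives NAT:", survives_nat(ah_icv))    # False: receiver drops it
    print("ESP survives NAT:", survives_nat(esp_icv))  # True
```

The same logic explains why ESP also has no trouble with the address part of NAPT, while NAPT's port rewrite is a separate problem because the transport header it needs is inside the encrypted payload.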
IPsec VPNs exchange information through logical connections called SAs (Security Associations). An SA is simply a definition of the protocols, algorithms and key validity time period used by the endpoints. Each IPsec VPN has two SAs -- one in each direction. SAs are identified by three identifiers. One of them is a unique number called the SPI (Security Parameter Index), which is assigned by the destination to each SA. The other two identifiers are the destination address and the protocol. The SPI is assigned by the destination rather than the originator because the destination may already have a manually configured SPI that the originator would not know about; letting the destination choose is what guarantees the SPI's uniqueness.
Finally, IKE (Internet Key Exchange) runs over a separate SA that is used to negotiate the other IPsec protocol parameters. IKE uses UDP Port 500 and as such can be passed through a NAT without any special handling, like any other TCP/UDP protocol. IKE is active during the entire lifetime of the lower-level SA.