Title: Implementation of IPsec-NAT compatibility with UDP encapsulation of IPsec packets
1. Implementation of IPsec-NAT compatibility with UDP encapsulation of IPsec packets
- By Divya Mukundan and K.P. Muthuvelan
2. IPsec - Introduction
- IPsec is a security architecture designed to protect packets at the IP layer.
- IPsec consists of two traffic security protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP).
- AH provides connectionless integrity and data origin authentication for the whole packet, including parts of the IP header.
- ESP may provide confidentiality (encryption), limited traffic flow confidentiality and, optionally, integrity and data origin authentication for the payload it encapsulates.
3. Network Address Translation
- Provides a mechanism for networks with private addresses to connect to external networks with globally registered addresses.
- Basic NAT
- NAPT
4. Network Address Translation
- Basic NAT rewrites addresses only: 192.168.1.2 -> w.x.y.z
- NAPT rewrites addresses and transport ports, so many private hosts can share one global address: 192.168.1.2, source port A -> w.x.y.z, source port B
5. IPsec-NAT Compatibility Issues
6. IPsec-NAT Incompatibility
- AH includes the IP source and destination addresses in its integrity check, so a packet whose addresses a NAT has rewritten fails verification at the receiver. (ESP's integrity check does not cover the outer IP header, which is why ESP can survive a NAT once the remaining problems are solved.)
- TCP/UDP checksums are computed over a pseudo-header that contains the IP addresses. A NAT normally patches the checksum when it rewrites the addresses, but it cannot reach a transport header that is encrypted by ESP or integrity-protected by AH.
- IKE-NAT incompatibilities: IKE uses IP addresses as peer identifiers and the fixed UDP port 500, both of which a NAPT rewrites, and an idle NAPT mapping times out.
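The checksum bullet above, as an added worked example in C (not code from the slides or from FreeS/WAN). It computes the UDP checksum over the IPv4 pseudo-header and then plays the NAPT of slide 4 on a datagram: the checksum is valid as sent, invalid once the source address and port are rewritten, and valid again only after the NAT also rewrites the checksum field, which it can only do when the UDP header is in the clear. The addresses 203.0.113.9 and 198.51.100.7 (documentation ranges), the ports and the payload are constructed for the example; 192.168.1.2 is the private host from slide 4.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define UDP_HDR_LEN 8

/* RFC 1071 one's-complement accumulation over len bytes. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    return sum;
}

static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sum over the IPv4 pseudo-header (src, dst, 0, protocol 17, UDP length) and the datagram in udp[]. */
static uint32_t udp_sum(const uint8_t src[4], const uint8_t dst[4],
                        const uint8_t *udp, size_t len)
{
    uint8_t pseudo[12] = {0};
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[9] = 17;
    pseudo[10] = (uint8_t)(len >> 8);
    pseudo[11] = (uint8_t)len;
    return csum_add(csum_add(0, pseudo, sizeof pseudo), udp, len);
}

/* Build header + payload with the checksum field zeroed; returns total length. */
size_t build_udp(uint8_t *udp, uint16_t sport, uint16_t dport,
                 const uint8_t *payload, size_t plen)
{
    size_t len = UDP_HDR_LEN + plen;
    udp[0] = (uint8_t)(sport >> 8); udp[1] = (uint8_t)sport;
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[4] = (uint8_t)(len >> 8);   udp[5] = (uint8_t)len;
    udp[6] = 0;                     udp[7] = 0;
    memcpy(udp + UDP_HDR_LEN, payload, plen);
    return len;
}

/* Write the checksum that matches the given addresses; returns the value used. */
uint16_t udp_set_checksum(const uint8_t src[4], const uint8_t dst[4],
                          uint8_t *udp, size_t len)
{
    udp[6] = udp[7] = 0;
    uint16_t c = csum_fold(udp_sum(src, dst, udp, len));
    if (c == 0)
        c = 0xffff;                 /* 0 means "no checksum" in UDP over IPv4 */
    udp[6] = (uint8_t)(c >> 8);
    udp[7] = (uint8_t)c;
    return c;
}

/* 1 if the stored checksum is consistent with the addresses the packet carries. */
int udp_verify(const uint8_t src[4], const uint8_t dst[4],
               const uint8_t *udp, size_t len)
{
    return csum_fold(udp_sum(src, dst, udp, len)) == 0;
}

/* Slide 4's NAPT: 192.168.1.2, port A becomes w.x.y.z, port B. The checksum is
 * valid as sent, broken once address and port change, and valid again only when
 * the NAT can rewrite the checksum field too (impossible through ESP or AH).
 * Returns 1 when all of those observations hold. */
int demo_napt_checksum(void)
{
    const uint8_t inside[4] = {192, 168, 1, 2};  /* private host from slide 4 */
    const uint8_t global[4] = {203, 0, 113, 9};  /* assumed w.x.y.z (RFC 5737 range) */
    const uint8_t peer[4]   = {198, 51, 100, 7}; /* assumed external peer */
    const uint8_t payload[] = "hello";           /* constructed payload */
    uint8_t udp[64];
    size_t len = build_udp(udp, 40000, 53, payload, sizeof payload - 1);

    uint16_t before = udp_set_checksum(inside, peer, udp, len);
    int ok_sent = udp_verify(inside, peer, udp, len);

    udp[0] = (uint8_t)(50000 >> 8); udp[1] = (uint8_t)50000;   /* NAPT: port A -> port B */
    int ok_after_nat = udp_verify(global, peer, udp, len);     /* and address -> w.x.y.z */

    uint16_t after = udp_set_checksum(global, peer, udp, len); /* NAT fix-up, clear header only */
    int ok_fixed = udp_verify(global, peer, udp, len);

    return ok_sent && !ok_after_nat && ok_fixed && before != after;
}

int main(void)
{
    printf("NAPT checksum walk-through: %s\n", demo_napt_checksum() ? "as expected" : "FAILED");
    return 0;
}
```

Inside an ESP payload the same datagram's checksum field is ciphertext to the NAT, and inside AH the whole transport header is under the ICV, so neither protocol leaves the NAT a field it is allowed to touch. The UDP encapsulation on the following slides works around exactly this by giving the NAT an outer UDP header that it may rewrite.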
7. UDP Encapsulation of IPsec Packets - ESP
UDP-encapsulated ESP header format
8. UDP Encapsulation of IPsec Packets - AH
UDP-encapsulated AH header format
9. Transport Mode Encapsulation
ESP transport mode encapsulation
AH transport mode encapsulation
10. Tunnel Mode Encapsulation
ESP tunnel mode encapsulation
AH tunnel mode encapsulation
11. Implementation
- FreeS/WAN 1.91
- Linux kernel 2.4.5
- UDP encapsulation of outgoing IPsec packets.
- UDP de-encapsulation of incoming IPsec packets.
- NAT keepalives.
12. Implementation - Outgoing packets
- Hook: ipsec_tunnel_start_xmit().
- Add the UDP header, the Non-IKE marker, the Non-ESP marker and the AH envelope in front of the finished ESP or AH packet (see the header formats on slides 7 and 8).
13. Implementation - Outgoing packets
14. Implementation - Incoming packets
- Hook: udp_rcv().
- Remove the UDP header, Non-IKE marker, Non-ESP marker and AH envelope, then skb_trim() the buffer to the length of the inner packet.
- Re-inject the inner ESP or AH packet into the stack with netif_rx().
- No change to ipsec_rcv(): the inner packet is processed exactly as an un-encapsulated one.
15. Implementation - Incoming packets
Packet flow - before
Packet flow - after
16. Implementation - NAT keepalive
- Implemented in IKE, not in the kernel.
- Send a UDP packet with payload FF every timeout seconds, so that the NAPT mapping does not expire while the tunnel is idle.
- Do this for every IKE peer.
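The outgoing path, the incoming path and the keepalive of slides 12 to 16, as one added C example. This is not FreeS/WAN or kernel code: it works on a plain byte buffer in user space where the slides' hooks work on an sk_buff. The marker layout is an assumption taken from the June 2001 Huttunen draft listed in the references: an eight-zero-byte Non-IKE marker ahead of ESP, a further four-zero-byte Non-ESP marker ahead of AH, and a keepalive whose payload is the single byte 0xFF. The final RFC 3948 dropped the Non-IKE marker and AH encapsulation, so match whatever draft revision you implement. Port 4500 and the sample ESP, AH and IKE bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define UDP_HDR_LEN 8
#define NON_IKE_LEN 8   /* zero bytes where an IKE initiator cookie would be (assumed draft layout) */
#define NON_ESP_LEN 4   /* zero bytes where an ESP SPI would be; SPI 0 is reserved (assumed) */
#define PROTO_ESP   50
#define PROTO_AH    51

enum natt_kind { NATT_INVALID, NATT_IKE, NATT_ESP, NATT_AH, NATT_KEEPALIVE };

static int all_zero(const uint8_t *p, size_t n)
{
    while (n--) if (*p++) return 0;
    return 1;
}

static void put_udp_hdr(uint8_t *b, uint16_t sport, uint16_t dport, size_t len)
{
    b[0] = (uint8_t)(sport >> 8); b[1] = (uint8_t)sport;
    b[2] = (uint8_t)(dport >> 8); b[3] = (uint8_t)dport;
    b[4] = (uint8_t)(len >> 8);   b[5] = (uint8_t)len;
    b[6] = 0;                     b[7] = 0;   /* checksum sent as zero; receivers must accept it */
}

/* Outgoing path (the ipsec_tunnel_start_xmit() addition on slide 12): prepend the UDP
 * header and markers to a finished ESP or AH packet. Returns bytes written, 0 if neither. */
size_t natt_encap(uint8_t *out, int proto, const uint8_t *ipsec, size_t len,
                  uint16_t sport, uint16_t dport)
{
    size_t marker = proto == PROTO_ESP ? NON_IKE_LEN
                  : proto == PROTO_AH  ? NON_IKE_LEN + NON_ESP_LEN : 0;
    if (marker == 0) return 0;
    put_udp_hdr(out, sport, dport, UDP_HDR_LEN + marker + len);
    memset(out + UDP_HDR_LEN, 0, marker);
    memcpy(out + UDP_HDR_LEN + marker, ipsec, len);
    return UDP_HDR_LEN + marker + len;
}

/* NAT keepalive of slide 16: payload is the byte 0xFF (one byte is an assumption). */
size_t natt_keepalive(uint8_t *out, uint16_t sport, uint16_t dport)
{
    put_udp_hdr(out, sport, dport, UDP_HDR_LEN + 1);
    out[UDP_HDR_LEN] = 0xFF;
    return UDP_HDR_LEN + 1;
}

/* Incoming path (the udp_rcv() hook on slide 14): classify a datagram from the NAT-T
 * port and locate the inner packet. The UDP length field is trusted only after it is
 * checked against the bytes actually present, which is what skb_trim() relies on. */
enum natt_kind natt_decap(const uint8_t *in, size_t len,
                          const uint8_t **inner, size_t *inner_len)
{
    if (len < UDP_HDR_LEN) return NATT_INVALID;
    size_t ulen = ((size_t)in[4] << 8) | in[5];
    if (ulen < UDP_HDR_LEN || ulen > len) return NATT_INVALID;
    const uint8_t *p = in + UDP_HDR_LEN;
    size_t plen = ulen - UDP_HDR_LEN;
    *inner = p; *inner_len = plen;
    if (plen == 1 && p[0] == 0xFF) return NATT_KEEPALIVE;   /* nothing for ipsec_rcv() */
    if (plen < NON_IKE_LEN) return NATT_INVALID;
    if (!all_zero(p, NON_IKE_LEN)) return NATT_IKE;         /* non-zero initiator cookie */
    if (plen < NON_IKE_LEN + NON_ESP_LEN) return NATT_INVALID;
    if (!all_zero(p + NON_IKE_LEN, NON_ESP_LEN)) {
        *inner = p + NON_IKE_LEN;                           /* non-zero SPI: ESP */
        *inner_len = plen - NON_IKE_LEN;
        return *inner_len >= 8 ? NATT_ESP : NATT_INVALID;   /* at least SPI + sequence */
    }
    *inner = p + NON_IKE_LEN + NON_ESP_LEN;                 /* both markers zero: AH */
    *inner_len = plen - NON_IKE_LEN - NON_ESP_LEN;
    return *inner_len >= 12 ? NATT_AH : NATT_INVALID;       /* minimum AH header */
}

/* Round trip over constructed packets; returns 0 on success, else the failing step. */
int natt_selftest(void)
{
    static const uint8_t esp[16] = {0,0,0x12,0x34, 0,0,0,1, 'c','i','p','h','e','r','t','x'};
    static const uint8_t ah[16]  = {4,4,0,0, 0,0,0xAB,0xCD, 0,0,0,1, 'i','c','v','!'};
    static const uint8_t ike[8]  = {0xDE,0xAD,0xBE,0xEF, 1,2,3,4};   /* initiator cookie */
    uint8_t buf[64]; const uint8_t *inner; size_t n, ilen;

    n = natt_encap(buf, PROTO_ESP, esp, sizeof esp, 4500, 4500);
    if (natt_decap(buf, n, &inner, &ilen) != NATT_ESP || ilen != sizeof esp ||
        memcmp(inner, esp, ilen) != 0) return 1;
    n = natt_encap(buf, PROTO_AH, ah, sizeof ah, 4500, 4500);
    if (natt_decap(buf, n, &inner, &ilen) != NATT_AH || ilen != sizeof ah ||
        memcmp(inner, ah, ilen) != 0) return 2;
    n = natt_keepalive(buf, 4500, 4500);
    if (natt_decap(buf, n, &inner, &ilen) != NATT_KEEPALIVE) return 3;
    put_udp_hdr(buf, 4500, 4500, UDP_HDR_LEN + sizeof ike);
    memcpy(buf + UDP_HDR_LEN, ike, sizeof ike);
    if (natt_decap(buf, UDP_HDR_LEN + sizeof ike, &inner, &ilen) != NATT_IKE) return 4;
    buf[4] = 0xFF; buf[5] = 0xFF;             /* length field larger than the datagram */
    if (natt_decap(buf, UDP_HDR_LEN + sizeof ike, &inner, &ilen) != NATT_INVALID) return 5;
    return 0;
}
```

natt_decap() mirrors the udp_rcv() change: it hands back nothing for a keepalive, rejects a length field that claims more bytes than arrived, and only then strips the markers. Anything it classifies as ESP or AH still goes through the unchanged ipsec_rcv(), so the SA lookup and integrity check, not this demux, decide whether the packet is accepted.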
17. Testing - Test setup
18. Testing - Test plan
- Testing basic IPsec changes.
- Testing outgoing IPsec packet formats.
- Testing IPsec packet reception processing.
- Testing NAT keepalives.
- Testing IPsec traffic in the presence of NAT.
19. Conclusions
- Further testing.
- Further enhancements:
- Detecting NAT-Traversal support in the peer.
- Detecting the presence of a NAT between the peers.
- Negotiating the NAT-Traversal encapsulation in IKE, so that it is used only when both peers support it and a NAT is present.
20. References
- W. Dixon, "IPSec over NAT Justification for UDP Encapsulation", June 2001.
- T. Kivinen, "Negotiation of NAT-Traversal in the IKE", June 2001.
- A. Huttunen, "UDP Encapsulation of IPsec Packets", June 2001.
- B. Aboba, "IPsec-NAT Compatibility Requirements", June 2001.
- S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
- S. Kent and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.
- S. Kent and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.
- G. Herrin, "Linux IP Networking: A Guide to the Implementation and Modification of the Linux Protocol Stack", May 2000.