Implementation of IPSEC-NAT compatibility with UDP encapsulation of IPSEC packets (PowerPoint presentation transcript)

Transcript and Presenter's Notes

1
Implementation of IPSEC-NAT compatibility with
UDP encapsulation of IPSEC packets
  • By
  • Divya Mukundan
  • K.P. Muthuvelan

2
IPSEC - Introduction
  • IPsec is a security architecture designed for
    protection of the IP layer packets.
  • IPsec consists of two traffic security protocols
    - the authentication header (AH) and the
    encapsulating security payload (ESP).
  • The IP authentication header (AH) mainly provides
    connectionless integrity and data origin
    authentication.
  • The encapsulating security payload (ESP) protocol
    may provide confidentiality (encryption) and
    limited traffic flow confidentiality.

3
Network Address Translation
  • Provides a mechanism for networks with private
    addresses to connect to external networks that
    use globally registered addresses.
  • Basic NAT
  • NAPT

4
Network Address Translation
  • Basic NAT
  • 192.168.1.2 → w.x.y.z
  • NAPT
  • 192.168.1.2, Source Port A → w.x.y.z, Source Port B

5
IPSEC-NAT Compatibility Issues
6
IPSEC-NAT Incompatibility
  • The AH integrity check covers the IP source and
    destination addresses.
  • TCP/UDP checksums.
  • IKE-NAT incompatibilities.

7
UDP Encapsulation of IPsec Packets - ESP
UDP-encapsulated ESP Header Format
8
UDP Encapsulation of IPsec Packets - AH
UDP-encapsulated AH Header Format
9
Transport Mode Encapsulation
ESP Transport mode Encapsulation
AH Transport mode Encapsulation
10
Tunnel Mode Encapsulation
ESP Tunnel Mode Encapsulation
AH Tunnel Mode Encapsulation
11
Implementation
  • FreeS/WAN 1.91
  • Linux kernel 2.4.5
  • UDP Encapsulation of outgoing IPsec packets.
  • UDP de-encapsulation of incoming IPsec packets.
  • NAT Keepalives.

12
Implementation - Outgoing packets
  • ipsec_tunnel_start_xmit()
  • Add UDP header, Non-IKE marker, Non-ESP marker,
    AH envelope.

13
Implementation - Outgoing packets
14
Implementation - Incoming packets
  • udp_rcv()
  • Remove UDP header, Non-IKE marker, Non-ESP
    marker, AH envelope.
  • skb_trim()
  • netif_rx()
  • No change to ipsec_rcv().

15
Implementation - Incoming packets
Packet Flow - After
Packet Flow - Before
16
Implementation - NAT Keepalive
  • Implemented in IKE.
  • Send a UDP packet with payload 0xFF every timeout
    seconds.
  • Do this for every IKE peer.
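The receive-side demultiplexing that udp_rcv() has to perform before the UDP header and markers are stripped (slide 14), together with recognising the keepalive of slide 16, as an added C example; this is not the FreeS/WAN code the presentation describes. It assumes the marker layout of the 2001 drafts the deck cites (8-octet all-zero Non-IKE marker, 4-octet all-zero Non-ESP marker, single-octet 0xFF keepalive); the AH envelope layout is not given on these slides, so the AH case stops at the first octet after the markers.

```c
#include <stddef.h>
#include <stdint.h>

/* Marker layout assumed from the 2001 UDP-encapsulation drafts (not on the
 * slides): an 8-octet all-zero Non-IKE marker precedes ESP, whose SPI is
 * never zero; if the 4 octets after that marker are also zero they form a
 * Non-ESP marker and AH (with its envelope) follows. A NAT keepalive is a
 * single 0xFF octet; anything else is IKE, whose initiator cookie is never zero. */
enum udp_encap_kind { ENCAP_INVALID, ENCAP_KEEPALIVE, ENCAP_IKE, ENCAP_ESP, ENCAP_AH };
#define NON_IKE_MARKER_LEN 8
#define NON_ESP_MARKER_LEN 4
#define ESP_MIN_LEN 8   /* SPI + sequence number */
#define AH_MIN_LEN 12   /* fixed AH header fields, no ICV */

static int all_zero(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Classify the UDP payload and set *inner_off to the first octet of the inner
 * header that udp_rcv() hands on to netif_rx()/ipsec_rcv() after stripping. */
enum udp_encap_kind classify_udp_encap(const uint8_t *p, size_t len, size_t *inner_off)
{
    *inner_off = 0;
    if (len == 1 && p[0] == 0xFF)
        return ENCAP_KEEPALIVE;             /* consumed locally, never forwarded */
    if (len < NON_IKE_MARKER_LEN)
        return ENCAP_INVALID;
    if (!all_zero(p, NON_IKE_MARKER_LEN))
        return ENCAP_IKE;                   /* leave for the IKE daemon */
    size_t off = NON_IKE_MARKER_LEN;
    if (len < off + NON_ESP_MARKER_LEN)
        return ENCAP_INVALID;
    if (!all_zero(p + off, NON_ESP_MARKER_LEN)) {
        if (len < off + ESP_MIN_LEN)        /* truncated ESP header */
            return ENCAP_INVALID;
        *inner_off = off;                   /* ESP starts at its SPI */
        return ENCAP_ESP;
    }
    off += NON_ESP_MARKER_LEN;
    if (len < off + AH_MIN_LEN)             /* truncated AH header */
        return ENCAP_INVALID;
    *inner_off = off;                       /* AH envelope/header start */
    return ENCAP_AH;
}
```

Anything returned as ENCAP_INVALID should be dropped and counted rather than passed to ipsec_rcv(), since a truncated marker or header is exactly what a malformed or hostile packet on the IPsec port looks like.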

17
Testing - Test Setup
18
Testing - Test Plan
  • Testing basic IPsec changes.
  • Testing outgoing IPsec packet formats.
  • Testing IPsec packet reception processing.
  • Testing NAT keepalives.
  • Testing IPsec traffic in the presence of NAT.

19
Conclusions
  • Further testing.
  • Further enhancements.
  • Detecting support for NAT-Traversal.
  • Detecting presence of NAT.
  • Negotiation of the NAT-Traversal encapsulation.

20
References
  • Dixon, W., "IPSec over NAT Justification for UDP
    Encapsulation", June 2001.
  • Kivinen, T., "Negotiation of NAT-Traversal in the
    IKE", June 2001.
  • Huttunen, A., "UDP Encapsulation of IPsec
    Packets", June 2001.
  • Aboba, B., "IPsec-NAT Compatibility
    Requirements", June 2001.
  • Kent, S., "Security Architecture for the Internet
    Protocol", November 1998.
  • Kent, S., "IP Encapsulating Security Payload
    (ESP)", November 1998.
  • Kent, S., "IP Authentication Header", November
    1998.
  • Herrin, G., "Linux IP Networking: A Guide to the
    Implementation and Modification of the Linux
    Protocol Stack", May 2000.