Using MOBIKE over NATs - PowerPoint PPT Presentation

About This Presentation

Title: Using MOBIKE over NATs

Description: IKE sends 'address' update packet with the public address in the payload. IETF 60 ... How to discover the public address of the NAT ? Possible options ... – PowerPoint PPT presentation

Slides: 9
Provided by: ietf
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

1
Using MOBIKE over NATs
  • draft-mohanp-mobike-nat-00.txt
  • Mohan Parthasarathy
  • NOKIA

2
Agenda
  • Problem statement.
  • Solution.
  • Limitations.
  • Alternate Solution.

3
Problem Statement
  • MOBIKE provides a mechanism to update the address
    of IKE and IPsec SA without re-keying.
  • Peer is updated by sending an address update
    packet with the new address.
  • Peer updates the address after successful
    completion of RR on the new address.
  • What happens when the node is behind a NAT?
  • The address in the address update packet is the
    private address, so RR will fail.

4
Solution
  • Assume a node already has an IPsec SA with a
    remote peer and moves behind a NAT.
  • Detects movement, invokes DHCP to obtain a new
    address.
  • Along with the new address, it also discovers the
    public address of the NAT (described later).
  • IKE learns both the new address and the public
    address of the NAT.
  • IKE sends address update packet with the public
    address in the payload.

5
Solution (contd.)
  • Peer verifies whether the source address in the
    IP header matches the address in the payload.
  • If the addresses do not match, it assumes that
    an attacker modified the packet and drops the
    packet without updating the address.
  • If the addresses match, the peer performs return
    routability to verify the address and then updates
    the address.
  • Both ends start using UDP encapsulation on port
    4500.
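The following is an added toy model of slides 3 to 5, not code from the draft or from the presenter: a minimal NAPT plus the peer-side checks (IP-header source vs. payload address, then a return-routability probe). The addresses, NAPT port range and result strings are constructed for the illustration; UDP port 4500 is taken from slide 5.

```python
from dataclasses import dataclass, field

@dataclass
class Napt:
    """Minimal NAPT: maps a private (ip, port) to a public (ip, port) and back."""
    public_ip: str
    next_port: int = 40000                        # constructed port range
    bindings: dict = field(default_factory=dict)  # (priv_ip, priv_port) -> pub_port

    def outbound(self, priv):
        """Rewrite the source of an outgoing packet, creating a binding if needed."""
        if priv not in self.bindings:
            self.bindings[priv] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.bindings[priv])

    def inbound(self, dst):
        """Private endpoint for an incoming packet, or None if no binding exists."""
        for priv, pub_port in self.bindings.items():
            if dst == (self.public_ip, pub_port):
                return priv
        return None

class Peer:
    """Remote MOBIKE peer receiving the address update (slide 5 logic)."""
    def __init__(self, napt):
        self.napt = napt          # the only path back to the mobile node
        self.sa_address = None    # address currently stored for the SA

    def on_address_update(self, ip_src, payload_addr, check_source=True):
        # Check 1 (slide 5): payload address must equal the IP-header source.
        # check_source=False models the slide-3 problem, where the peer
        # simply trusts the payload address.
        if check_source and payload_addr != ip_src[0]:
            return "dropped: payload address differs from IP source"
        # Check 2: return routability. Only the address is carried in the
        # payload (slide 7), so the probe reuses the port seen in the IP header.
        if self.napt.inbound((payload_addr, ip_src[1])) is None:
            return "rr failed: address not routable"
        self.sa_address = (payload_addr, ip_src[1])
        return "updated"

def mobile_node_update(napt, private_ip, payload_addr, check_source=True):
    """Mobile node behind `napt` sends an address update carrying `payload_addr`."""
    peer = Peer(napt)
    ip_src = napt.outbound((private_ip, 4500))    # NAPT rewrites the IP header
    return peer.on_address_update(ip_src, payload_addr, check_source)
```

Running the three cases (private address in the payload, the NAT's public address, and a tampered address) reproduces the outcomes the slides describe: RR failure, a successful update, and a drop.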

6
Solution (contd.)
  • How to discover the public address of the NAT?
  • Possible options:
  • A new DHCP option (described in the draft)
  • STUN (another possible solution)

7
Limitations
  • Works only across a NAPT device (or multiple of
    them, as Jari Arkko pointed out).
  • Does not work across a NAT device, as there is no
    easy way to learn the bindings using the
    mechanism defined in the draft.
  • Only the address binding is sent; the port
    number is not. This means an attacker could
    direct traffic at a different host behind the NAT,
    although this is not easy.
  • The security of the solution depends on learning the
    public address securely.

8
Possible extensions
  • The basic idea is for the node moving behind a NAT
    to learn that it has moved behind a NAT and also to
    learn the NAT bindings.
  • STUN (RFC 3489) is already used by other
    applications for learning NAT bindings.
  • IKE can use STUN directly or indirectly to learn
    this information.
  • STUN has a built-in mechanism to secure the NAT
    binding information.
  • This can work across NAPT and NAT, including
    multiple of them.