Mobile IP Traversal Of NAT Devices - PowerPoint PPT Presentation

1
Mobile IP Traversal Of NAT Devices
  • By Vivek Nemarugommula

2
Problem Definition
  • Mobile IP relies on sending traffic from the home
    network to the mobile node or foreign agent
    through IP-in-IP tunnelling. IP nodes which
    communicate from behind a NAT are reachable only
    through the NAT's public address(es).
  • IP-in-IP tunnelling does not generally contain
    enough information to permit unique translation
    from the common public address(es) to the
    particular care-of address of a mobile node or
    foreign agent which resides behind the NAT; in
    particular, there are no TCP/UDP port numbers
    available for a NAT to work with.

3
Problem Illustrated
4
Problem Illustrated
5
Solutions
  • The draft by H. Levkowetz (ipUnplugged) and S.
    Vaarala (Netseal), released in April 2002,
    presents extensions to the Mobile IP protocol and
    a tunnelling method which permits mobile nodes
    using Mobile IP to operate in private address
    networks, which are separated from the public
    internet by NAT devices.
  • Assumptions: the primary assumption in this
    document is that the network allows communication
    between a UDP port chosen by the mobile node and
    the home agent UDP port 434.

6
Co-located care of address
  • The mobile users connect to the Home Agent at the
    office to access the correspondent node (CN) in
    the home network.
  • The mobile node will request a temporary care-of
    address belonging to the local router R from a
    DHCP server in the visited network.
  • The Home Agent will discover that a NAPT
    traversal has occurred by comparing the source IP
    address 204.68.9.2 with the care-of address
    10.0.0.2.
  • The Mobile IP tunnel is then modified to include
    a UDP header, in order to facilitate traversal of
    the NAPT with payload datagrams between the
    mobile node and the correspondent node
    (19.0.4.1).
  • The source IP address in the header of the
    registration request as received by the Home
    Agent, i.e. 204.68.9.2, will be used as the source
    IP address for the outer IP header in the Mobile
    IP tunnel as seen from the Home Agent, instead of
    the care-of address, i.e. 10.0.0.2.

8
Mobile IP Registration
  • The mobile node (or, more precisely, the mobile
    node virtual interface adapter, MN-VIA) sends a
    Mobile IP registration request towards the Home
    Agent.
  • The registration request is sent with the UDP
    destination port equal to 434 and the UDP source
    port set to any chosen port number.
  • In order to distinguish between datagrams sent
    from different nodes in the visited network, the
    NAPT will also keep a state table with the
    care-of address and the UDP source port number on
    the inside and a newly allocated UDP source port
    number on the outside of the firewall.
  • The latter UDP source port number is selected so
    that it is unique among the sessions traversing
    the NAPT at any point in time.

9
Registration (continued)
  • The Home Agent will discover the discrepancy
    between source IP address 204.68.9.2 and care-of
    address 10.0.0.2 inside the registration request
    message.
  • In order to protect against spoofing, the Home
    Agent will verify the authenticator as well as
    the time stamp of the registration reply.
  • If acceptable, the Home Agent will select a UDP
    port number to be used for the Mobile IP data
    path and communicate it to the mobile node as
    part of the registration reply message.

10
Registration Procedure
11
Mobile IP Payload Transfer
  • There are two main differences in the way payload
    transfer is performed when a NAPT is present.
  • First, the payload datagrams to be sent
    through the Mobile IP tunnel are required to have
    a UDP header in between the two IP headers.
  • Second, the Home Agent applies the source IP
    address from the header of the registration
    request, i.e. the IP address of the NAPT
    204.68.9.2, as the destination IP address also
    for datagrams destined for the mobile node.

12
MIP Traffic Flow
14
IPSec NAT Transparency
  • The IPSec NAT Transparency feature introduces
    support for IPSec traffic to travel through NAT
    or PAT points in the network by encapsulating
    IPSec packets in a User Datagram Protocol (UDP)
    wrapper, which allows the packets to travel
    across NAT devices.
  • IKE Phase 1 Negotiation NAT Detection
  • IKE Phase 2 Negotiation NAT Traversal Decision
  • UDP Encapsulation of IPSec Packets for NAT
    Traversal

15
IKE Phase 1 Negotiation NAT Detection
  • During Internet Key Exchange (IKE) phase 1
    negotiation, two types of NAT detection occur
    before IKE Quick Mode begins: NAT support and NAT
    existence along the network path.
  • To detect NAT support, you should exchange the
    vendor identification (ID) string with the remote
    peer.
  • Detecting whether NAT exists along the network
    path allows you to find any NAT device between
    two peers and the exact location of the NAT.
  • To detect whether a NAT device exists along the
    network path, the peers should send a payload
    with hashes of the IP address and port of both
    the source and destination address from each end.
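As an added example (not code from the slides or from any vendor implementation), the address-hash check described above, using the NAT-D payload hash from RFC 3947, SHA-1 over CKY-I | CKY-R | IP | Port. The cookies, the addresses 10.0.0.2, 19.0.0.1 and 204.68.9.2, and the ports are constructed sample values for the simulation.

```python
# Added example: IKE phase 1 NAT-D detection.  Each peer hashes the address
# it believes the other side has, then its own address; the receiver
# recomputes the hashes from what it actually observes on the wire.
import hashlib
import socket
import struct

def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload content (RFC 3947): SHA-1 over initiator cookie,
    responder cookie, 4-byte IPv4 address and 2-byte port, network order."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """First payload: the peer's address as the sender sees it.
    Remaining payload(s): the sender's own address(es)."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]

def check_nat_d(cky_i, cky_r, received, seen_src_ip, seen_src_port,
                my_ip, my_port):
    """Receiver side.  A mismatch on the first hash means the sender saw a
    different address for me (NAT in front of me); no match among the rest
    against the observed source means a NAT rewrote the sender's address."""
    nat_before_me = received[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    observed = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    nat_before_peer = observed not in received[1:]
    return {"nat_before_me": nat_before_me, "nat_before_peer": nat_before_peer}

def simulate(init_ip, init_port, resp_ip, resp_port, nat_ip=None, nat_port=None):
    """Run one exchange.  If a NAT sits in front of the initiator, the
    responder observes nat_ip:nat_port as the packet source instead."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed sample cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    payloads = build_nat_d_payloads(cky_i, cky_r, init_ip, init_port,
                                    resp_ip, resp_port)
    seen = (nat_ip, nat_port) if nat_ip else (init_ip, init_port)
    return check_nat_d(cky_i, cky_r, payloads, seen[0], seen[1],
                       resp_ip, resp_port)
```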

16
IKE Phase 2 Negotiation NAT Traversal Decision
  • IKE phase 2 decides whether or not the peers at
    both ends will use NAT traversal. The Quick Mode
    (QM) security association (SA) payload in QM1 and
    QM2 is used for NAT traversal negotiation.
  • Because the NAT device changes the IP address and
    port number, incompatibilities between NAT and
    IPSec can be created. Thus, exchanging the
    original source address bypasses any
    incompatibilities.

17
UDP Encapsulation of IPSec Packets for NAT Traversal
  • In addition to allowing IPSec packets to traverse
    across NAT devices, UDP encapsulation also
    addresses many incompatibility issues between
    IPSec and NAT and PAT.
  • Incompatibility Between Fixed IKE Destination
    Ports and PAT: Resolved
  • PAT changes the port address in the new UDP
    header for translation and leaves the original
    payload unchanged.

18
Standard IPSec Tunnel Through a NAT/PAT Point (No UDP Encapsulation)
19
IPSec Packet with UDP Encapsulation
20
Conclusions
  • The ordinary Mobile IP security mechanisms are
    also used with the NAT traversal mechanism
    described in this document.
  • Relying on unauthenticated address information
    when forming or updating a mobility binding leads
    to several redirection attack vulnerabilities.
  • In providing a mobile node with a mechanism for
    NAT traversal of Mobile IP traffic, we expand the
    address space where a mobile node may function
    and acquire care-of addresses.
  • There are many compatibility issues between IPsec
    ESP and NAT which have been resolved.

21
References
  • www.ipunplugged.com/pdf/NAPTTraversalWithMobileIP.pdf
  • http://rfc3519.x42.com/
  • http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm#wp1027129