Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula

Post on 15-Jan-2016

Page 1: Mobile IP Traversal Of NAT Devices

Mobile IP Traversal Of NAT Devices

By,

Vivek Nemarugommula

Page 2: Mobile IP Traversal Of NAT Devices

Problem Definition

Mobile IP relies on sending traffic from the home network to the mobile node or foreign agent through IP-in-IP tunnelling. IP nodes which communicate from behind a NAT are reachable only through the NAT's public address(es).

IP-in-IP tunnelling does not generally contain enough information to permit unique translation from the common public address(es) to the particular care-of address of a mobile node or foreign agent which resides behind the NAT; in particular there are no TCP/UDP port numbers available for a NAT to work with.

Page 3: Mobile IP Traversal Of NAT Devices

Problem Illustrated

Page 4: Mobile IP Traversal Of NAT Devices

Problem Illustrated

Page 5: Mobile IP Traversal Of NAT Devices

Solutions

The draft by H. Levkowetz (ipUnplugged) and S. Vaarala (Netseal), released in April 2002, presents extensions to the Mobile IP protocol and a tunnelling method which permits mobile nodes using Mobile IP to operate in private address networks, which are separated from the public internet by NAT devices.

Assumptions: The primary assumption in this document is that the network allows communication between a UDP port chosen by the mobile node and the home agent UDP port 434.

Page 6: Mobile IP Traversal Of NAT Devices

Co-located care-of address

The mobile users connect to the Home Agent at the office to access the correspondent node (CN) in the home network.

The mobile node will request a temporary care-of address belonging to the local router R from a DHCP server in the visited network.

The Home Agent will discover that a NAPT traversal has occurred by comparing the source IP address 204.68.9.2 and the care-of address 10.0.0.2.

The Mobile IP tunnel is then modified to include a UDP header, in order to facilitate traversal of the NAPT with payload datagrams between the mobile node and the correspondent node (19.0.4.1).

The source IP address in the header of the registration request as received by the Home Agent, i.e. 204.68.9.2, will be used as the source IP address for the outer IP header in the Mobile IP tunnel seen from the Home Agent, instead of the care-of address, i.e. 10.0.0.2.

Page 7: Mobile IP Traversal Of NAT Devices
Page 8: Mobile IP Traversal Of NAT Devices

Mobile IP Registration

The mobile node (or, to be more correct, the mobile node virtual interface adapter MN-VIA) sends a Mobile IP registration request towards the Home Agent.

The registration request is sent with the UDP destination port equal to 434 and the UDP source port set to any chosen port number.

In order to distinguish between datagrams sent from different nodes in the visited network, the NAPT will also keep a state table with the care-of address and the UDP source port number on the inside and a newly allocated UDP source port number on the outside of the firewall.

The latter UDP source port number is selected so that it is unique among the sessions traversing the NAPT at any point in time.

Page 9: Mobile IP Traversal Of NAT Devices

Registration (continued)

The Home Agent will discover the discrepancy between the source IP address 204.68.9.2 and the care-of address 10.0.0.2 inside the registration request message.

In order to protect against spoofing, the Home Agent will verify the authenticator as well as the time stamp of the registration reply.

If acceptable, the Home Agent will select a UDP port number to be used for the Mobile IP data path and communicate it to the mobile node as part of the registration reply message.

Page 10: Mobile IP Traversal Of NAT Devices

Registration Procedure

Page 11: Mobile IP Traversal Of NAT Devices

Mobile IP Payload Transfer

There are two main differences in the way payload transfer is performed when a NAPT is present:

1. First of all, the payload datagrams to be sent through the Mobile IP tunnel are required to have a UDP header in between the two IP headers.

2. The second item is that the Home Agent applies the source IP address of the registration request, i.e. the IP address of the NAPT 204.68.9.2, as the destination IP address also for datagrams destined for the mobile node.
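The Home Agent side of slides 9 and 11, worked through as an added example (not code from the presentation or from the Levkowetz/Vaarala draft): the NAPT check compares the outer source address with the care-of address, and the tunnel packet towards the mobile node gets a UDP header between the two IP headers with the NAPT's public address as the outer destination. The NAPT-allocated port 40001 and the reuse of port 434 as the HA's data-path port are assumptions; the addresses 10.0.0.2 and 204.68.9.2 come from the slides.

```python
import ipaddress
import struct
from dataclasses import dataclass

HA_UDP_PORT = 434  # Home Agent registration port named on the slides

@dataclass
class RegistrationRequest:
    outer_src_ip: str     # source IP of the datagram as received by the HA (post-NAPT)
    outer_src_port: int   # UDP source port as received by the HA (allocated by the NAPT)
    care_of_address: str  # care-of address carried inside the registration request

def napt_traversed(req):
    """HA check from the slides: outer source != care-of address means a NAPT is in the path."""
    return ipaddress.ip_address(req.outer_src_ip) != ipaddress.ip_address(req.care_of_address)

def tunnel_endpoint(req):
    """Outer destination for HA -> MN tunnel packets: the NAPT's public address and port
    when traversal was detected, otherwise the care-of address with no UDP port."""
    if napt_traversed(req):
        return req.outer_src_ip, req.outer_src_port
    return req.care_of_address, None

def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; identification, flags and fragment offset stay zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def encapsulate(ha_ip, req, inner_datagram, ha_data_port=HA_UDP_PORT):
    """HA -> MN tunnel packet: outer IP, a UDP header only when a NAPT was detected, then the
    original datagram. The slides have the HA pick ha_data_port and announce it in the
    registration reply; reusing 434 here is an assumption. UDP checksum left at 0 (optional)."""
    dst_ip, dst_port = tunnel_endpoint(req)
    if dst_port is None:  # no NAPT: plain IP-in-IP, protocol 4
        return ipv4_header(ha_ip, dst_ip, 4, len(inner_datagram)) + inner_datagram
    udp = struct.pack("!HHHH", ha_data_port, dst_port, 8 + len(inner_datagram), 0) + inner_datagram
    return ipv4_header(ha_ip, dst_ip, 17, len(udp)) + udp  # UDP is protocol 17

# Constructed sample: care-of address 10.0.0.2 behind the NAPT 204.68.9.2 (addresses from the
# slides); the NAPT-allocated port 40001 is made up.
SAMPLE_REQ = RegistrationRequest("204.68.9.2", 40001, "10.0.0.2")
```

Feeding `encapsulate` a datagram from the correspondent node 19.0.4.1 yields outer IP (HA to 204.68.9.2), then UDP (434 to 40001), then the untouched inner datagram; a request whose outer source equals the care-of address falls back to IP-in-IP.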

Page 12: Mobile IP Traversal Of NAT Devices

MIP Traffic Flow

Page 13: Mobile IP Traversal Of NAT Devices
Page 14: Mobile IP Traversal Of NAT Devices

IPSec NAT Transparency

The IPSec NAT Transparency feature introduces support for IPSec traffic to travel through NAT or PAT points in the network by encapsulating IPSec packets in a User Datagram Protocol (UDP) wrapper, which allows the packets to travel across NAT devices.

IKE Phase 1 Negotiation: NAT Detection

IKE Phase 2 Negotiation: NAT Traversal Decision

UDP Encapsulation of IPSec Packets for NAT Traversal

Page 15: Mobile IP Traversal Of NAT Devices

IKE Phase 1 Negotiation: NAT Detection

During Internet Key Exchange (IKE) phase 1 negotiation, two types of NAT detection occur before IKE Quick Mode begins—NAT support and NAT existence along the network path.

To detect NAT support, you should exchange the vendor identification (ID) string with the remote peer.

Detecting whether NAT exists along the network path allows you to find any NAT device between two peers and the exact location of NAT.

To detect whether a NAT device exists along the network path, the peers should send a payload with hashes of the IP address and port of both the source and destination address from each end.
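The hash exchange on this slide, as an added example that is not part of the presentation or of any vendor implementation: each peer sends hashes of the destination and of its own source address/port, and the receiver recomputes them from the headers it actually saw. The hash input follows the NAT-D payload of RFC 3947 (initiator cookie, responder cookie, IP, port) with SHA-1 standing in for the negotiated hash; the cookies, ports and the gateway address 198.51.100.1 are constructed, while 10.0.0.2 and 204.68.9.2 are the slide's addresses.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D value as RFC 3947 defines it: HASH(CKY-I | CKY-R | IP | Port); SHA-1 stands in
    for whatever hash the peers negotiated."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """What a peer puts on the wire: first the hash of the address it is sending to,
    then the hash of its own source address, both as the peer itself sees them (pre-NAT)."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]

def locate_nat(cky_i, cky_r, received, seen_src_ip, seen_src_port, own_ip, own_port):
    """Receiver recomputes the hashes from the IP/UDP headers it actually observed.
    A mismatch on the peer's source means the peer is behind NAT; a mismatch on the
    receiver's own address means a NAT rewrote the destination on the way in."""
    dst_hash, src_hashes = received[0], received[1:]
    return {
        "peer_behind_nat": nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port) not in src_hashes,
        "self_behind_nat": nat_d_hash(cky_i, cky_r, own_ip, own_port) != dst_hash,
    }

# Constructed exchange: the mobile node at 10.0.0.2 (slide address) sits behind the NAPT
# 204.68.9.2 (slide address); cookies, ports and the gateway address 198.51.100.1 are made up.
CKY_I, CKY_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
GATEWAY = ("198.51.100.1", 500)

def detect_from_mobile_node():
    sent = nat_d_payloads(CKY_I, CKY_R, "10.0.0.2", 500, *GATEWAY)
    # The NAPT rewrote the source to 204.68.9.2:40001 before the gateway received it.
    return locate_nat(CKY_I, CKY_R, sent, "204.68.9.2", 40001, *GATEWAY)
```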

Page 16: Mobile IP Traversal Of NAT Devices

IKE Phase 2 Negotiation: NAT Traversal Decision

IKE phase 2 decides whether or not the peers at both ends will use NAT traversal. The Quick Mode (QM) security association (SA) payload in QM1 and QM2 is used for NAT traversal negotiation.

Because the NAT device changes the IP address and port number, incompatibilities between NAT and IPSec can be created. Thus, exchanging the original source address bypasses any incompatibilities.

Page 17: Mobile IP Traversal Of NAT Devices

UDP Encapsulation of IPSec Packets for NAT Traversal

In addition to allowing IPSec packets to traverse across NAT devices, UDP encapsulation also addresses many incompatibility issues between IPSec and NAT and PAT.

Incompatibility Between Fixed IKE Destination Ports and PAT—Resolved

PAT changes the port address in the new UDP header for translation and leaves the original payload unchanged.

Page 18: Mobile IP Traversal Of NAT Devices

Standard IPSec Tunnel Through a NAT/PAT Point (No UDP Encapsulation)

Page 19: Mobile IP Traversal Of NAT Devices

IPSec Packet with UDP Encapsulation

Page 20: Mobile IP Traversal Of NAT Devices

Conclusions

The ordinary Mobile IP security mechanisms are also used with the NAT traversal mechanism described in this document.

Relying on unauthenticated address information when forming or updating a mobility binding leads to several redirection attack vulnerabilities.

In providing a mobile node with a mechanism for NAT traversal of Mobile IP traffic, we expand the address space where a mobile node may function and acquire care-of addresses.

There are many compatibility issues between IPsec ESP and NAT which have been resolved.

Page 21: Mobile IP Traversal Of NAT Devices

References

www.ipunplugged.com/pdf/NAPTTraversalWithMobileIP.pdf

http://rfc3519.x42.com/

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm#wp1027129