NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

PRESENTATION (outline)
- Introduction: NAT, IPsec
- Problems
- NAT-T
- NAT-T solution(s)
- Conclusions

INTRODUCTION: NAT
- NAT is a router function that translates between private and public IPv4 addresses.
- Motivation: the IPv4 address space is limited.
- Implementations: static and dynamic.
- Consequence: NAT changes the source IP address of the packet.

INTRODUCTION: IPsec
- IPsec is an Internet standard and a security framework for securing IP-layer traffic.
- Protocols: Encapsulating Security Payload (ESP), Authentication Header (AH)
- Modes: transport, tunnel
- Key functionality: confidentiality of data, authenticity of the sender, integrity of data, replay protection
- Consequence: IPsec is designed to prevent exactly the kind of packet modification that NAT performs.

INTRODUCTION: IPsec modes
Tunnel mode:
- The original IP header and the payload are encrypted: protection for the whole packet.
- The packet is encapsulated with an AH/ESP header and an additional (outer) IP header.
- The IP addresses in the outer IP header are the tunnel end points.
Transport mode:
- Only the payload is encrypted: protection of the payload.
- The AH/ESP header is located between the IP header and the transport header (TCP/UDP).
- Default mode for IPsec; used for end-to-end communications.

INTRODUCTION: IKE
- Internet Key Exchange for IPsec.
- 1st phase: the SA and key exchange protocol (ISAKMP) establishes a secure, authenticated channel for further negotiation traffic and defines the SA used during the negotiations.
- 2nd phase: the SA used by IPsec is negotiated.
- Normal IKE traffic is carried over UDP to port 500.
- Non-ESP marker: a field that allows a recipient to distinguish between a UDP-encapsulated ESP PDU and an IKE message.
- IKE includes new payloads: Vendor ID (a hash value that indicates NAT-T capability) and NAT-OA (Original Address).

PROBLEMS: IPsec over NAT
1. AH is incompatible with NAT (the whole packet is covered by the HMAC).
2. NATs cannot update upper-layer checksums.
3. The IKE UDP port number cannot be changed.
4. NATs cannot multiplex IPsec data streams.
5. NAT timeout of the IKE UDP port mapping can cause problems.
6. The Identification IKE payload contains embedded IP addresses.

NAT-T: UDP encapsulation of IPsec ESP packets
- ESP: only the payload is encrypted -> NAT-T adds a UDP header that encapsulates the ESP header.
- Functionality (decided during the initial IPsec negotiation):
  - if the peers have NAT-T capability, and
  - a NAT router is in the middle of the path between the peers, NAT-T is used;
  - otherwise, normal IPsec operations.
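The second condition above, detecting whether a NAT router sits on the path, is decided in IKE phase 1 with NAT-D payloads (RFC 3947): each peer hashes the IKE cookies together with the IP address and port it believes it is using, and the receiver recomputes the hash over the source address and port it actually observes. The following is an added example, not code from the seminar slides; the cookie values, addresses and ports are constructed, and SHA-1 is assumed as the negotiated phase-1 hash.

```python
# Added example (not from the seminar slides): NAT detection during IKE phase 1
# with NAT-D payloads as specified in RFC 3947. Cookie values, addresses and
# ports below are constructed for the demonstration.
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port) over the binary address and the 16-bit port.

    RFC 3947 uses the hash algorithm negotiated in phase 1; SHA-1 is assumed here.
    """
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, own_addrs):
    """NAT-D payloads as the sender sees the world: first the peer's address,
    then one payload per local address (a multihomed host sends several)."""
    payloads = [nat_d_hash(cky_i, cky_r, peer_ip, peer_port)]
    for ip, port in own_addrs:
        payloads.append(nat_d_hash(cky_i, cky_r, ip, port))
    return payloads


def detect_nat(cky_i, cky_r, received, own_ip, own_port, observed_peer_ip, observed_peer_port):
    """Receiver side: compare the sender's hashes with what is actually observed.

    Returns (peer_behind_nat, self_behind_nat).
    """
    if len(received) < 2:
        raise ValueError("NAT-D needs at least one remote and one local hash")
    # The first hash is the sender's view of *our* address/port. If it differs
    # from what we know about ourselves, a NAT sits in front of us.
    self_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    # The remaining hashes are the sender's own addresses. If the observed
    # source matches none of them, a NAT rewrote the sender's address or port.
    observed = nat_d_hash(cky_i, cky_r, observed_peer_ip, observed_peer_port)
    peer_behind_nat = observed not in received[1:]
    return peer_behind_nat, self_behind_nat


def demo():
    # Constructed scenario: initiator 10.0.0.5:500 sits behind a NAT that rewrites
    # it to 198.51.100.1:5000; responder 203.0.113.10:500 is not behind a NAT.
    cky_i = bytes.fromhex("0102030405060708")
    cky_r = bytes.fromhex("1112131415161718")
    payloads = build_nat_d_payloads(cky_i, cky_r, "203.0.113.10", 500, [("10.0.0.5", 500)])
    return detect_nat(cky_i, cky_r, payloads, "203.0.113.10", 500, "198.51.100.1", 5000)


if __name__ == "__main__":
    print(demo())  # (True, False): the initiator is behind a NAT, the responder is not
```

Because the hash binds the IKE cookies, a replayed NAT-D payload from another negotiation does not match; a NAT that rewrites only the source port (problem 3 above) is detected the same way as one that rewrites the address.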

ENCAPSULATION
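Once NAT-T is in use, three kinds of datagram share UDP port 4500: UDP-encapsulated ESP (the UDP payload starts directly with the ESP header, whose first word is a non-zero SPI), IKE messages prefixed with the four-zero-byte Non-ESP marker mentioned on the IKE slide, and the one-byte keep-alive. The following is an added example, not code from the slides, showing the encapsulation and the receiver-side demultiplexing as laid out in RFC 3948; the packet contents are constructed.

```python
# Added example (not from the slides): building and demultiplexing the three kinds
# of datagram that share UDP port 4500 under NAT-T (RFC 3948): UDP-encapsulated
# ESP, IKE behind a 4-byte Non-ESP marker, and a one-byte NAT keep-alive.
# Packet contents below are constructed.
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE messages on port 4500 start with four zero bytes
NAT_KEEPALIVE = b"\xff"               # one-byte datagram that refreshes the NAT mapping
ESP_HEADER_LEN = 8                    # SPI (4 bytes) + sequence number (4 bytes)


def udp_encap_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """ESP header followed by the (already encrypted) ESP body, as carried in UDP."""
    if spi == 0:
        # SPI 0 is reserved: a zero first word is what marks a datagram as non-ESP.
        raise ValueError("SPI 0 is reserved and would collide with the Non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_body


def udp_encap_ike(ike_message: bytes) -> bytes:
    """IKE message prefixed with the Non-ESP marker so the receiver can tell it from ESP."""
    return NON_ESP_MARKER + ike_message


def demux_port_4500(payload: bytes):
    """Classify a UDP/4500 payload: ('keepalive', b''), ('ike', msg) or ('esp', (spi, seq, body))."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", b"")
    if len(payload) < ESP_HEADER_LEN:
        raise ValueError("datagram too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return ("esp", (spi, seq, payload[ESP_HEADER_LEN:]))


def demo():
    # Constructed datagrams; the ESP body stands in for ciphertext plus ICV, and the
    # 28 bytes after the marker stand in for an IKE header (cookies, flags, length).
    esp = udp_encap_esp(spi=0x1A2B3C4D, seq=7, esp_body=b"\xde\xad\xbe\xef" * 4)
    ike = udp_encap_ike(b"\x00" * 8 + b"\xff" * 8 + b"\x21\x20\x22\x08" + b"\x00" * 8)
    return [demux_port_4500(p)[0] for p in (esp, ike, NAT_KEEPALIVE)]


if __name__ == "__main__":
    print(demo())  # ['esp', 'ike', 'keepalive']
```

The keep-alive is what addresses problem 5 (NAT timeout of the UDP port mapping): the peer behind the NAT sends it periodically so the mapping for port 4500 stays alive even when no ESP traffic flows.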

NAT-T SOLUTIONS
1) The receiving peer gets all the information required to verify the upper-layer checksum (IKE payload: NAT-OA).
2) The receiving peer has the original IP address, so it can verify the contents of the Identification IKE payload during quick mode negotiation.
3) IPsec peers can accept IKE messages from a source port other than 500 -> IKE UDP port 4500 is used.
4) The NAT router uses the UDP ports for multiplexing the IPsec data streams.
5) NAT-T introduces keep-alive messages.
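Solution 1 deserves a concrete illustration. In ESP transport mode the TCP segment, including its checksum, is encrypted, and that checksum was computed over a pseudo-header containing the sender's original addresses. A NAT rewrites only the outer IP header, so after decryption the receiver's own checksum computation, done with the NAT-rewritten address, fails. With the original address from the NAT-OA payload the receiver can verify the checksum the sender actually wrote. The following is an added example, not code from the slides; the addresses and the TCP payload are constructed.

```python
# Added example (not from the slides): why a NAT breaks the inner TCP checksum of
# ESP transport mode, and how the receiver verifies it with the original address
# from the NAT-OA payload (solution 1 above). Addresses and payload are constructed.
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry, as used by TCP/IP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the segment (checksum field zeroed)."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))  # zero, protocol 6 = TCP, TCP length
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_tcp_segment(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Minimal TCP segment (PSH|ACK, no options) with a correct checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def verify_tcp_checksum(src_ip, dst_ip, segment: bytes) -> bool:
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(src_ip, dst_ip, zeroed) == stored


def receiver_verify(outer_src, outer_dst, segment, nat_oa_src=None, nat_oa_dst=None) -> bool:
    """Receiver after ESP decryption: NAT-OA, when present, supplies the addresses the
    sender used in its pseudo-header; without it only the (possibly NAT-rewritten)
    outer header addresses are available."""
    return verify_tcp_checksum(nat_oa_src or outer_src, nat_oa_dst or outer_dst, segment)


def demo():
    # Constructed path: client 10.0.0.5 behind a NAT (public 198.51.100.1) -> server 203.0.113.10
    client, server, nat_public = "10.0.0.5", "203.0.113.10", "198.51.100.1"
    segment = build_tcp_segment(client, server, 40000, 443, b"GET / HTTP/1.0\r\n\r\n")
    # The NAT cannot touch the encrypted segment, only the outer source address.
    without_nat_oa = receiver_verify(nat_public, server, segment)
    with_nat_oa = receiver_verify(nat_public, server, segment, nat_oa_src=client)
    return without_nat_oa, with_nat_oa


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The same reasoning applies to the UDP checksum; the difference is that a zero UDP checksum means "not computed" and a receiver may accept it without NAT-OA, which is why TCP is the case that needs the original address.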

NAT-T PROBLEMS
- Tunnel mode conflict: remote peers may negotiate entries that overlap when tunnel mode is used.
- Transport mode conflict: may occur when two peers behind NAT routers communicate with the same server. The server may get confused about which SA belongs to which client.

CONCLUSIONS
- AH is incompatible with NAT; ESP can be used.
- The NAT-T solution uses ESP.
- UDP/TCP; IPv6
- NAT-T is a working solution with some problems.
- PATH: Client -> NAT -> Internet -> Server is the only supported model.
- NAT-T is supported in SP2, disabled by default.

Thank You!