Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula

Problem Definition Mobile IP relies on sending traffic from the home network to the mobile node or foreign agent through IP-in-IP tunnelling. IP nodes which communicate from behind a NAT are reachable only through the NAT's public address(es). IP-in-IP tunnelling does not generally contain enough information to permit unique translation from the common public address(es) to the particular care-of address of a mobile node or foreign agent which resides behind the NAT; in particular there are no TCP/UDP port numbers available for a NAT to work with.

Problem Illustrated

Solutions The draft by H. Levkowetz (ipUnplugged), S. Vaarala (Netseal) released in April,2002, presents extensions to the Mobile IP protocol and a tunnelling method which permits mobile nodes using Mobile IP to operate in private address networks, which are separated from the public internet by NAT devices. Assumptions:The primary assumption in this document is that the network allows communication between an UDP port chosen by the mobile node and the home agent UDP port 434

Co-located care of address The mobile users connect to the Home Agent at the office to access the corresponding node (CN) in the home network. The mobile node will request a temporary care-of address belonging to the local router R from a DHCP server in the visited network. The Home Agent will discover that a NAPT traversal has occurred by comparing the source IP address and the care-of address The Mobile IP tunnel is then modified to include a UDP header, in order to facilitate traversal of the NAPT with payload datagrams between the mobile node and the correspondent node ( ). The source IP address in the header of the registration request as received by the Home Agent, i.e , will be used as source IP address for the outer IP header in the Mobile IP tunnel seen from the Home Agent instead of the care-of address, i.e

Mobile IP Registration The mobile node (or to be more correct the mobile node virtual interface adapter MN-VIA) sends a Mobile IP registration request towards the Home Agent. The registration request is sent with the UDP destination port equal to 434 and the UDP source port set to any chosen port number. In order to distinguish between datagrams sent from different nodes in the visited network, the NAPT will also keep a state table with the care-of address and the UDP source port number on the inside and a newly allocated UDP source port number on the outside of the firewall. The latter UDP source port number is selected so that it is unique among the sessions traversing the NAPT at any point in time.

Registration (continued) The Home Agent will discover the discrepancy between source IP address and care-of address inside the registration request message. In order to protect against spoofing, the Home Agent will verify the authenticator as well as the time stamp of the registration reply. If acceptable, the Home Agent will select a UDP port number to be used for the Mobile IP data path and communicate it to the mobile node as part of the registration reply message.

Registration Procedure

Mobile IP Payload Transfer There are two main differences in the way payload transfer is performed when a NAPT is present: 1. First of all the payload datagrams to be sent through the Mobile IP tunnel are required to have a UDP header in between the two IP headers. 2. The second item is that the Home Agent is applying the source IP header of the registration request, i.e. the IP address of the NAPT , as the destination IP address also for datagrams destined for the mobile node.

MIP Traffic Flow

IPSec NAT Transparency The IPSec NAT Transparency feature introduces support for IPSec traffic to travel through NAT or PAT points in the network by encapsulating IPSec packets in a User Datagram Protocol (UDP) wrapper, which allows the packets to travel across NAT devices. IKE Phase 1 Negotiation: NAT Detection IKE Phase 2 Negotiation: NAT Traversal Decision UDP Encapsulation of IPSec Packets for NAT Traversal UDP Encapsulation of IPSec Packets for NAT Traversal

IKE Phase 1 Negotiation: NAT Detection During Internet Key Exchange (IKE) phase 1 negotiation, two types of NAT detection occur before IKE Quick Mode begins— NAT support and NAT existence along the network path. To detect NAT support, you should exchange the vendor identification (ID) string with the remote peer. Detecting whether NAT exists along the network path allows you to find any NAT device between two peers and the exact location of NAT. To detect whether a NAT device exists along the network path, the peers should send a payload with hashes of the IP address and port of both the source and destination address from each end.

IKE Phase 2 Negotiation: NAT Traversal Decision IKE phase 2 decides whether or not the peers at both ends will use NAT traversal. Quick Mode (QM) security association (SA) payload in QM1 and QM2 is used to for NAT traversal negotiation. Because the NAT device changes the IP address and port number, incompatablities between NAT and IPSec can be created. Thus, exchanging the original source address bypasses any incompatablities.

UDP Encapsulation of IPSec Packets for NAT Traversal In addition to allowing IPSec packets to traverse across NAT devices, UDP encapsulation also addresses many incompatability issues between IPSec and NAT and PAT. Incompatability Between Fixed IKE Destination Ports and PAT—Resolved PAT changes the port address in the new UDP header for translation and leaves the original payload unchanged.

Standard IPSec Tunnel Through a NAT/PAT Point (No UDP Encapsulation)

IPSec Packet with UDP Encapsulation

Conclusions The ordinary Mobile IP security mechanisms are also used with the NAT traversal mechanism described in this document. Relying on unauthenticated address information when forming or updating a mobility binding leads to several redirection attack vulnerabilities. In providing a mobile node with a mechanism for NAT traversal of Mobile IP traffic, we expand the address space where a mobile node may function and acquire care-of addresses. There are many compatibility issues IPsec ESP and NAT which hav been resolved.

References salWithMobileIP.pdf oc/product/software/ios122/122newft/1 22t/122t13/ftipsnat.htm#wp oc/product/software/ios122/122newft/1 22t/122t13/ftipsnat.htm#wp