Mobile IP Traversal Of NAT Devices


Mobile IP Traversal Of NAT Devices
By Vivek Nemarugommula
Problem Definition


Mobile IP relies on sending traffic from the home network to the
mobile node or foreign agent through IP-in-IP tunnelling. IP
nodes which communicate from behind a NAT are reachable only
through the NAT's public address(es).
IP-in-IP tunnelling does not generally contain enough information
to permit unique translation from the common public address(es)
to the particular care-of address of a mobile node or foreign
agent which resides behind the NAT; in particular there are no
TCP/UDP port numbers available for a NAT to work with.
Problem Illustrated
Solutions


The draft by H. Levkowetz (ipUnplugged) and S. Vaarala (Netseal),
released in April 2002, presents extensions to the Mobile IP
protocol and a tunnelling method which permit mobile nodes
using Mobile IP to operate in private address networks that
are separated from the public Internet by NAT devices.
Assumptions: The primary assumption in this document is that
the network allows communication between a UDP port chosen
by the mobile node and the home agent's UDP port 434.
Co-located care of address





The mobile users connect to the Home Agent at the office to
access the correspondent node (CN) in the home network.
The mobile node will request a temporary care-of address
belonging to the local router R from a DHCP server in the
visited network.
The Home Agent will discover that a NAPT traversal has
occurred by comparing the source IP address 204.68.9.2 and
the care-of address 10.0.0.2.
The Mobile IP tunnel is then modified to include a UDP header,
in order to facilitate traversal of the NAPT with payload
datagrams between the mobile node and the correspondent
node (19.0.4.1).
The source IP address in the header of the registration request
as received by the Home Agent, i.e. 204.68.9.2, will be used as
source IP address for the outer IP header in the Mobile IP
tunnel seen from the Home Agent instead of the care-of
address, i.e. 10.0.0.2
Mobile IP Registration




The mobile node (or to be more correct the mobile node virtual
interface adapter MN-VIA) sends a Mobile IP registration
request towards the Home Agent.
The registration request is sent with the UDP destination port
equal to 434 and the UDP source port set to any chosen port
number.
In order to distinguish between datagrams sent from different
nodes in the visited network, the NAPT will also keep a state
table with the care-of address and the UDP source port number
on the inside and a newly allocated UDP source port number on
the outside of the firewall.
The latter UDP source port number is selected so that it is
unique among the sessions traversing the NAPT at any point in
time.
Registration (continued)



The Home Agent will discover the discrepancy between source
IP address 204.68.9.2 and care-of address 10.0.0.2 inside the
registration request message.
In order to protect against spoofing, the Home Agent will verify
the authenticator as well as the time stamp of the registration
reply.
If acceptable, the Home Agent will select a UDP port number to
be used for the Mobile IP data path and communicate it to the
mobile node as part of the registration reply message.
Registration Procedure
Mobile IP Payload Transfer

There are two main differences in the way payload transfer is
performed when a NAPT is present:
1. The payload datagrams to be sent through the Mobile IP tunnel
are required to have a UDP header in between the two IP headers.
2. The Home Agent applies the source IP address of the
registration request, i.e. the IP address of the NAPT 204.68.9.2,
as the destination IP address also for datagrams destined for
the mobile node.
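The Home Agent's NAPT detection from the registration slides and the UDP-encapsulated payload layout from the payload transfer slide, worked through together as an added example that is not part of the original slides or of the Levkowetz/Vaarala draft: it parses the RFC 3344 registration request, compares the outer source address with the care-of address, picks the tunnel destination, and builds the outer IP | UDP | inner IP datagram. The 4-byte MIP tunnel data header (type 4, next header 4) is taken from RFC 3519 as I read it and is an assumption; the home address, HA address and UDP ports are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address

MIP_REG_REQUEST = 1   # RFC 3344 registration request message type
MIP_TUNNEL_DATA = 4   # RFC 3519 MIP Tunnel Data message type (assumed value)
IPPROTO_IPIP = 4      # Next Header: plain IP-in-IP inside the UDP tunnel

def parse_registration_request(payload: bytes) -> dict:
    """Parse the 24-byte fixed part of a Mobile IP registration request (RFC 3344)."""
    if len(payload) < 24 or payload[0] != MIP_REG_REQUEST:
        raise ValueError("not a Mobile IP registration request")
    _, flags, lifetime, home, ha, coa, ident = struct.unpack("!BBH4s4s4sQ", payload[:24])
    return {"flags": flags, "lifetime": lifetime, "home_address": IPv4Address(home),
            "home_agent": IPv4Address(ha), "care_of_address": IPv4Address(coa),
            "identification": ident, "extensions": payload[24:]}

def nat_traversal_needed(outer_src_ip: str, request: dict) -> bool:
    """HA-side check: a NAPT is in the path when the outer source IP differs from the care-of address."""
    return IPv4Address(outer_src_ip) != request["care_of_address"]

def tunnel_destination(outer_src_ip: str, outer_src_port: int, request: dict):
    """HA tunnels to the NAPT's public address and port when translation was detected."""
    if nat_traversal_needed(outer_src_ip, request):
        return outer_src_ip, outer_src_port
    return str(request["care_of_address"]), None

def ipv4_checksum(header: bytes) -> int:
    """Standard ones' complement checksum over an IPv4 header (even length)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_udp_tunnel_datagram(src_ip, dst_ip, src_port, dst_port, inner_packet: bytes) -> bytes:
    """Outer IPv4 | UDP | MIP tunnel data header | inner IP packet: a UDP header between the two IP headers."""
    tunnel_hdr = struct.pack("!BBH", MIP_TUNNEL_DATA, IPPROTO_IPIP, 0)
    udp_len = 8 + len(tunnel_hdr) + len(inner_packet)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)  # UDP checksum optional on IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)  # 17 = UDP
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + tunnel_hdr + inner_packet

# Constructed sample: care-of address 10.0.0.2 registering through the NAPT at 204.68.9.2
# (addresses from the slides); home address and HA address are placeholders.
SAMPLE_REQUEST = struct.pack("!BBH4s4s4sQ", MIP_REG_REQUEST, 0, 1800,
                             IPv4Address("192.0.2.10").packed, IPv4Address("192.0.2.1").packed,
                             IPv4Address("10.0.0.2").packed, 0x0123456789ABCDEF)
```

The address comparison alone is not a security check; as the slides note, the Home Agent still verifies the authenticator and timestamp before acting on the request, since an unauthenticated address discrepancy would otherwise redirect the tunnel.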
MIP Traffic Flow
IPSec NAT Transparency




The IPSec NAT Transparency feature introduces support for
IPSec traffic to travel through NAT or PAT points in the network
by encapsulating IPSec packets in a User Datagram Protocol
(UDP) wrapper, which allows the packets to travel across NAT
devices.
IKE Phase 1 Negotiation: NAT Detection
IKE Phase 2 Negotiation: NAT Traversal Decision
UDP Encapsulation of IPSec Packets for NAT Traversal
IKE Phase 1 Negotiation: NAT
Detection




During Internet Key Exchange (IKE) phase 1 negotiation, two
types of NAT detection occur before IKE Quick Mode begins—
NAT support and NAT existence along the network path.
To detect NAT support, you should exchange the vendor
identification (ID) string with the remote peer.
Detecting whether NAT exists along the network path allows
you to find any NAT device between two peers and the exact
location of NAT.
To detect whether a NAT device exists along the network path,
the peers should send a payload with hashes of the IP address
and port of both the source and destination address from each
end.
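The NAT-D exchange described above, as an added Python example that is not code from the slides or from the Cisco feature: following RFC 3947, each peer hashes the IKE cookies together with an IP address and port, and the receiver recomputes the hashes over the addresses it actually observed on the wire, so any mismatch reveals a NAT on that side of the path. SHA-1 as the negotiated Phase 1 hash, the cookie values and the responder address 192.0.2.1 are assumptions; 10.0.0.2 and 204.68.9.2 are reused from the slides.

```python
import hashlib
import struct
from ipaddress import IPv4Address

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), all in network byte order.
    The hash is the one negotiated in the Phase 1 SA; SHA-1 is assumed here."""
    h = hashlib.new(algo)
    h.update(cky_i)
    h.update(cky_r)
    h.update(IPv4Address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()

def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port) -> list:
    """Sender side: the first NAT-D covers the peer's (destination) address, the
    remaining ones cover each of the sender's own (source) addresses."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]

def detect_nat(cky_i, cky_r, received: list, seen_src_ip, seen_src_port, my_ip, my_port) -> dict:
    """Receiver side: recompute the hashes from the addresses actually observed in the
    packet's IP/UDP headers. A mismatch means a NAT rewrote that address on the path."""
    dst_matches = received[0] == nat_d_hash(cky_i, cky_r, my_ip, my_port)
    src_matches = any(h == nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
                      for h in received[1:])
    return {"local_behind_nat": not dst_matches, "remote_behind_nat": not src_matches}

# Constructed sample: initiator with private address 10.0.0.2 behind the NAPT 204.68.9.2
# (addresses from the slides); the responder's public address 192.0.2.1 is a placeholder.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

def run_sample() -> dict:
    """Responder's view of the initiator's NAT-D payloads after NAPT translation."""
    sent = build_nat_d_payloads(CKY_I, CKY_R, "10.0.0.2", 500, "192.0.2.1", 500)
    # The NAPT rewrote the source to 204.68.9.2:12345 before the packet reached the responder.
    return detect_nat(CKY_I, CKY_R, sent, "204.68.9.2", 12345, "192.0.2.1", 500)
```

A positive result on either side is what later drives the Phase 2 decision to use UDP encapsulation; because the hashes include the cookies of this exchange, an observer cannot reuse them across negotiations.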
IKE Phase 2 Negotiation: NAT
Traversal Decision


IKE phase 2 decides whether or not the peers at both ends will
use NAT traversal. The Quick Mode (QM) security association (SA)
payload in QM1 and QM2 is used for NAT traversal
negotiation.
Because the NAT device changes the IP address and port
number, incompatibilities between NAT and IPSec can be
created. Thus, exchanging the original source address bypasses
these incompatibilities.
UDP Encapsulation of IPSec
Packets for NAT Traversal


In addition to allowing IPSec packets to traverse NAT
devices, UDP encapsulation also addresses many incompatibility
issues between IPSec and NAT and PAT.
Incompatibility Between Fixed IKE Destination Ports
and PAT—Resolved
PAT changes the port number in the new UDP header for
translation and leaves the original payload unchanged.
Standard IPSec Tunnel Through a
NAT/PAT Point (No UDP Encapsulation)
IPSec Packet with UDP Encapsulation
Conclusions




The ordinary Mobile IP security mechanisms are also used with
the NAT traversal mechanism described in this document.
Relying on unauthenticated address information when forming
or updating a mobility binding leads to several redirection attack
vulnerabilities.
In providing a mobile node with a mechanism for NAT traversal
of Mobile IP traffic, we expand the address space where a
mobile node may function and acquire care-of addresses.
Many compatibility issues between IPsec ESP and NAT have
been resolved.
References



www.ipunplugged.com/pdf/NAPTTraversalWithMobileIP.pdf
http://rfc3519.x42.com/
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm#wp1027129