1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
|
<pre>Network Working Group T. Kivinen
Request for Comments: 3947 SafeNet
Category: Standards Track B. Swander
Microsoft
A. Huttunen
F-Secure Corporation
V. Volpe
Cisco Systems
January 2005
<span class="h1">Negotiation of NAT-Traversal in the IKE</span>
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes how to detect one or more network address
translation devices (NATs) between IPsec hosts, and how to negotiate
the use of UDP encapsulation of IPsec packets through NAT boxes in
Internet Key Exchange (IKE).
<span class="grey">Kivinen, et al. Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
Table of Contents
<a href="#section-1">1</a>. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-2">2</a>
<a href="#section-2">2</a>. Specification of Requirements . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-3">3</a>. Phase 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-3.1">3.1</a>. Detecting Support of NAT-Traversal. . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3.2">3.2</a>. Detecting the Presence of NAT . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-4">4</a>. Changing to New Ports . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-5">5</a>. Quick Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-5.1">5.1</a>. Negotiation of the NAT-Traversal Encapsulation. . . . . . <a href="#page-9">9</a>
<a href="#section-5.2">5.2</a>. Sending the Original Source and Destination Addresses . . <a href="#page-9">9</a>
<a href="#section-6">6</a>. Initial Contact Notifications. . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-7">7</a>. Recovering from the Expiring NAT Mappings. . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-8">8</a>. Security Considerations. . . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-9">9</a>. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-10">10</a>. IAB Considerations . . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-11">11</a>. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-12">12</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-12.1">12.1</a>. Normative References . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-12.2">12.2</a>. Informative References . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . <a href="#page-16">16</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This document is split into two parts. The first describes what is
needed in IKE Phase 1 for NAT-Traversal support. This includes
detecting whether the other end supports NAT-Traversal, and detecting
whether there is one or more NATs between the peers.
The second part describes how to negotiate the use of UDP
encapsulated IPsec packets in IKE's Quick Mode. It also describes
how to transmit the original source and destination addresses to the
peer, if required. These addresses are used in transport mode to
update the TCP/IP checksums incrementally so that they will match
after the NAT transform. (The NAT cannot do this, because the TCP/IP
checksum is inside the UDP encapsulated IPsec packet.)
The document [<a href="./rfc3948" title=""UDP Encapsulation of IPsec Packets"">RFC3948</a>] describes the details of UDP encapsulation,
and [<a href="./rfc3715" title=""IPsec-Network Address Translation (NAT) Compatibility Requirements"">RFC3715</a>] provides background information and motivation of NAT-
Traversal in general. In combination with [<a href="./rfc3948" title=""UDP Encapsulation of IPsec Packets"">RFC3948</a>], this document
represents an "unconditionally compliant" solution to the
requirements as defined by [<a href="./rfc3715" title=""IPsec-Network Address Translation (NAT) Compatibility Requirements"">RFC3715</a>].
In the basic scenario for this document, the initiator is behind
NA(P)T, and the responder has a fixed static IP address.
<span class="grey">Kivinen, et al. Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
This document defines a protocol that will work even if both ends are
behind NAT, but the process of how to locate the other end is out of
the scope of this document. In one scenario, the responder is behind
a static host NAT (only one responder per IP, as there is no way to
use any destination ports other than 500/4500). That is, it is known
by the configuration.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Specification of Requirements</span>
This document shall use the keywords "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED, "MAY",
and "OPTIONAL" to describe requirements. They are to be interpreted
as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Phase 1</span>
The detection of support for NAT-Traversal and detection of NAT along
the path between the two IKE peers occurs in IKE [<a href="./rfc2409" title=""The Internet Key Exchange (IKE)"">RFC2409</a>] Phase 1.
The NAT may change the IKE UDP source port, and recipients MUST be
able to process IKE packets whose source port is different from 500.
The NAT does not have to change the source port if:
o only one IPsec host is behind the NAT, or
o for the first IPsec host, the NAT can keep the port 500, and the
NAT will only change the port number for later connections.
Recipients MUST reply back to the source address from the packet (see
<a href="./rfc3715#section-2.1">[RFC3715], section 2.1</a>, case d). This means that when the original
responder is doing rekeying or sending notifications to the original
initiator, it MUST send the packets using the same set of port and IP
numbers used when the IKE SA was last used.
For example, when the initiator sends a packet with source and
destination port 500, the NAT may change it to a packet with source
port 12312 and destination port 500. The responder must be able to
process the packet whose source port is 12312. It must reply back
with a packet whose source port is 500 and destination port is 12312.
The NAT will then translate this packet to source port 500 and
destination port 500.
<span class="grey">Kivinen, et al. Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Detecting Support of NAT-Traversal</span>
The NAT-Traversal capability of the remote host is determined by an
exchange of vendor ID payloads. In the first two messages of Phase
1, the vendor id payload for this specification MUST be sent if
supported (and it MUST be received by both sides) for the NAT-
Traversal probe to continue. The content of the payload is the MD5
hash of
<a href="./rfc3947">RFC 3947</a>
The exact content in hex for the payload is
4a131c81070358455c5728f20e95452f
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Detecting the Presence of NAT</span>
The NAT-D payload not only detects the presence of NAT between the
two IKE peers, but also detects where the NAT is. The location of
the NAT device is important, as the keepalives have to initiate from
the peer "behind" the NAT.
To detect NAT between the two hosts, we have to detect whether the IP
address or the port changes along the path. This is done by sending
the hashes of the IP addresses and ports of both IKE peers from each
end to the other. If both ends calculate those hashes and get same
result, they know there is no NAT between. If the hashes do not
match, somebody has translated the address or port. This means that
we have to do NAT-Traversal to get IPsec packets through.
If the sender of the packet does not know his own IP address (in case
of multiple interfaces, and the implementation does not know which IP
address is used to route the packet out), the sender can include
multiple local hashes to the packet (as separate NAT-D payloads). In
this case, NAT is detected if and only if none of the hashes match.
The hashes are sent as a series of NAT-D (NAT discovery) payloads.
Each payload contains one hash, so in case of multiple hashes,
multiple NAT-D payloads are sent. In the normal case there are only
two NAT-D payloads.
The NAT-D payloads are included in the third and fourth packets of
Main Mode, and in the second and third packets in the Aggressive
Mode.
<span class="grey">Kivinen, et al. Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
The format of the NAT-D packet is
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload length |
+---------------+---------------+---------------+---------------+
~ HASH of the address and port ~
+---------------+---------------+---------------+---------------+
The payload type for the NAT discovery payload is 20.
The HASH is calculated as follows:
HASH = HASH(CKY-I | CKY-R | IP | Port)
This uses the negotiated HASH algorithm. All data inside the HASH is
in the network byte-order. The IP is 4 octets for an IPv4 address
and 16 octets for an IPv6 address. The port number is encoded as a 2
octet number in network byte-order. The first NAT-D payload contains
the remote end's IP address and port (i.e., the destination address
of the UDP packet). The remaining NAT-D payloads contain possible
local-end IP addresses and ports (i.e., all possible source addresses
of the UDP packet).
If there is no NAT between the peers, the first NAT-D payload
received should match one of the local NAT-D payloads (i.e., the
local NAT-D payloads this host is sending out), and one of the other
NAT-D payloads must match the remote end's IP address and port. If
the first check fails (i.e., first NAT-D payload does not match any
of the local IP addresses and ports), it means that there is dynamic
NAT between the peers, and this end should start sending keepalives
as defined in the [<a href="./rfc3948" title=""UDP Encapsulation of IPsec Packets"">RFC3948</a>] (this end is behind the NAT).
The CKY-I and CKY-R are the initiator and responder cookies. They
are added to the hash to make precomputation attacks for the IP
address and port impossible.
The following example is of a Phase 1 exchange using NAT-Traversal in
Main Mode (authentication with signatures):
Initiator Responder
------------ ------------
HDR, SA, VID -->
<-- HDR, SA, VID
HDR, KE, Ni, NAT-D, NAT-D -->
<-- HDR, KE, Nr, NAT-D, NAT-D
HDR*#, IDii, [CERT, ] SIG_I -->
<-- HDR*#, IDir, [CERT, ], SIG_R
<span class="grey">Kivinen, et al. Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
The following example is of Phase 1 exchange using NAT-Traversal in
Aggressive Mode (authentication with signatures):
Initiator Responder
------------ ------------
HDR, SA, KE, Ni, IDii, VID -->
<-- HDR, SA, KE, Nr, IDir,
[CERT, ], VID, NAT-D,
NAT-D, SIG_R
HDR*#, [CERT, ], NAT-D, NAT-D,
SIG_I -->
The # sign indicates that those packets are sent to the changed port
if NAT is detected.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Changing to New Ports</span>
IPsec-aware NATs can cause problems (See <a href="./rfc3715#section-2.3">[RFC3715], section 2.3</a>).
Some NATs will not change IKE source port 500 even if there are
multiple clients behind the NAT (See <a href="./rfc3715#section-2.3">[RFC3715], section 2.3</a>, case n).
They can also use IKE cookies to demultiplex traffic instead of using
the source port (See <a href="./rfc3715#section-2.3">[RFC3715], section 2.3</a>, case m). Both of these
are problematic for generic NAT transparency, as it is difficult for
IKE to discover the capabilities of the NAT. The best approach is
simply to move the IKE traffic off port 500 as soon as possible to
avoid any IPsec-aware NAT special casing.
Take the common case of the initiator behind the NAT. The initiator
must quickly change to port 4500 once the NAT has been detected to
minimize the window of IPsec-aware NAT problems.
In Main Mode, the initiator MUST change ports when sending the ID
payload if there is NAT between the hosts. The initiator MUST set
both UDP source and destination ports to 4500. All subsequent
packets sent to this peer (including informational notifications)
MUST be sent on port 4500. In addition, the IKE data MUST be
prepended with a non-ESP marker allowing for demultiplexing of
traffic, as defined in [<a href="./rfc3948" title=""UDP Encapsulation of IPsec Packets"">RFC3948</a>].
Thus, the IKE packet now looks like this:
IP UDP(4500,4500) <non-ESP marker> HDR*, IDii, [CERT, ] SIG_I
This assumes authentication using signatures. The 4 bytes of non-ESP
marker are defined in the [<a href="./rfc3948" title=""UDP Encapsulation of IPsec Packets"">RFC3948</a>].
<span class="grey">Kivinen, et al. Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
When the responder gets this packet, the usual decryption and
processing of the various payloads is performed. If these are
successful, the responder MUST update local state so that all
subsequent packets (including informational notifications) to the
peer use the new port, and possibly the new IP address obtained from
the incoming valid packet. The port will generally be different, as
the NAT will map UDP(500,500) to UDP(X,500), and UDP(4500,4500) to
UDP(Y,4500). The IP address will seldom be different from the pre-
changed IP address. The responder MUST respond with all subsequent
IKE packets to this peer by using UDP(4500,Y).
Similarly, if the responder has to rekey the Phase 1 SA, then the
rekey negotiation MUST be started by using UDP(4500,Y). Any
implementation that supports NAT traversal MUST support negotiations
that begin on port 4500. If a negotiation starts on port 4500, then
it doesn't need to change anywhere else in the exchange.
Once port change has occurred, if a packet is received on port 500,
that packet is old. If the packet is an informational packet, it MAY
be processed if local policy allows this. If the packet is a Main
Mode or an Aggressive Mode packet (with the same cookies as previous
packets), it SHOULD be discarded. If the packet is a new Main Mode
or Aggressive exchange, then it is processed normally (the other end
might have rebooted, and this is starting new exchange).
Here is an example of a Phase 1 exchange using NAT-Traversal in Main
Mode (authentication with signatures) with changing port:
Initiator Responder
------------ ------------
UDP(500,500) HDR, SA, VID -->
<-- UDP(500,X) HDR, SA, VID
UDP(500,500) HDR, KE, Ni,
NAT-D, NAT-D -->
<-- UDP(500,X) HDR, KE, Nr,
NAT-D, NAT-D
UDP(4500,4500) HDR*#, IDii,
[CERT, ]SIG_I -->
<-- UDP(4500,Y) HDR*#, IDir,
[ CERT, ], SIG_R
The procedure for Aggressive Mode is very similar. After the NAT has
been detected, the initiator sends IP UDP(4500,4500) <4 bytes of
non-ESP marker> HDR*, [CERT, ], NAT-D, NAT-D, and SIG_I. The
responder does similar processing to the above, and if successful,
MUST update it's internal IKE ports. The responder MUST respond with
all subsequent IKE packets to this peer by using UDP(4500,Y).
<span class="grey">Kivinen, et al. Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
Initiator Responder
------------ ------------
UDP(500,500) HDR, SA, KE,
Ni, IDii, VID -->
<-- UDP(500,X) HDR, SA, KE,
Nr, IDir, [CERT, ],
VID, NAT-D, NAT-D,
SIG_R
UDP(4500,4500) HDR*#, [CERT, ],
NAT-D, NAT-D,
SIG_I -->
<-- UDP(4500, Y) HDR*#, ...
If the support of the NAT-Traversal is enabled, the port in the ID
payload in Main Mode/Aggressive Mode MUST be set to 0.
The most common case for the responder behind the NAT is if the NAT
is simply doing 1:1 address translation. In this case, the initiator
still changes both ports to 4500. The responder uses an algorithm
identical to that above, although in this case Y will equal 4500, as
no port translation is happening.
A different port change case involves out-of-band discovery of the
ports to use. Those discovery methods are out of the scope of this
document. For instance, if the responder is behind a port
translating NAT, and the initiator needs to contact it first, then
the initiator will have to determine which ports to use, usually by
contacting some other server. Once the initiator knows which ports
to use to traverse the NAT, generally something like UDP(Z,4500), it
initiates using these ports. This is similar to the responder rekey
case above in that the ports to use are already known up front, and
no additional change has to take place. Also, the first keepalive
timer starts after the change to the new port, and no keepalives are
sent to the port 500.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Quick Mode</span>
After Phase 1, both ends know whether there is a NAT present between
them. The final decision of using NAT-Traversal is left to Quick
Mode. The use of NAT-Traversal is negotiated inside the SA payloads
of Quick Mode. In Quick Mode, both ends can also send the original
addresses of the IPsec packets (in case of the transport mode) to the
other end so that each can fix the TCP/IP checksum field after the
NAT transformation.
<span class="grey">Kivinen, et al. Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Negotiation of the NAT-Traversal Encapsulation</span>
The negotiation of the NAT-Traversal happens by adding two new
encapsulation modes. These encapsulation modes are
UDP-Encapsulated-Tunnel 3
UDP-Encapsulated-Transport 4
It is not normally useful to propose both normal tunnel or transport
mode and UDP-Encapsulated modes. UDP encapsulation is required to
fix the inability to handle non-UDP/TCP traffic by NATs (see
<a href="./rfc3715#section-2.2">[RFC3715], section 2.2</a>, case i).
If there is a NAT box between hosts, normal tunnel or transport
encapsulations may not work. In this case, UDP-Encapsulation SHOULD
be used.
If there is no NAT box between, there is no point in wasting
bandwidth by adding UDP encapsulation of packets. Thus, UDP-
Encapsulation SHOULD NOT be used.
Also, the initiator SHOULD NOT include both normal tunnel or
transport mode and UDP-Encapsulated-Tunnel or UDP-Encapsulated-
Transport in its proposals.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Sending the Original Source and Destination Addresses</span>
To perform incremental TCP checksum updates, both peers may need to
know the original IP addresses used by their peers when those peers
constructed the packet (see <a href="./rfc3715#section-2.1">[RFC3715], section 2.1</a>, case b). For the
initiator, the original Initiator address is defined to be the
Initiator's IP address. The original Responder address is defined to
be the perceived peer's IP address. For the responder, the original
Initiator address is defined to be the perceived peer's address. The
original Responder address is defined to be the Responder's IP
address.
The original addresses are sent by using NAT-OA (NAT Original
Address) payloads.
The Initiator NAT-OA payload is first. The Responder NAT-OA payload
is second.
Example 1:
Initiator <---------> NAT <---------> Responder
^ ^ ^
Iaddr NatPub Raddr
<span class="grey">Kivinen, et al. Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
The initiator is behind a NAT talking to the publicly available
responder. Initiator and Responder have the IP addresses Iaddr and
Raddr. NAT has public IP address NatPub.
Initiator:
NAT-OAi = Iaddr
NAT-OAr = Raddr
Responder:
NAT-OAi = NATPub
NAT-OAr = Raddr
Example 2:
Initiator <------> NAT1 <---------> NAT2 <-------> Responder
^ ^ ^ ^
Iaddr Nat1Pub Nat2Pub Raddr
Here, NAT2 "publishes" Nat2Pub for Responder and forwards all traffic
to that address to Responder.
Initiator:
NAT-OAi = Iaddr
NAT-OAr = Nat2Pub
Responder:
NAT-OAi = Nat1Pub
NAT-OAr = Raddr
In the case of transport mode, both ends MUST send both original
Initiator and Responder addresses to the other end. For tunnel mode,
both ends SHOULD NOT send original addresses to the other end.
The NAT-OA payloads are sent inside the first and second packets of
Quick Mode. The initiator MUST send the payloads if it proposes any
UDP-Encapsulated-Transport mode, and the responder MUST send the
payload only if it selected UDP-Encapsulated-Transport mode. It is
possible that the initiator sends the NAT-OA payload but proposes
both UDP-Encapsulated transport and tunnel mode. Then the responder
selects the UDP-Encapsulated tunnel mode and does not send the NAT-OA
payload back.
<span class="grey">Kivinen, et al. Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
The format of the NAT-OA packet is
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload length |
+---------------+---------------+---------------+---------------+
| ID Type | RESERVED | RESERVED |
+---------------+---------------+---------------+---------------+
| IPv4 (4 octets) or IPv6 address (16 octets) |
+---------------+---------------+---------------+---------------+
The payload type for the NAT original address payload is 21.
The ID type is defined in the [<a href="./rfc2407" title=""The Internet IP Security Domain of Interpretation for ISAKMP"">RFC2407</a>]. Only ID_IPV4_ADDR and
ID_IPV6_ADDR types are allowed. The two reserved fields after the ID
Type must be zero.
The following example is of Quick Mode using NAT-OA payloads:
Initiator Responder
------------ ------------
HDR*, HASH(1), SA, Ni, [, KE]
[, IDci, IDcr ]
[, NAT-OAi, NAT-OAr] -->
<-- HDR*, HASH(2), SA, Nr, [, KE]
[, IDci, IDcr ]
[, NAT-OAi, NAT-OAr]
HDR*, HASH(3) -->
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Initial Contact Notifications</span>
The source IP and port address of the INITIAL-CONTACT notification
for the host behind NAT are not meaningful (as NAT can change them),
so the IP and port numbers MUST NOT be used to determine which
IKE/IPsec SAs to remove (see <a href="./rfc3715#section-2.1">[RFC3715], section 2.1</a>, case c). The ID
payload sent from the other end SHOULD be used instead; i.e., when an
INITIAL-CONTACT notification is received from the other end, the
receiving end SHOULD remove all the SAs associated with the same ID
payload.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Recovering from the Expiring NAT Mappings</span>
There are cases where NAT box decides to remove mappings that are
still alive (for example, when the keepalive interval is too long, or
when the NAT box is rebooted). To recover from this, ends that are
NOT behind NAT SHOULD use the last valid UDP encapsulated IKE or
IPsec packet from the other end to determine which IP and port
addresses should be used. The host behind dynamic NAT MUST NOT do
<span class="grey">Kivinen, et al. Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
this, as otherwise it opens a DoS attack possibility because the IP
address or port of the other host will not change (it is not behind
NAT).
Keepalives cannot be used for these purposes, as they are not
authenticated, but any IKE authenticated IKE packet or ESP packet can
be used to detect whether the IP address or the port has changed.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Security Considerations</span>
Whenever changes to some fundamental parts of a security protocol are
proposed, the examination of security implications cannot be skipped.
Therefore, here are some observations about the effects, and about
whether or not these effects matter.
o IKE probes reveal NAT-Traversal support to anyone watching the
traffic. Disclosing that NAT-Traversal is supported does not
introduce new vulnerabilities.
o The value of authentication mechanisms based on IP addresses
disappears once NATs are in the picture. That is not necessarily
a bad thing (for any real security, authentication measures other
than IP addresses should be used). This means that authentication
with pre-shared keys cannot be used in Main Mode without using
group-shared keys for everybody behind the NAT box. Using group
shared keys is a huge risk because it allows anyone in the group
to authenticate to any other party and claim to be anybody in the
group; e.g., a normal user could impersonate a vpn-gateway and act
as a man in the middle, and read/modify all traffic to/from others
in the group. Use of group-shared keys is NOT RECOMMENDED.
o As the internal address space is only 32 bits and is usually very
sparse, it might be possible for the attacker to find out the
internal address used behind the NAT box by trying all possible
IP-addresses to find the matching hash. The port numbers are
normally fixed to 500, and the cookies can be extracted from the
packet. This limits the hash calculations to 2^32. If an
educated guess of the private address space is made, then the
number of hash calculations needed to find out the internal IP
address goes down to 2^24 + 2 * (2^16).
o Neither NAT-D payloads nor Vendor ID payloads are authenticated in
Main Mode nor in Aggressive Mode. This means that attacker can
remove those payloads, modify them, or add them. By removing or
adding them, the attacker can cause Denial of Service attacks. By
modifying the NAT-D packets, the attacker can cause both ends to
use UDP-Encapsulated modes instead of directly using tunnel or
transport mode, thus wasting some bandwidth.
<span class="grey">Kivinen, et al. Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
o Sending the original source address in the Quick Mode reveals the
internal IP address behind the NAT to the other end. In this case
we have already authenticated the other end, and sending the
original source address is only needed in transport mode.
o Updating the IKE SA/ESP UDP encapsulation IP addresses and ports
for each valid authenticated packet can cause DoS if an attacker
can listen to all traffic in the network, change the order of the
packets, and inject new packets before the packet he has already
seen. In other words, the attacker can take an authenticated
packet from the host behind NAT, change the packet UDP source or
destination ports or IP addresses and send it out to the other end
before the real packet reaches it. The host not behind the NAT
will update its IP address and port mapping and send further
traffic to the wrong host or port. This situation is fixed
immediately when the attacker stops modifying the packets, as the
first real packet will fix the situation. Implementations SHOULD
AUDIT the event every time the mapping is changed, as it should
not happen that often.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. IANA Considerations</span>
This document contains two new "magic numbers" allocated from the
existing IANA registry for IPsec and renames existing registered port
4500. This document also defines 2 new payload types for IKE.
The following are new items that have been added in the "Internet
Security Association and Key Management Protocol (ISAKMP)
Identifiers" Encapsulation Mode registry:
Name Value Reference
---- ----- ---------
UDP-Encapsulated-Tunnel 3 [<a href="./rfc3947">RFC3947</a>]
UDP-Encapsulated-Transport 4 [<a href="./rfc3947">RFC3947</a>]
Change in the registered port registry:
Keyword Decimal Description Reference
------- ------- ----------- ---------
ipsec-nat-t 4500/tcp IPsec NAT-Traversal [<a href="./rfc3947">RFC3947</a>]
ipsec-nat-t 4500/udp IPsec NAT-Traversal [<a href="./rfc3947">RFC3947</a>]
<span class="grey">Kivinen, et al. Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
New IKE payload numbers need to be added to the Next Payload Types
registry:
NAT-D 20 NAT Discovery Payload
NAT-OA 21 NAT Original Address Payload
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. IAB Considerations</span>
The UNSAF [<a href="./rfc3424" title=""IAB Considerations for UNilateral Self-Address Fixing (UNSAF) Across Network Address Translation"">RFC3424</a>] questions are addressed by the IPsec-NAT
compatibility requirements document [<a href="./rfc3715" title=""IPsec-Network Address Translation (NAT) Compatibility Requirements"">RFC3715</a>].
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. Acknowledgments</span>
Thanks to Markus Stenberg, Larry DiBurro, and William Dixon, who
contributed actively to this document.
Thanks to Tatu Ylonen, Santeri Paavolainen, and Joern Sierwald, who
contributed to the document used as the base for this document.
<span class="h2"><a class="selflink" id="section-12" href="#section-12">12</a>. References</span>
<span class="h3"><a class="selflink" id="section-12.1" href="#section-12.1">12.1</a>. Normative References</span>
[<a id="ref-RFC2409">RFC2409</a>] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", <a href="./rfc2409">RFC 2409</a>, November 1998.
[<a id="ref-RFC2407">RFC2407</a>] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", <a href="./rfc2407">RFC 2407</a>, November 1998.
[<a id="ref-RFC3948">RFC3948</a>] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
Stenberg, "UDP Encapsulation of IPsec Packets", <a href="./rfc3948">RFC 3948</a>,
January 2005.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
<span class="h3"><a class="selflink" id="section-12.2" href="#section-12.2">12.2</a>. Informative References</span>
[<a id="ref-RFC3715">RFC3715</a>] Aboba, B. and W. Dixon, "IPsec-Network Address Translation
(NAT) Compatibility Requirements", <a href="./rfc3715">RFC 3715</a>, March 2004.
[<a id="ref-RFC3424">RFC3424</a>] Daigle, L. and IAB, "IAB Considerations for UNilateral
Self-Address Fixing (UNSAF) Across Network Address
Translation", <a href="./rfc3424">RFC 3424</a>, November 2002.
<span class="grey">Kivinen, et al. Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
Authors' Addresses
Tero Kivinen
SafeNet, Inc.
Fredrikinkatu 47
FIN-00100 HELSINKI
Finland
EMail: kivinen@safenet-inc.com
Ari Huttunen
F-Secure Corporation
Tammasaarenkatu 7,
FIN-00181 HELSINKI
Finland
EMail: Ari.Huttunen@F-Secure.com
Brian Swander
Microsoft
One Microsoft Way
Redmond, WA 98052
USA
EMail: briansw@microsoft.com
Victor Volpe
Cisco Systems
124 Grove Street
Suite 205
Franklin, MA 02038
USA
EMail: vvolpe@cisco.com
<span class="grey">Kivinen, et al. Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc3947">RFC 3947</a> Negotiation of NAT-Traversal in the IKE January 2005</span>
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the IETF's procedures with respect to rights in IETF Documents can
be found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Kivinen, et al. Standards Track [Page 16]
</pre>
|
