<pre>Network Working Group A. Huttunen
Request for Comments: 3948 F-Secure Corporation
Category: Standards Track B. Swander
Microsoft
V. Volpe
Cisco Systems
L. DiBurro
Nortel Networks
M. Stenberg
January 2005
<span class="h1">UDP Encapsulation of IPsec ESP Packets</span>
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This protocol specification defines methods to encapsulate and
decapsulate IP Encapsulating Security Payload (ESP) packets inside
UDP packets for traversing Network Address Translators. ESP
encapsulation, as defined in this document, can be used in both IPv4
and IPv6 scenarios. Whenever negotiated, encapsulation is used with
Internet Key Exchange (IKE).
<span class="grey">Huttunen, et al. Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc3948">RFC 3948</a> UDP Encapsulation of IPsec ESP Packets January 2005</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-2">2</a>
<a href="#section-2">2</a>. Packet Formats . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-2.1">2.1</a>. UDP-Encapsulated ESP Header Format . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-2.2">2.2</a>. IKE Header Format for Port 4500 . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-2.3">2.3</a>. NAT-Keepalive Packet Format . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3">3</a>. Encapsulation and Decapsulation Procedures . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-3.1">3.1</a>. Auxiliary Procedures . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-3.1.1">3.1.1</a>. Tunnel Mode Decapsulation NAT Procedure . . . . <a href="#page-5">5</a>
<a href="#section-3.1.2">3.1.2</a>. Transport Mode Decapsulation NAT Procedure . . . <a href="#page-5">5</a>
<a href="#section-3.2">3.2</a>. Transport Mode ESP Encapsulation . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-3.3">3.3</a>. Transport Mode ESP Decapsulation . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-3.4">3.4</a>. Tunnel Mode ESP Encapsulation . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-3.5">3.5</a>. Tunnel Mode ESP Decapsulation . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-4">4</a>. NAT Keepalive Procedure . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-5">5</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-5.1">5.1</a>. Tunnel Mode Conflict . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-5.2">5.2</a>. Transport Mode Conflict . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-6">6</a>. IAB Considerations . . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-7">7</a>. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-8">8</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-8.1">8.1</a>. Normative References . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-8.2">8.2</a>. Informative References . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#appendix-A">A</a>. Clarification of Potential NAT Multiple Client Solutions . . . <a href="#page-12">12</a>
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
Full Copyright Statement . . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This protocol specification defines methods to encapsulate and
decapsulate ESP packets inside UDP packets for traversing Network
Address Translators (NATs) (see <a href="./rfc3715#section-2.2">[RFC3715], section 2.2</a>, case i). The
UDP port numbers are the same as those used by IKE traffic, as
defined in [<a href="./rfc3947" title="Negotiation of NAT-Traversal in the IKE">RFC3947</a>].
The sharing of the port numbers for both IKE and UDP encapsulated ESP
traffic was selected because it offers better scaling (only one NAT
mapping in the NAT; no need to send separate IKE keepalives), easier
configuration (only one port to be configured in firewalls), and
easier implementation.
A client's needs should determine whether transport mode or tunnel
mode is to be supported (see <a href="./rfc3715#section-3">[RFC3715], Section 3</a>, "Telecommuter
scenario"). L2TP/IPsec clients MUST support the modes as defined in
[<a href="./rfc3193" title="Securing L2TP using IPsec">RFC3193</a>]. IPsec tunnel mode clients MUST support tunnel mode.
<span id="page-3" ></span>
An IKE implementation supporting this protocol specification MUST NOT
use the ESP SPI field zero for ESP packets. This ensures that IKE
packets and ESP packets can be distinguished from each other.
As defined in this document, UDP encapsulation of ESP packets is
written in terms of IPv4 headers. There is no technical reason why
an IPv6 header could not be used as the outer header and/or as the
inner header.
Because the protection of the outer IP addresses in IPsec AH is
inherently incompatible with NAT, the IPsec AH was left out of the
scope of this protocol specification. This protocol also assumes
that IKE (IKEv1 [<a href="./rfc2401" title="Security Architecture for the Internet Protocol">RFC2401</a>] or IKEv2 [<a href="#ref-IKEv2" title="Internet Key Exchange (IKEv2) Protocol">IKEv2</a>]) is used to negotiate the
IPsec SAs. Manual keying is not supported.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title="Key words for use in RFCs to Indicate Requirement Levels">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Packet Formats</span>
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. UDP-Encapsulated ESP Header Format</span>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Source Port            |      Destination Port         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Length              |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      ESP header [<a href="./rfc2406" title="IP Encapsulating Security Payload (ESP)">RFC2406</a>]                     |
~                                                               ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The UDP header is a standard [<a href="./rfc0768" title="User Datagram Protocol">RFC0768</a>] header, where
o the Source Port and Destination Port MUST be the same as that used
by IKE traffic,
o the IPv4 UDP Checksum SHOULD be transmitted as a zero value, and
o receivers MUST NOT depend on the UDP checksum being a zero value.
The SPI field in the ESP header MUST NOT be a zero value.
<span id="page-4" ></span>
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. IKE Header Format for Port 4500</span>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Source Port            |      Destination Port         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Length              |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Non-ESP Marker                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      IKE header [<a href="./rfc2409" title="The Internet Key Exchange (IKE)">RFC2409</a>]                     |
~                                                               ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The UDP header is a standard [<a href="./rfc0768" title="User Datagram Protocol">RFC0768</a>] header and is used as defined
in [<a href="./rfc3947" title="Negotiation of NAT-Traversal in the IKE">RFC3947</a>]. This document does not set any new requirements for
the checksum handling of an IKE packet.
A Non-ESP Marker is 4 zero-valued bytes aligning with the SPI field
of an ESP packet.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. NAT-Keepalive Packet Format</span>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Source Port            |      Destination Port         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Length              |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    0xFF       |
+-+-+-+-+-+-+-+-+
The UDP header is a standard [<a href="./rfc0768" title="User Datagram Protocol">RFC0768</a>] header, where
o the Source Port and Destination Port MUST be the same as used by
UDP-ESP encapsulation of <a href="#section-2.1">Section 2.1</a>,
o the IPv4 UDP Checksum SHOULD be transmitted as a zero value, and
o receivers MUST NOT depend upon the UDP checksum being a zero
value.
The sender MUST use a one-octet-long payload with the value 0xFF.
The receiver SHOULD ignore a received NAT-keepalive packet.
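The three formats of Sections 2.1 to 2.3 share one UDP port, so a receiver has to tell them apart from the first payload bytes. The following is an added example, not part of the RFC: the function names and sample datagrams are constructed here, and the 8-octet ESP header and 28-octet IKE header minimums come from RFC 2406 and the ISAKMP header layout rather than from this document.

```python
import struct
from dataclasses import dataclass

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # Section 2.2: aligns with the ESP SPI field
NAT_KEEPALIVE = b"\xff"               # Section 2.3: one-octet payload
UDP_HEADER_LEN = 8
ESP_HEADER_LEN = 8    # SPI (4) + sequence number (4), per RFC 2406
IKE_HEADER_LEN = 28   # fixed ISAKMP header carried by IKE


@dataclass
class Classified:
    kind: str          # "esp", "ike", "nat-keepalive" or "malformed"
    spi: int = 0       # only meaningful when kind == "esp"
    body: bytes = b""  # ESP packet, or IKE message with the marker removed


def classify_payload(payload: bytes) -> Classified:
    """Classify the UDP payload of a datagram received on the IKE port."""
    if payload == NAT_KEEPALIVE:
        # The receiver SHOULD ignore it; it is not a liveness signal.
        return Classified("nat-keepalive")
    if len(payload) < 4:
        return Classified("malformed")
    if payload[:4] == NON_ESP_MARKER:
        # Four zero octets where an SPI would be: this is IKE, not ESP.
        body = payload[4:]
        if len(body) < IKE_HEADER_LEN:
            return Classified("malformed")
        return Classified("ike", body=body)
    if len(payload) < ESP_HEADER_LEN:
        return Classified("malformed")
    # SPI is non-zero here, as Section 2.1 requires of ESP packets.
    (spi,) = struct.unpack("!I", payload[:4])
    return Classified("esp", spi=spi, body=payload)


def classify_datagram(datagram: bytes) -> Classified:
    """Parse the RFC 768 header, then classify the payload.

    The checksum field is read but never used to decide anything:
    receivers MUST NOT depend on it being zero.
    """
    if len(datagram) < UDP_HEADER_LEN:
        return Classified("malformed")
    _sport, _dport, length, _checksum = struct.unpack(
        "!HHHH", datagram[:UDP_HEADER_LEN])
    if length != len(datagram):
        return Classified("malformed")
    return classify_payload(datagram[UDP_HEADER_LEN:])


def build_datagram(payload: bytes, sport=4500, dport=4500, checksum=0) -> bytes:
    """Helper for the constructed samples below (checksum sent as zero)."""
    header = struct.pack("!HHHH", sport, dport,
                         UDP_HEADER_LEN + len(payload), checksum)
    return header + payload


# Constructed sample datagrams, not captured traffic.
SAMPLE_ESP = build_datagram(struct.pack("!II", 0xC0FFEE01, 1) + b"\xaa" * 24)
SAMPLE_IKE = build_datagram(NON_ESP_MARKER + b"\x11" * IKE_HEADER_LEN)
SAMPLE_KEEPALIVE = build_datagram(NAT_KEEPALIVE)

if __name__ == "__main__":
    for name, dgram in (("esp", SAMPLE_ESP), ("ike", SAMPLE_IKE),
                        ("keepalive", SAMPLE_KEEPALIVE)):
        print(name, classify_datagram(dgram).kind)
```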
<span id="page-5" ></span>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Encapsulation and Decapsulation Procedures</span>
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Auxiliary Procedures</span>
<span class="h4"><a class="selflink" id="section-3.1.1" href="#section-3.1.1">3.1.1</a>. Tunnel Mode Decapsulation NAT Procedure</span>
When a tunnel mode has been used to transmit packets (see <a href="./rfc3715#section-3">[RFC3715],
section 3</a>, criteria "Mode support" and "Telecommuter scenario"), the
inner IP header can contain addresses that are not suitable for the
current network. This procedure defines how these addresses are to
be converted to suitable addresses for the current network.
Depending on local policy, one of the following MUST be done:
1. If a valid source IP address space has been defined in the policy
for the encapsulated packets from the peer, check that the source
IP address of the inner packet is valid according to the policy.
2. If an address has been assigned for the remote peer, check that
the source IP address used in the inner packet is the assigned IP
address.
3. NAT is performed for the packet, making it suitable for transport
in the local network.
<span class="h4"><a class="selflink" id="section-3.1.2" href="#section-3.1.2">3.1.2</a>. Transport Mode Decapsulation NAT Procedure</span>
When a transport mode has been used to transmit packets, contained
TCP or UDP headers will have incorrect checksums due to the change of
parts of the IP header during transit. This procedure defines how to
fix these checksums (see <a href="./rfc3715#section-2.1">[RFC3715], section 2.1</a>, case b).
Depending on local policy, one of the following MUST be done:
1. If the protocol header after the ESP header is a TCP/UDP header
and the peer's real source and destination IP address have been
received according to [<a href="./rfc3947" title="Negotiation of NAT-Traversal in the IKE">RFC3947</a>], incrementally recompute the
TCP/UDP checksum:
* Subtract the IP source address in the received packet from the
checksum.
* Add the real IP source address received via IKE to the
checksum (obtained from the NAT-OA).
* Subtract the IP destination address in the received packet
from the checksum.
* Add the real IP destination address received via IKE to the
checksum (obtained from the NAT-OA).
Note: If the received and real address are the same for a given
address (e.g., say the source address), the operations cancel and
don't need to be performed.
<span id="page-6" ></span>
2. If the protocol header after the ESP header is a TCP/UDP header,
recompute the checksum field in the TCP/UDP header.
3. If the protocol header after the ESP header is a UDP header, set
the checksum field to zero in the UDP header. If the protocol
after the ESP header is a TCP header, and if there is an option
to flag to the stack that the TCP checksum does not need to be
computed, then that flag MAY be used. This SHOULD only be done
for transport mode, and if the packet is integrity protected.
Tunnel mode TCP checksums MUST be verified. (This is not a
violation of the spirit of <a href="./rfc1122#section-4.2.2.7">section 4.2.2.7 in [RFC1122]</a> because a
checksum is being generated by the sender and verified by the
receiver. That checksum is the integrity over the packet
performed by IPsec.)
In addition, an implementation MAY fix any contained protocols that
have been broken by NAT (see <a href="./rfc3715#section-2.1">[RFC3715], section 2.1</a>, case g).
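Option 1 of Section 3.1.2, worked through as an added example that is not part of the RFC: the function names, addresses and TCP segment are constructed here. The update is written in the RFC 1624 form, which is a choice made for this example, and it also handles the UDP "no checksum" value, which the procedure text does not spell out.

```python
import ipaddress
import struct

TCP, UDP = 6, 17


def fold(total: int) -> int:
    """Reduce a sum to 16 bits with end-around carry (ones' complement)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def words(data: bytes):
    """Split bytes into big-endian 16-bit words, zero-padding an odd tail."""
    if len(data) % 2:
        data += b"\x00"
    return struct.unpack("!%dH" % (len(data) // 2), data)


def addr_words(addr: str):
    return words(ipaddress.IPv4Address(addr).packed)


def full_checksum(src: str, dst: str, proto: int, segment: bytes) -> int:
    """Reference value: checksum from scratch over pseudo-header + segment.

    The caller passes the segment with its checksum field set to zero.
    """
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, proto, len(segment)))
    return ~fold(sum(words(pseudo + segment))) & 0xFFFF


def nat_oa_fixup(checksum: int, proto: int, received, real) -> int:
    """Adjust a TCP/UDP checksum so it verifies against the received header.

    received: (src, dst) taken from the IP header of the received packet.
    real:     (src, dst) the peer used, learned via IKE (NAT-OA).
    On the checksum field this is "subtract received, add real"; on the
    underlying sum (its complement) it is "remove real, add received".
    """
    if proto == UDP and checksum == 0:
        return 0                      # sender transmitted no UDP checksum
    total = ~checksum & 0xFFFF        # back to the ones' complement sum
    for rcv, orig in zip(received, real):
        if rcv == orig:
            continue                  # the operations cancel
        total += sum(~w & 0xFFFF for w in addr_words(orig))
        total += sum(addr_words(rcv))
    result = ~fold(total) & 0xFFFF
    if proto == UDP and result == 0:
        result = 0xFFFF               # zero is reserved for "no checksum"
    return result


# Constructed sample: a client behind a NAT sends a TCP SYN.
REAL = ("10.1.2.3", "192.0.2.10")          # addresses the sender used
RECEIVED = ("198.51.100.7", "192.0.2.10")  # source rewritten by the NAT
SEGMENT = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02,
                      65535, 0, 0) + b"constructed payload"
SENDER_CHECKSUM = full_checksum(REAL[0], REAL[1], TCP, SEGMENT)

if __name__ == "__main__":
    fixed = nat_oa_fixup(SENDER_CHECKSUM, TCP, RECEIVED, REAL)
    expected = full_checksum(RECEIVED[0], RECEIVED[1], TCP, SEGMENT)
    print(hex(SENDER_CHECKSUM), hex(fixed), fixed == expected)
```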
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Transport Mode ESP Encapsulation</span>
      BEFORE APPLYING ESP/UDP
      ----------------------------
IPv4  |orig IP hdr  |     |      |
      |(any options)| TCP | Data |
      ----------------------------
      AFTER APPLYING ESP/UDP
      -------------------------------------------------------
IPv4  |orig IP hdr  | UDP | ESP |     |      |   ESP   | ESP|
      |(any options)| Hdr | Hdr | TCP | Data | Trailer |Auth|
      -------------------------------------------------------
                                |<----- encrypted ---->|
                          |<------ authenticated ----->|
1. Ordinary ESP encapsulation procedure is used.
2. A properly formatted UDP header is inserted where shown.
3. The Total Length, Protocol, and Header Checksum (for IPv4) fields
in the IP header are edited to match the resulting IP packet.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Transport Mode ESP Decapsulation</span>
1. The UDP header is removed from the packet.
2. The Total Length, Protocol, and Header Checksum (for IPv4) fields
in the new IP header are edited to match the resulting IP packet.
3. Ordinary ESP decapsulation procedure is used.
4. Transport mode decapsulation NAT procedure is used.
<span id="page-7" ></span>
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. Tunnel Mode ESP Encapsulation</span>
      BEFORE APPLYING ESP/UDP
      ----------------------------
IPv4  |orig IP hdr  |     |      |
      |(any options)| TCP | Data |
      ----------------------------
      AFTER APPLYING ESP/UDP
      --------------------------------------------------------------
IPv4  |new h.| UDP | ESP |orig IP hdr  |     |      |   ESP   | ESP|
      |(opts)| Hdr | Hdr |(any options)| TCP | Data | Trailer |Auth|
      --------------------------------------------------------------
                         |<------------ encrypted ----------->|
                   |<------------- authenticated ------------>|
1. Ordinary ESP encapsulation procedure is used.
2. A properly formatted UDP header is inserted where shown.
3. The Total Length, Protocol, and Header Checksum (for IPv4) fields
in the new IP header are edited to match the resulting IP packet.
<span class="h3"><a class="selflink" id="section-3.5" href="#section-3.5">3.5</a>. Tunnel Mode ESP Decapsulation</span>
1. The UDP header is removed from the packet.
2. The Total Length, Protocol, and Header Checksum (for IPv4) fields
in the new IP header are edited to match the resulting IP packet.
3. Ordinary ESP decapsulation procedure is used.
4. Tunnel mode decapsulation NAT procedure is used.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. NAT Keepalive Procedure</span>
The sole purpose of sending NAT-keepalive packets is to keep NAT
mappings alive for the duration of a connection between the peers
(see <a href="./rfc3715#section-2.2">[RFC3715], Section 2.2</a>, case j). Reception of NAT-keepalive
packets MUST NOT be used to detect whether a connection is live.
A peer MAY send a NAT-keepalive packet if one or more phase I or
phase II SAs exist between the peers, or if such an SA has existed at
most N minutes earlier. N is a locally configurable parameter with a
default value of 5 minutes.
A peer SHOULD send a NAT-keepalive packet if a need for it is
detected according to [<a href="./rfc3947" title="Negotiation of NAT-Traversal in the IKE">RFC3947</a>] and if no other packet to the peer
has been sent in M seconds. M is a locally configurable parameter
with a default value of 20 seconds.
<span id="page-8" ></span>
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Security Considerations</span>
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Tunnel Mode Conflict</span>
Implementors are warned that it is possible for remote peers to
negotiate entries that overlap in an SGW (security gateway), an issue
affecting tunnel mode (see <a href="./rfc3715#section-2.1">[RFC3715], section 2.1</a>, case e).
+----+            \ /
|    |-------------|----\
+----+            / \    \
Ari's             NAT 1   \
Laptop                     \
10.1.2.3                    \
+----+            \ /        \       +----+          +----+
|    |-------------|----------+------|    |----------|    |
+----+            / \                +----+          +----+
Bob's             NAT 2                SGW           Suzy's
Laptop                                               Server
10.1.2.3
Because SGW will now see two possible SAs that lead to 10.1.2.3, it
can become confused about where to send packets coming from Suzy's
server. Implementors MUST devise ways of preventing this from
occurring.
It is RECOMMENDED that SGW either assign locally unique IP addresses
to Ari's and Bob's laptop (by using a protocol such as DHCP over
IPsec) or use NAT to change Ari's and Bob's laptop source IP
addresses to these locally unique addresses before sending packets
forward to Suzy's server. This covers the "Scaling" criteria of
<a href="./rfc3715#section-3">section 3 in [RFC3715]</a>.
Please see <a href="#appendix-A">Appendix A</a>.
<span id="page-9" ></span>
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Transport Mode Conflict</span>
Another similar issue may occur in transport mode, with 2 clients,
Ari and Bob, behind the same NAT talking securely to the same server
(see <a href="./rfc3715#section-2.1">[RFC3715], Section 2.1</a>, case e).
Cliff wants to talk in the clear to the same server.
+----+
|    |
+----+ \
Ari's   \
Laptop   \
10.1.2.3  \
+----+    \ /                +----+
|    |-----+-----------------|    |
+----+    / \                +----+
Bob's     NAT                Server
Laptop    /
10.1.2.4 /
        /
+----+ /
|    |/
+----+
Cliff's
Laptop
10.1.2.5
Now, transport SAs on the server will look like this:
To Ari: Server to NAT, <traffic desc1>, UDP encap <4500, Y>
To Bob: Server to NAT, <traffic desc2>, UDP encap <4500, Z>
Cliff's traffic is in the clear, so there is no SA.
<traffic desc> is the protocol and port information. The UDP encap
ports are the ports used in UDP-encapsulated ESP format of <a href="#section-2.1">section</a>
<a href="#section-2.1">2.1</a>. Y,Z are the dynamic ports assigned by the NAT during the IKE
negotiation. So IKE traffic from Ari's laptop goes out on UDP
<4500,4500>. It reaches the server as UDP <Y,4500>, where Y is the
dynamically assigned port.
If the <traffic desc1> overlaps <traffic desc2>, then simple filter
lookups may not be sufficient to determine which SA has to be used to
send traffic. Implementations MUST handle this situation, either by
disallowing conflicting connections, or by other means.
<span id="page-10" ></span>
Assume now that Cliff wants to connect to the server in the clear.
This is going to be difficult to configure, as the server already has
a policy (from Server to the NAT's external address) for securing
<traffic desc>. For totally non-overlapping traffic descriptions,
this is possible.
Sample server policy could be as follows:
To Ari: Server to NAT, All UDP, secure
To Bob: Server to NAT, All TCP, secure
To Cliff: Server to NAT, ALL ICMP, clear text
Note that this policy also lets Ari and Bob send cleartext ICMP to
the server.
The server sees all clients behind the NAT as the same IP address, so
setting up different policies for the same traffic descriptor is in
principle impossible.
A problematic example of configuration on the server is as follows:
Server to NAT, TCP, secure (for Ari and Bob)
Server to NAT, TCP, clear (for Cliff)
The server cannot enforce his policy, as it is possible that
misbehaving Bob sends traffic in the clear. This is
indistinguishable from when Cliff sends traffic in the clear. So it
is impossible to guarantee security from some clients behind a NAT,
while allowing clear text from different clients behind the SAME NAT.
If the server's security policy allows this, however, it can do
best-effort security: If the client from behind the NAT initiates
security, his connection will be secured. If he sends in the clear,
the server will still accept that clear text.
For security guarantees, the above problematic scenario MUST NOT be
allowed on servers. For best effort security, this scenario MAY be
used.
Please see <a href="#appendix-A">Appendix A</a>.
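One way to implement the "disallowing conflicting connections" option of Section 5.2, shown as an added example that is not part of the RFC. The class names, result strings and the NAT address 203.0.113.1 are assumptions made here; a traffic description is modelled as an IP protocol number plus an inclusive port range.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None                  # wildcard protocol
ICMP, TCP, UDP = 1, 6, 17   # IP protocol numbers


@dataclass(frozen=True)
class TrafficDesc:
    proto: Optional[int]                  # protocol number, or ANY
    ports: Tuple[int, int] = (0, 65535)   # inclusive port range


@dataclass(frozen=True)
class PolicyEntry:
    client: str        # label for the log only; the server cannot see it
    peer_ip: str       # what the server sees: the NAT's external address
    desc: TrafficDesc
    secure: bool       # True: transport-mode SA, False: clear text


def overlaps(a: TrafficDesc, b: TrafficDesc) -> bool:
    """True if some packet could match both traffic descriptions."""
    if a.proto is not ANY and b.proto is not ANY and a.proto != b.proto:
        return False
    return a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1]


def check_new_entry(installed: List[PolicyEntry],
                    candidate: PolicyEntry) -> Tuple[str, Optional[PolicyEntry]]:
    """Decide whether a new entry toward a peer address can be installed.

    Returns ("accept", None), or a reason plus the conflicting entry:
      "ambiguous-sa"     two secure entries overlap, so a filter lookup
                         cannot pick the SA for outbound traffic
      "mixed-protection" clear and secure entries overlap, so the server
                         cannot tell a misbehaving secure client from the
                         clear-text one
    """
    for entry in installed:
        if entry.peer_ip != candidate.peer_ip:
            continue                      # different NAT, no shared address
        if not overlaps(entry.desc, candidate.desc):
            continue
        if entry.secure != candidate.secure:
            return "mixed-protection", entry
        if entry.secure:
            return "ambiguous-sa", entry
    return "accept", None


NAT = "203.0.113.1"   # constructed external address of the NAT

# The sample server policy from the text: totally non-overlapping.
SAMPLE_POLICY = [
    PolicyEntry("Ari", NAT, TrafficDesc(UDP), secure=True),
    PolicyEntry("Bob", NAT, TrafficDesc(TCP), secure=True),
    PolicyEntry("Cliff", NAT, TrafficDesc(ICMP), secure=False),
]


def install_all(entries: List[PolicyEntry]):
    """Install entries in order; return (installed, rejected-with-reason)."""
    installed, rejected = [], []
    for e in entries:
        verdict, _other = check_new_entry(installed, e)
        if verdict == "accept":
            installed.append(e)
        else:
            rejected.append((e.client, verdict))
    return installed, rejected


if __name__ == "__main__":
    print(install_all(SAMPLE_POLICY)[1])   # nothing rejected
    problematic = [
        PolicyEntry("Ari", NAT, TrafficDesc(TCP), secure=True),
        PolicyEntry("Bob", NAT, TrafficDesc(TCP), secure=True),
        PolicyEntry("Cliff", NAT, TrafficDesc(TCP), secure=False),
    ]
    print(install_all(problematic)[1])
```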
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. IAB Considerations</span>
The UNSAF [<a href="./rfc3424" title="IAB Considerations for UNilateral Self-Address Fixing (UNSAF) Across Network Address Translation">RFC3424</a>] questions are addressed by the IPsec-NAT
compatibility requirements document [<a href="./rfc3715" title="IPsec-Network Address Translation (NAT) Compatibility Requirements">RFC3715</a>].
<span id="page-11" ></span>
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Acknowledgments</span>
Thanks to Tero Kivinen and William Dixon, who contributed actively to
this document.
Thanks to Joern Sierwald, Tamir Zegman, Tatu Ylonen, and Santeri
Paavolainen, who contributed to the early documents about NAT
traversal.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. References</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Normative References</span>
[<a id="ref-RFC0768">RFC0768</a>] Postel, J., "User Datagram Protocol", STD 6, <a href="./rfc768">RFC 768</a>,
August 1980.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC2401">RFC2401</a>] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", <a href="./rfc2401">RFC 2401</a>, November 1998.
[<a id="ref-RFC2406">RFC2406</a>] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", <a href="./rfc2406">RFC 2406</a>, November 1998.
[<a id="ref-RFC2409">RFC2409</a>] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", <a href="./rfc2409">RFC 2409</a>, November 1998.
[<a id="ref-RFC3947">RFC3947</a>] Kivinen, T., "Negotiation of NAT-Traversal in the IKE",
<a href="./rfc3947">RFC 3947</a>, January 2005.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Informative References</span>
[<a id="ref-RFC1122">RFC1122</a>] Braden, R., "Requirements for Internet Hosts -
Communication Layers", STD 3, <a href="./rfc1122">RFC 1122</a>, October 1989.
[<a id="ref-RFC3193">RFC3193</a>] Patel, B., Aboba, B., Dixon, W., Zorn, G., and S. Booth,
"Securing L2TP using IPsec", <a href="./rfc3193">RFC 3193</a>, November 2001.
[<a id="ref-RFC3424">RFC3424</a>] Daigle, L. and IAB, "IAB Considerations for UNilateral
Self-Address Fixing (UNSAF) Across Network Address
Translation", <a href="./rfc3424">RFC 3424</a>, November 2002.
[<a id="ref-RFC3715">RFC3715</a>] Aboba, B. and W. Dixon, "IPsec-Network Address Translation
(NAT) Compatibility Requirements", <a href="./rfc3715">RFC 3715</a>, March 2004.
[<a id="ref-IKEv2">IKEv2</a>] Kaufman, C., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&q=inurl:draft-+%22Internet+Key+Exchange+%28IKEv2%29+Protocol%22'>"Internet Key Exchange (IKEv2) Protocol"</a>,
Work in Progress, October 2004.
<span id="page-12" ></span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Clarification of Potential NAT Multiple Client Solutions</span>
This appendix provides clarification about potential solutions to the
problem of multiple clients behind the same NAT simultaneously
connecting to the same destination IP address.
Sections <a href="#section-5.1">5.1</a> and <a href="#section-5.2">5.2</a> say that you MUST avoid this problem. As this
is not a matter of wire protocol, but a matter of local implementation,
the mechanisms do not belong in the protocol specification itself.
They are instead listed in this appendix.
Choosing an option will likely depend on the scenarios for which one
uses/supports IPsec NAT-T. This list is not meant to be exhaustive,
so other solutions may exist. We first describe the generic choices
that solve the problem for all upper-layer protocols.
Generic choices for ESP transport mode:
Tr1) Implement a built-in NAT (network address translation) above
IPsec decapsulation.
Tr2) Implement a built-in NAPT (network address port translation)
above IPsec decapsulation.
Tr3) An initiator may decide not to request transport mode once NAT
is detected and may instead request a tunnel-mode SA. This may be a
retry after transport mode is denied by the responder, or the
initiator may choose to propose a tunnel SA initially. This is no
more difficult than knowing whether to propose transport mode or
tunnel mode without NAT. If for some reason the responder prefers or
requires tunnel mode for NAT traversal, it must reject the quick mode
SA proposal for transport mode.
Generic choices for ESP tunnel mode:
Tn1) Same as Tr1.
Tn2) Same as Tr2.
Tn3) This option is possible if an initiator can be assigned an
address through its tunnel SA, with the responder using DHCP. The
initiator may initially request an internal address via the
DHCP-IPsec method, regardless of whether it knows it is behind a NAT.
It may re-initiate an IKE quick mode negotiation for DHCP tunnel SA
after the responder fails the quick mode SA transport mode proposal.
This happens either when a NAT-OA payload is sent or because it
</pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
discovers from NAT-D that the initiator is behind a NAT and its local
configuration/policy will only accept a NAT connection when being
assigned an address through DHCP-IPsec.

There are also implementation choices that offer limited
interoperability. Implementors should specify which applications or
protocols should work if these options are selected. Note that
neither Tr4 nor Tn4, as described below, are expected to work with
TCP traffic.

Limited interoperability choices for ESP transport mode:

Tr4) Implement upper-layer protocol awareness of the inbound and
outbound IPsec SA so that it doesn't use the source IP and the source
port as the session identifier (e.g., an L2TP session ID mapped to
the IPsec SA pair that doesn't use the UDP source port or the source
IP address for peer uniqueness).

Tr5) Implement application integration with IKE initiation so that it
can rebind to a different source port if the IKE quick mode SA
proposal is rejected by the responder; then it can repropose the new
QM selector.

Limited interoperability choices for ESP tunnel mode:

Tn4) Same as Tr4.
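
One way to realize option Tr2, as an added example that is not part of RFC 3948: a built-in NAPT keyed by the inbound SA gives each client behind the shared NAT a distinct source port as seen by the upper layer, and the reverse lookup steers replies to the right SA pair. The class name, port pool, addresses and SPIs are assumptions made for illustration.

```python
# Added illustration of option Tr2 (built-in NAPT above IPsec decapsulation).
# All names, addresses and SPIs are constructed; none come from RFC 3948.

class BuiltInNapt:
    """Maps (inbound SA, protocol, peer address, peer port) to a unique port."""

    def __init__(self, first_port=40000, last_port=40999):
        self.free_ports = list(range(first_port, last_port + 1))
        self.by_flow = {}   # (spi_in, proto, src_ip, src_port): translated port
        self.by_port = {}   # (proto, src_ip, translated port): (spi_in, src_port)

    def inbound(self, spi_in, proto, src_ip, src_port):
        """After ESP decapsulation: source port to show to the upper layer."""
        flow = (spi_in, proto, src_ip, src_port)
        if flow not in self.by_flow:
            if not self.free_ports:
                raise RuntimeError("NAPT port pool exhausted")
            port = self.free_ports.pop(0)
            self.by_flow[flow] = port
            self.by_port[(proto, src_ip, port)] = (spi_in, src_port)
        return self.by_flow[flow]

    def outbound(self, proto, dst_ip, dst_port):
        """Before ESP encapsulation: (inbound SPI of the SA pair, real peer port)."""
        return self.by_port.get((proto, dst_ip, dst_port))

    def sa_deleted(self, spi_in):
        """Release every mapping owned by an SA that has been torn down."""
        for flow in [f for f in self.by_flow if f[0] == spi_in]:
            port = self.by_flow.pop(flow)
            del self.by_port[(flow[1], flow[2], port)]
            self.free_ports.append(port)


def demo():
    nat_ip = "203.0.113.7"          # constructed: public address of the shared NAT
    spi_a, spi_b = 0x1001, 0x1002   # constructed: inbound SPIs of two clients' SAs
    napt = BuiltInNapt()
    # Both clients send UDP from port 1701 (L2TP); in transport mode the
    # decapsulated packets carry the same source address and port.
    seen_a = napt.inbound(spi_a, "udp", nat_ip, 1701)
    seen_b = napt.inbound(spi_b, "udp", nat_ip, 1701)
    # Replies addressed to the translated port resolve to one SA pair each.
    reply_a = napt.outbound("udp", nat_ip, seen_a)
    reply_b = napt.outbound("udp", nat_ip, seen_b)
    return seen_a, seen_b, reply_a, reply_b
```

Mappings must be released when the owning SA is deleted, otherwise a later client reusing the pool could receive traffic meant for a stale peer.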
</pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
Authors' Addresses

Ari Huttunen
F-Secure Corporation
Tammasaarenkatu 7
HELSINKI FIN-00181
FI
EMail: Ari.Huttunen@F-Secure.com

Brian Swander
Microsoft
One Microsoft Way
Redmond, WA 98052
US
EMail: briansw@microsoft.com

Victor Volpe
Cisco Systems
124 Grove Street
Suite 205
Franklin, MA 02038
US
EMail: vvolpe@cisco.com

Larry DiBurro
Nortel Networks
80 Central Street
Boxborough, MA 01719
US
EMail: ldiburro@nortelnetworks.com

Markus Stenberg
FI
EMail: markus.stenberg@iki.fi
</pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
Full Copyright Statement

Copyright (C) The Internet Society (2005).

This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the IETF's procedures with respect to rights in IETF Documents can
be found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the
Internet Society.
</pre>