A Secure Way to Combine IPsec, NAT & DHCP
Jacques Demerjian 1, Ibrahim Hajjeh 2, Mohamad Badra 3, and Salim Ferraz 4
1 GET-Télécom Paris, 46 Rue Barrault 75013 Paris, France, demerjia@enst.fr
2 ESRGroups, 17-19 Rue Barrault 75013 Paris, France, ibrahim.hajjeh@esrgroups.org
3 UQAM, H3C 3P8 Montréal, Canada, mohamad.badra@uqam.ca
4 LIP6, 8 Rue du Capitaine Scott 75015 Paris, France, salim.ferraz@etu.upmc.fr
Abstract. This paper examines the use of NAT with IPsec as a transparent security mechanism. It discusses the security needs and the solutions that define how to combine IPsec and NAT. Because of the inherent limitations of the currently proposed solutions, this paper proposes an end-to-end security architecture using IPsec in the NAT/DHCP environment, with a formal validation of the proposed architecture using an automatic protocol analyser called Hermes. This paper builds upon previously published work.
1 Introduction
NAT (Network Address Translation) [30] is widely used in security architectures. It was originally developed as an interim solution to combat IPv4 [27] address depletion by allowing globally registered IP addresses to be re-used or shared by several hosts [24]. NAT provides a transparent routing mechanism to end hosts trying to communicate from disparate address realms, by modifying IP and transport headers en route. By providing this mechanism, NAT has become of vital importance in the implementation of network security.
The use of NAT has been the savior as well as the doom-maker for IP network deployment. At the same time that it solved address space issues and enabled the deployment of private IP networks, favoring address reuse, it has introduced major issues, breaking some of the Internet's protocols and applications. IPsec (IP Security) [18] might be considered one of the main protocols that NAT has broken: even though solutions currently exist to "make" IPsec work when NAT devices are in place, the truth is that IPsec deployment is seriously hindered. As a result, end-to-end IP security from any host to any other host on the Internet is still far from a reality.
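The following is an added example and not code from the paper or its authors; it illustrates the incompatibility just described. It models how an IPsec AH-style integrity check value (ICV) is computed over the IP header with the mutable fields (TOS, flags/fragment offset, TTL, header checksum) zeroed, as RFC 4302 specifies, using HMAC-SHA-256 truncated to 128 bits. The key, addresses and payload are constructed for the demonstration. An ordinary router only decrements the TTL, which AH excludes from the ICV, so the packet still verifies; a NAT device rewrites the source address, which AH does cover, so the receiver's verification fails.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA key would be negotiated by IKE.
DEMO_KEY = b"constructed-demo-ah-key"
ICV_LEN = 16  # HMAC-SHA-256-128 keeps the first 128 bits of the MAC


def ipv4_checksum(header: bytes) -> int:
    """Standard IPv4 one's-complement header checksum."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int = 64,
                      proto: int = 51, total_length: int = 60) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 51 = AH) with a valid checksum."""
    fields = [0x45, 0, total_length, 0x1234, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed,
              ipaddress.IPv4Address(dst).packed]
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", *fields))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def ah_icv(key: bytes, ip_header: bytes, payload: bytes) -> bytes:
    """AH-style ICV: HMAC over the IP header with mutable fields zeroed, then
    the payload. Source and destination addresses are immutable, so they are
    covered by the MAC."""
    hdr = bytearray(ip_header)
    hdr[1] = 0                # TOS/DSCP may legitimately change in transit
    hdr[6:8] = b"\x00\x00"    # flags + fragment offset
    hdr[8] = 0                # TTL is decremented by every hop
    hdr[10:12] = b"\x00\x00"  # header checksum changes whenever TTL does
    mac = hmac.new(key, bytes(hdr) + payload, hashlib.sha256).digest()
    return mac[:ICV_LEN]


def ah_verify(key: bytes, ip_header: bytes, payload: bytes, icv: bytes) -> bool:
    """Receiver-side check, constant-time comparison."""
    return hmac.compare_digest(ah_icv(key, ip_header, payload), icv)


def forward_through_router(ip_header: bytes) -> bytes:
    """An ordinary router: decrement TTL and recompute the header checksum."""
    hdr = bytearray(ip_header)
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def forward_through_nat(ip_header: bytes, public_src: str) -> bytes:
    """A NAT device: does what a router does, and additionally rewrites the
    private source address to its public address."""
    hdr = bytearray(forward_through_router(ip_header))
    hdr[12:16] = ipaddress.IPv4Address(public_src).packed
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def demo() -> dict:
    """Send one AH-protected packet over three paths and report whether the
    receiver's ICV check passes. Addresses are constructed (RFC 5737 ranges
    plus a private 10/8 address)."""
    payload = b"constructed upper-layer data"
    sent = build_ipv4_header("10.0.0.5", "203.0.113.7")
    icv = ah_icv(DEMO_KEY, sent, payload)
    via_router = forward_through_router(sent)
    via_nat = forward_through_nat(sent, "198.51.100.1")
    return {
        "direct": ah_verify(DEMO_KEY, sent, payload, icv),
        "after_router": ah_verify(DEMO_KEY, via_router, payload, icv),
        "after_nat": ah_verify(DEMO_KEY, via_nat, payload, icv),
    }


if __name__ == "__main__":
    print(demo())  # {'direct': True, 'after_router': True, 'after_nat': False}
```

The zeroing of mutable fields is exactly what lets AH survive normal routing; the address rewrite is what it cannot survive, which is why the NAT device cannot be "transparent" to an AH-protected flow without help from an additional mechanism.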
In this paper, we propose a solution for assuring end-to-end security using IPsec in the NAT/DHCP [8] environment. This solution builds upon [6, 7] and [32], works previously published.
The remainder of this paper is structured as follows: Section 2 describes known incompatibilities between NAT and IPsec; Section 3 explores some existing solutions that define how to combine IPsec and NAT, and exposes their limits. Section 4 illus-
 