NAT devices are detected by sending NAT-D (NAT Discovery) packets. Both endpoints send hashes of the source and destination IP addresses and ports they are aware of. If these hashes do not match, indicating that the IP addresses and ports are not the same on both sides, the VPN devices know a NAT device exists somewhere in between.
All NAT Traversal communications occur over UDP port 500. This works great
because port 500 is already open for IKE communications in IPsec VPNs, so new
holes do not need to be opened in the corporate firewall.
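The NAT-D comparison described above, as an added example that is not part of the paper: each side builds the hashes it sends, and the responder compares what it receives against the addresses it actually observes, so a NAT in front of the initiator shows up as a mismatch. The hash input follows RFC 3947 (IKE cookies, IP, port); the cookies, addresses, the NAT mapping and the choice of SHA-1 are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

IKE_PORT = 500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    # RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port). SHA-1 stands in
    # for the negotiated IKE hash (assumption of this example).
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_nat_d(cky_i, cky_r, own, peer):
    # A sender emits the hash of the destination (peer) address it is aware
    # of first, then the hash of its own source address and port.
    return [nat_d_hash(cky_i, cky_r, *peer), nat_d_hash(cky_i, cky_r, *own)]


def check_nat_d(cky_i, cky_r, own, observed_src, received):
    # received[0] is the peer's view of *our* address; the rest are the peer's
    # view of its own source. A mismatch means a NAT rewrote that side.
    we_are_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, *own)
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) not in received[1:]
    return we_are_behind_nat, peer_behind_nat


def nat_box(src, table):
    # Hypothetical NAT: rewrites the outer UDP source, leaves the payload alone.
    return table.get(src, src)


def simulate(initiator_behind_nat: bool):
    # Returns the responder's verdict as (responder_behind_nat, initiator_behind_nat).
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8            # constructed IKE cookies
    initiator = ("192.168.1.10", IKE_PORT)             # constructed private address
    responder = ("198.51.100.7", IKE_PORT)             # constructed public address
    table = {initiator: ("203.0.113.5", 12345)} if initiator_behind_nat else {}
    payloads = build_nat_d(cky_i, cky_r, initiator, responder)
    seen_src = nat_box(initiator, table)                # source the responder observes
    return check_nat_d(cky_i, cky_r, responder, seen_src, payloads)


if __name__ == "__main__":
    print("no NAT:", simulate(False))                  # (False, False)
    print("NAT before initiator:", simulate(True))     # (False, True)
```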
NAT Traversal is the long-awaited solution to one of the major issues with IPsec
VPNs, but it does not solve everyone's problems.
NAT-T (NAT Traversal) has the following limitations:
1. NAT-T imposes approximately 200 bytes of overhead during IKE negotiation and about 20 bytes of additional overhead for each packet. Depending on the amount of available bandwidth and processing power, the difference in throughput may in some instances be measurable.

Because AH transforms actually authenticate packet headers as well as packet payloads, and because NAT Traversal provides a mechanism by which packet headers can be modified in transit, AH and NAT-T do not function together; NAT-T operates only on ESP-transformed packets.

Because of this authentication deficiency, the trust level between hosts using NAT-T is greatly reduced; NAT-T should not be used when the greatest level of host-based authentication is required.

2. NAT-T works only when the IKE initiator is the system behind the NAT box. An IKE responder cannot be behind a NAT box unless the box has been programmed to forward IKE packets to the appropriate individual system behind the box [31].

3. NAT-T requires that the NAT box not apply special processing rules. A NAT box with special IPsec processing rules might interfere with the implementation of NAT-T [31].
Next, we present our solution for assuring end-to-end security using IPsec in the NAT/DHCP environment.
4 Proposed Solution
Because of the inherent limitations of the current solutions proposed for the NAT-IPsec compatibility problem, it is necessary to find a solution that effectively addresses this legitimate security concern.
Given that IKE can be used to set up dynamic IPsec associations, we propose a new way of making IPsec work through a NAT function. This solution builds upon previously published work [6, 32] and [8].
Before developing our proposal, the following section starts with an overview of the E-DHCP (Extended-Dynamic Host Configuration Protocol) solution, and then of the IKE protocol issue in a NAT environment.
4.1 Overview of E-DHCP
The DHCP (Dynamic Host Configuration Protocol) [8] provides a framework for
passing configuration information to hosts on a TCP/IP network.