Firewall Wizards mailing list archives

Re: NAT

From: Paul Sangster <sangster () reston ans net>
Date: Thu, 18 Jun 1998 08:48:21 -0400

On Wed, Jun 17, 1998 at 12:01:18PM -0700, Ryan Russell wrote:


Key management is one problem with NAT, but I'll leave that alone
for the moment.

I'm under the impression that if the IP header of an IPSec packet
gets modified, the packet will get rejected because IP addresses
are part of what's checked for in authentication mode.  I'm also
assuming that authentication mode is wanted/needed when doing
VPN applications.


Not every mode of IPSEC authenticates the outermost IP header, thus
preventing external NAT.  If the VPN nodes are using ESP in tunnel
mode with authentication (for instance) the new outer IP header is
not protected by the authenticator so it can be changed in transit.
Here's the packet diagram from the specs:

                 BEFORE APPLYING ESP
            ----------------------------
      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------
 
                 AFTER APPLYING ESP TUNNEL
            -----------------------------------------------------------
      IPv4  | new IP hdr* |     | orig IP hdr*  |   |    | ESP   | ESP|
            |(any options)| ESP | (any options) |TCP|Data|Trailer|Auth|
            -----------------------------------------------------------
                                |<--------- encrypted ---------->|
                          |<----------- authenticated ---------->|

However, using AH whose goal is to protect the outer IP header from
in transit modifications will not allow NAT tampering.  Notice its
authenticator covers the entire packet:

                 AFTER APPLYING AH TUNNEL
            ------------------------------------------------
      IPv4  | new IP hdr* |    | orig IP hdr*  |    |      |
            |(any options)| AH | (any options) |TCP | Data |
            ------------------------------------------------
            |<- authenticated except for mutable fields -->|
            |           in the new IP hdr                  |

I think the most flexible solutions will provide IPSEC and NAT on the
same nodes so as to allow NATing the addresses just before the packet
gets authenticated.  Even this won't deal with all the 'real world'
NAT issues, hopefully the combination of the fact that creating
tunnels itself causes a source NAT to occur (all tunnel protected packets
has a new source of the IPSEC node) and the potential to use NAT boxes
inside the VPN links can solve many problems.


The problem I'm concerned with is remote-access type VPN
applications.  This is where I send users running around the world
with a piece of software on their laptops, and they get whatever
kind of Internet access they can.  This would include sitting
on someone else's net, and going out through their firewall.
I think the IPSec method of transport is going to have limited
value in those situations, and we'll need something simpler
for a transport, like a TCP connection.


Depends on the remote sites security policies.  If the remote customers
isn't willing to let unrestricted tunnel come out of their network (such 
as an IPSEC or other tunneling protocol) then your right.  In fact I
suspect many firewalls won't be able to pass IPSEC packets anyway unless 
they support IPSEC to begin with as AH and ESP are IP level protocols (AKA
don't ride on TCP or UDP).  Of course the packet filter type firewalls
are good at blindly passing protocols so they'll be able to do it :).

Paul


Rick Smith <rick_smith () securecomputing com> on 06/17/98 11:49:16 AM

To:   Ryan Russell/SYBASE
cc:   Tina Bird <tbird () iegroup com>, "'firewall-wizards () nfr net'"
      <firewall-wizards () nfr net>
Subject:  Re: NAT




At 09:53 AM 6/17/98 -0700, Ryan Russell wrote:


Your first paragraph clears it up, thanks.  If the IPSec happens
after NAT, it makes perfect sense.  When one wants to use
NAT with IPSec, then the device doing NAT would have to participate
in the IPSec connection.


Why couldn't you put an outboard IPSEC box between the external network and
the box performing NAT? Again, the IPSEC implentation would only see the
translated addresses.

That would imply that one couldn't get an IPSec connection
through a box that did NAT/proxy when that box didn't
participate in the connection.  I think that's going to be
a major problem for IPSec based VPN soultions.


I generally think of VPN solutions as providing protection to traffic
*outside* a site, so I don't see a problem here. The NAT box sits at the
site boundary.

But if there's a requirement for end to end IPSEC crypto, then NAT would
throw a large and nasty monkey wrench in the middle. Perhaps you were
alluding to in your last message: NAT leaves you nothing to hand a security
association on when you're configuring the system. If you're using ISAKMP,
there's no mechanism to pass your key negotiation through to the endpoint
host. Even then, some ISAKMP modes only work if you have predictable IP
addresses.

Rick.
smith () securecomputing com


Received: from tunnel.sybase.com ([130.214.231.88]) by ibwest.sybase.com
(Lotus SMTP MTA v4.6.1  (569.2 2-6-1998)) with SMTP id 88256626.0067DEA6;
Wed, 17 Jun 1998 11:54:32 -0700
Received: from smtp1.sybase.com (smtp1 [130.214.220.35])
          by tunnel.sybase.com (8.8.4/8.8.4) with SMTP
       id LAA25949 for <Ryan_Russell@tunnel-w>; Wed, 17 Jun 1998 11:52:14
-0700 (PDT)
Received: from halon.sybase.com by smtp1.sybase.com
(4.1/SMI-4.1/SybH3.5-030896)
     id AA12782; Wed, 17 Jun 98 11:52:13 PDT
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50])
          by halon.sybase.com (8.8.4/8.8.4) with ESMTP
       id LAA12366 for <ryanr () sybase com>; Wed, 17 Jun 1998 11:52:04 -0700
(PDT)
Received: from beach.sctc.com (root@localhost)
     by beach.sctc.com with ESMTP id NAA11320;
     Wed, 17 Jun 1998 13:53:28 -0500 (CDT)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3])
     by beach.sctc.com with ESMTP id NAA11316;
     Wed, 17 Jun 1998 13:53:27 -0500 (CDT)
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48])
     by sphinx.sctc.com (8.8.5/8.8.5) with SMTP id NAA22754;
     Wed, 17 Jun 1998 13:53:07 -0500 (CDT)
Received: from bowtie (bowtie.sctc.com [172.17.65.169]) by shade.sctc.com
(8.6.12/8.6.9) with SMTP id NAA14232; Wed, 17 Jun 1998 13:53:06 -0500
Message-Id: <3.0.3.32.19980617134916.00924b10 () mailhost sctc com>
X-Sender: smith () mailhost sctc com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 17 Jun 1998 13:49:16 -0500
To: "Ryan Russell" <ryanr () sybase com>
From: Rick Smith <rick_smith () securecomputing com>
Subject: Re: NAT
Cc: Tina Bird <tbird () iegroup com>,
        "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
In-Reply-To: <88256626.005C3DA0.00 () gwwest sybase com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"


-- 
_______________________________________________________________________
                            Paul Sangster 
 ANS Communications                       Senior Software Engineer
 1875 Campus Commons Dr.                  sangster () reston ans net
 Suite 220,  Reston VA 22091              http://www.ans.net/InterLock
_______________________________________________________________________

Attachment: _bin
Description:

Current thread:

RE: NAT, (continued)
- RE: NAT Burden, James (Jun 12)
  - Re: NAT Tina Bird (Jun 13)
- Re: NAT Ryan Russell (Jun 15)
  - Re: NAT Rick Smith (Jun 17)
- RE: NAT Burden, James (Jun 16)
  - Re: NAT Tina Bird (Jun 17)
- Re: NAT Ryan Russell (Jun 17)
  - Re: NAT Rick Smith (Jun 17)
- Re: NAT Ryan Russell (Jun 17)
  - Re: NAT Rick Smith (Jun 17)
  - Re: NAT Paul Sangster (Jun 18)
- Re: NAT Ryan Russell (Jun 17)