1 IP Security Protocol Working Group (IPSEC) T. Kivinen
2 INTERNET-DRAFT SSH Communications Security
3 draft-ietf-ipsec-nat-t-ike-03.txt A. Huttunen
4 Expires: 24 December 2002 F- Secure Corporation
13 Negotiation of NAT-Traversal in the IKE
17 This document is a submission to the IETF IP Security Protocol
18 (IPSEC) Working Group. Comments are solicited and should be
19 addressed to the working group mailing list (ipsec@lists.tislabs.com)
22 This document is an Internet-Draft and is in full conformance
23 with all provisions of Section 10 of RFC2026.
25 Internet-Drafts are working documents of the Internet Engineering
26 Task Force (IETF), its areas, and its working groups. Note that
27 other groups may also distribute working documents as
30 Internet-Drafts are draft documents valid for a maximum of six
31 months and may be updated, replaced, or obsoleted by other
32 documents at any time. It is inappropriate to use Internet-
33 Drafts as reference material or to cite them other than as
36 The list of current Internet-Drafts can be accessed at
37 http://www.ietf.org/ietf/1id-abstracts.txt
39 The list of Internet-Draft Shadow Directories can be accessed at
40 http://www.ietf.org/shadow.html.
44 This document describes how to detect one or more NATs between IPsec
45 hosts, and how to negotiate the use of UDP encapsulation of the IPsec
46 packets through the NAT boxes in IKE.
58 T. Kivinen, et. al. [page 1]
60 INTERNET-DRAFT 24 June 2002
64 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 2
65 2. Specification of Requirements . . . . . . . . . . . . . . . . . 2
66 3. Phase 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
67 3.1. Detecting support of Nat-Traversal . . . . . . . . . . . . . 3
68 3.2. Detecting presence of NAT . . . . . . . . . . . . . . . . . 3
69 4. Floating to the new ports . . . . . . . . . . . . . . . . . . . 5
70 5. Quick Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
71 5.1. Negotiation of the NAT-Traversal encapsulation . . . . . . . 7
72 5.2. Sending the original source address . . . . . . . . . . . . 8
73 6. Initial contact notifications . . . . . . . . . . . . . . . . . 8
74 7. Recovering from the expiring NAT mappings . . . . . . . . . . . 9
75 8. Security Considerations . . . . . . . . . . . . . . . . . . . . 9
76 9. Intellectual property rights . . . . . . . . . . . . . . . . . . 10
77 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 10
78 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
79 12. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 11
85 This document is split in two parts. The first part describes what is
86 needed in the IKE phase 1 for the NAT-Traversal support. This includes
87 detecting if the other end supports NAT-Traversal, and detecting if
88 there is one or more NAT along the path from host to host.
90 The second part describes how to negotiate the use of UDP encapsulated
91 IPsec packets in the IKE Quick Mode. It also describes how to transmit
92 the original source address to the other end if needed. The original
93 source address can be used to incrementally update the TCP/IP checksums
94 so that they will match after the NAT transform (The NAT cannot do this,
95 because the TCP/IP checksum is inside the UDP encapsulated IPsec
98 The document [Hutt02] describes the details of the UDP encapsulation and
99 the document [Dixon01] provides background information and motivation of
100 the NAT-Traversal in general.
102 2. Specification of Requirements
104 This document shall use the keywords "MUST", "MUST NOT", "REQUIRED",
105 "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED, "MAY", and
106 "OPTIONAL" to describe requirements. They are to be interpreted as
107 described in [RFC-2119] document.
111 The detection of the support for the NAT-Traversal and detection of the
112 NAT along the path happens in the IKE [RFC-2409] phase 1.
114 The NAT is supposed to float the IKE UDP port, and recipients MUST be
117 T. Kivinen, et. al. [page 2]
119 INTERNET-DRAFT 24 June 2002
121 able to process IKE packets whose source port is different than 500.
122 There are cases where the NAT does not have to float the source port
123 (only one (IPsec) host behind the NAT or for the first IPsec host it can
124 keep the port 500, and float only the following IPsec hosts).
126 Recipients MUST reply back to the source address from the packet. This
127 also means that when the original responder is doing rekeying, or
128 sending notifications etc. to the original initiator it MUST send the
129 packets from the same set of port and IP numbers that was used when the
130 IKE SA was last time used (i.e the source and destination port and IP
131 numbers must be same).
133 For example the initiator sends packet having source and destination
134 port 500, the NAT changes that to such packet which have source port
135 12312 and destination port 500, the responder must be able to process
136 the packet whose source address is that 12312 and it must reply back
137 with packet whose source address is 500 and destination address 12312,
138 the NAT will then translate this packet to have source address 500 and
139 destination address 500.
141 3.1. Detecting support of Nat-Traversal
143 The NAT-Traversal capability of the remote host is determined by an
144 exchange of vendor strings; in Phase 1 two first messages, the vendor id
145 payload for this specification of NAT-Traversal (MD5 hash of "draft-
146 ietf-ipsec-nat-t-ike-03" - ["7d9419a6 5310ca6f 2c179d92 15529d56"]) MUST
147 be sent if supported (and it MUST be received by both sides) for the
148 NAT-Traversal probe to continue.
150 3.2. Detecting presence of NAT
152 The purpose of the NAT-D payload is twofold, It not only detects the
153 presence of NAT between two IKE peers, it also detects where the NAT is.
154 The location of the NAT device is important in that the keepalives need
155 to initiate from the peer "behind" the NAT.
157 To detect the NAT between the two hosts, we need to detect if the IP
158 address or the port changes along the path. This is done by sending the
159 hashes of IP address and port of both source and destination addresses
160 from each end to another. When both ends calculate those hashes and get
161 same result they know there is no NAT between. If the hashes do not
162 match, somebody translated the address or port between, meaning we need
163 to do NAT-Traversal to get IPsec packet through.
165 If the sender of the packet does not know his own IP address (in case of
166 multiple interfaces, and implementation don't know which is used to
167 route the packet out), he can include multiple local hashes to the
168 packet (as separate NAT-D payloads). In this case the NAT is detected if
169 and only if none of the hashes match.
171 The hashes are sent as a series of NAT-D (NAT discovery) payloads. Each
172 payload contains one hash, so in case of multiple hashes, multiple NAT-D
173 payloads are sent. In normal case there is only two NAT-D payloads.
176 T. Kivinen, et. al. [page 3]
178 INTERNET-DRAFT 24 June 2002
180 The NAT-D payloads are included in the third and fourth packet in the
181 main mode and second and third packet in the aggressive mode.
183 The format of the NAT-D packet is
185 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
186 +---------------+---------------+---------------+---------------+
187 | Next Payload | RESERVED | Payload length |
188 +---------------+---------------+---------------+---------------+
189 ~ HASH of the address and port ~
190 +---------------+---------------+---------------+---------------+
192 The payload type for the NAT discovery payload is 130 (XXX CHANGE).
194 The HASH is calculated as follows:
196 HASH = HASH(CKY-I | CKY-R | IP | Port)
198 using the negotiated HASH algorithm. All data inside the HASH is in the
199 network byte-order. The IP is 4 octets for the IPv4 address and 16
200 octets for the IPv6 address. The port number is encoded as 2 octet
201 number in network byte-order. The first NAT-D payload contains the
202 remote ends IP address and port (i.e the destination address of the UDP
203 packet). The rest of the NAT-D payloads contain possible local end IP
204 addresses and ports (i.e all possible source addresses of the UDP
207 If there is no NAT between then the first NAT-D payload should match one
208 of the local NAT-D packet (i.e the local NAT-D payloads this host is
209 sending out), and the one of the other NAT-D payloads must match the
210 remote ends IP address and port. If the first check fails (i.e first
211 NAT-D payload does not match any of the local IP addresses and ports),
212 then it means that there is dynamic NAT between, and this end should
213 start sending keepalives as defined in the [Hutt02].
215 The CKY-I and CKY-R are the initiator and responder cookies, and they
216 are added to the hash to make precomputation attacks for the IP address
219 An example of phase 1 exchange using NAT-Traversal in main mode
220 (authentication with signatures) is:
223 ------------ ------------
226 HDR, KE, Ni, NAT-D, NAT-D -->
227 <-- HDR, KE, Nr, NAT-D, NAT-D
228 HDR*#, IDii, [CERT, ] SIG_I -->
229 <-- HDR*#, IDir, [ CERT, ], SIG_R
231 An example of phase 1 exchange using NAT-Traversal in aggressive mode
232 (authentication with signatures) is:
235 T. Kivinen, et. al. [page 4]
237 INTERNET-DRAFT 24 June 2002
240 ------------ ------------
241 HDR, SA, KE, Ni, IDii, VID -->
242 <-- HDR, SA, KE, Nr, IDir,
243 [CERT, ], VID, NAT-D,
245 HDR*#, [CERT, ], NAT-D, NAT-D,
248 The '#' sign identifies that those packets are sent to the floated port
251 4. Floating to the new ports
253 IPsec-aware NATs can cause problems. Some NATs will not float IKE source
254 port 500 even if there are multiple clients behind the NAT. They can
255 also map IKE cookies to demultiplex traffic instead of using the source
256 port. Both of these are problematic for generic NAT transparency since
257 it is difficult for IKE to discover the capabilities of the NAT. The
258 best approach is to simply move the IKE traffic off port 500 as soon as
259 possible to avoid any IPsec-aware NAT special casing. Moving IKE from
260 port 500 to port 4500 is known as port floating.
262 Take the common case of the initiator behind the NAT. The initiator must
263 quickly float to 4500 once the NAT has been detected to minimize the
264 window of IPsec-aware NAT problems.
266 In main mode, the initiator MUST float on the ID payload if there is NAT
267 between the hosts. The initiator MUST set both UDP source and
268 destination ports to 4500. All subsequent packets sent to this peer
269 (including informationals) MUST be sent on 4500. In addition, the IKE
270 data MUST be prepended with a non-ESP marker allowing for demultiplexing
271 of traffic as defined in [Hutt02].
273 Thus, the IKE packet now looks like:
275 IP UDP(4500,4500) <non-ESP marker> HDR*, IDii, [CERT, ] SIG_I
277 assuming authentication using signatures. The 4 bytes of non-ESP marker
278 is defined in the [Hutt02].
280 When the responder gets this packet he performs the usual decryption and
281 processing of the various payloads. If this is successful, he MUST
282 update local state so that all subsequent packets (including
283 informationals) to the peer use the new port, and possibly new IP
284 address obtained from the incoming valid packet. The port will generally
285 be different since the NAT will map UDP(500,500) to UDP(X,500), and
286 UDP(4500,4500) to UDP(Y,4500). The IP address will seldom be different
287 from the pre-float IP address. The responder MUST respond with all
288 subsequent IKE packets to this peer using UDP(4500,Y).
290 Similarly, if the responder needs to rekey the phase 1 SA, then he MUST
291 start the negotiation using UDP(4500,Y). Any implementation that
294 T. Kivinen, et. al. [page 5]
296 INTERNET-DRAFT 24 June 2002
298 supports NAT traversal, MUST support negotiations that begin on port
299 4500. If a negotiation starts on 4500, then it doesn't need to float
300 anywhere else in the exchange.
302 Once floating has occurred, if a packet is received on 500, that packet
303 is old. If the packet is an informational, it MAY be processed if local
304 policy allows. If the packet is a main mode or aggressive mode packet,
305 it SHOULD be discarded.
307 Here is an example of phase 1 exchange using NAT-Traversal in main mode
308 (authentication with signatures) with port floating:
311 ------------ ------------
312 UDP(500,500) HDR, SA, VID -->
313 <-- UDP(500,X) HDR, SA, VID
314 UDP(500,500) HDR, KE, Ni,
316 <-- UDP(500,X) HDR, KE, Nr,
318 UDP(4500,4500) HDR*#, IDii,
320 <-- UDP(4500,Y) HDR*#, IDir,
323 The floating algorithm for aggressive mode is very similar. After the
324 NAT has been detected, the initiator sends: IP UDP(4500,4500) <4 bytes
325 of non-ESP marker> HDR*, [CERT, ], NAT-D, NAT-D, SIG_I The responder
326 does similar processing to the above, and if successful, MUST update his
327 internal IKE ports. The responder MUST respond with all subsequent IKE
328 packets to this peer using UDP(4500,Y).
331 ------------ ------------
333 UDP(500,500) HDR, SA, KE,
335 <-- UDP(500,X) HDR, SA, KE,
339 UDP(4500,4500) HDR*#, [CERT, ],
343 <-- UDP(4500, Y) HDR*#, ...
345 While floating, the port in the ID payload in Main Mode/Aggressive Mode
348 The most common case for the responder behind the NAT is if the NAT is
349 simply doing 1-1 address translation. In this case, the initiator still
350 floats both ports to 4500. The responder uses the identical algorithm
353 T. Kivinen, et. al. [page 6]
355 INTERNET-DRAFT 24 June 2002
357 as above, although in this case, Y will equal 4500, since no port
358 translation is happening.
360 A different floating case involves out-of-band discovery of the ports to
361 use. For instance, if the responder is behind a port translating NAT,
362 and the initiator needs to contact it first, then the initiator will
363 need to determine which ports to use, usually by contacting some other
364 server. Once the initiator knows which ports to use to traverse the NAT,
365 generally something like UDP(Z,4500), he initiates using these ports.
366 This is similar to the responder rekey case above in that the ports to
367 use are already known upfront, and no additional floating need take
370 Also the first keepalive timer starts after floating to new port, no
371 keepalives are sent to the port 500 mapping.
375 After the Phase 1 both ends know if there is a NAT present between. The
376 final decision of using the NAT-Traversal is left to the quick mode. The
377 use of NAT-Traversal is negotiated inside the SA payloads of the quick
378 mode. In the quick mode both ends can also send the original source
379 addresses of the IPsec packets (in case of the transport mode) to the
380 other, end so the other end has possibility to fix the TCP/IP checksum
381 field after the NAT transform.
383 This sending of the original source address is optional, and it is not
384 useful in the UDP-Encapsulated-Tunnel mode, as there is going to be
385 proper IP header inside the UDP-Encapsulated packet. In case of only
386 UDP-Encapsulated-Tunnel mode is negotiation then both ends SHOULD NOT
387 send original source address.
388 It also might be unnecessary in the transport mode if the other end can
389 turn off TCP/IP checksum verification. If the sending end knows (for
390 example from the vendor id payload) that the other end can turn off
391 TCP/IP checksum verification, he MAY leave the original source address
392 payload away. Otherwise he SHOULD send the original source address.
394 5.1. Negotiation of the NAT-Traversal encapsulation
396 The negotiation of the NAT-Traversal happens by adding two new
397 encapsulation modes. These encapsulation modes are:
399 UDP-Encapsulated-Tunnel 61443 (XXX CHANGE)
400 UDP-Encapsulated-Transport 61444 (XXX CHANGE)
402 It is not normally useful to propose both normal tunnel or transport
403 mode and UDP-Encapsulated modes. If there is a NAT box between normal
404 tunnel or transport encapsulations may not work, and if there is no NAT
405 box between, there is no point of wasting bandwidth by adding UDP
406 encapsulation of packets. Because of this initiator SHOULD NOT include
407 both normal tunnel or transport mode and UDP-Encapsulated-Tunnel or UDP-
408 Encapsulated-Transport in its proposals.
412 T. Kivinen, et. al. [page 7]
414 INTERNET-DRAFT 24 June 2002
416 5.2. Sending the original source address
418 In case of transport mode both ends SHOULD send the original source
419 address to the other end. For the tunnel mode both ends SHOULD NOT send
420 original source address to the other end.
422 The original source address of packets put to this transport mode IPsec
423 SA is sent to other end using NAT-OA (NAT Original Address) payload.
425 The NAT-OA payloads are sent inside the first and second packets of the
426 quick mode. The initiator SHOULD send the payload if it proposes any
427 UDP-Encapsulated-Transport mode and the responder SHOULD send the
428 payload only if it selected UDP-Encapsulated-Transport mode. I.e it is
429 possible that initiator send the NAT-OA payload, but proposes both UDP-
430 Encapsulated transport and tunnel mode, and then the responder selects
431 the UDP-Encapsulated tunnel mode and do not send NAT-OA payload back.
433 A peer MUST NOT fail a negotiation if it does not receive a NAT-OA
434 payload if the NAT-OA payload only would contain redundant information.
435 I.e. only the machine(s) that are actually behind the NAT need to send
436 the NAT-OA payload. A machine with a public, non-changing IP address
437 doesn't need to send the NAT-OA payload.
439 The format of the NAT-OA packet is
441 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
442 +---------------+---------------+---------------+---------------+
443 | Next Payload | RESERVED | Payload length |
444 +---------------+---------------+---------------+---------------+
445 | ID Type | RESERVED | RESERVED |
446 +---------------+---------------+---------------+---------------+
447 | IPv4 (4 octets) or IPv6 address (16 octets) |
448 +---------------+---------------+---------------+---------------+
450 The payload type for the NAT original address payload is 131 (XXX
453 The ID type is defined in the [RFC-2407]. Only ID_IPV4_ADDR and
454 ID_IPV6_ADDR types are allowed. The two reserved fields after the ID
457 An example of quick mode using NAT-OA payloads is:
460 ------------ ------------
461 HDR*, HASH(1), SA, Ni, [, KE]
462 [, IDci, IDcr ] [, NAT-OA] -->
463 <-- HDR*, HASH(2), SA, Nr, [, KE]
464 [, IDci, IDcr ] [, NAT-OA]
467 6. Initial contact notifications
471 T. Kivinen, et. al. [page 8]
473 INTERNET-DRAFT 24 June 2002
475 The source IP and port address of the INITIAL-CONTACT notification for
476 the host behind NAT are not meaningful, so the IP and port numbers MUST
477 NOT be used for the determine which IKE/IPsec SAs to remove. The ID
478 payload sent from the other SHOULD be used instead. I.e when INITIAL-
479 CONTACT notification is received from the other end, the receiving end
480 SHOULD remove all the SAs associated with the same ID payload.
482 7. Recovering from the expiring NAT mappings
484 There are cases where NAT box decides to remove mappings that are still
485 alive (for example, the keepalive interval is too long, or the NAT box
486 is rebooted). To recover from those ends which are NOT behind NAT SHOULD
487 use the last valid authenticated packet from the other end to determine
488 which IP and port addresses the should be used. The host behind dynamic
489 NAT MUST NOT do this as otherwise it opens DoS attack possibility, and
490 there is no need for that, because the IP address or port of other host
491 will not change (it is not behind NAT).
492 Keepalives cannot be used for this purposes as they are not
493 authenticated, but any IKE authenticated IKE packet or ESP packet can be
494 used to notice that the IP address or the port has changed.
496 8. Security Considerations
498 Whenever changes to some fundamental parts of a security protocol are
499 proposed, the examination of security implications cannot be skipped.
500 Therefore, here are some observations on the effects, and whether or not
501 these effects matter.
503 o IKE probe reveals NAT-Traversal support to everyone. This should not
506 o The value of authentication mechanisms based on IP addresses
507 disappears once NATs are in the picture. That is not necessarily a
508 bad thing (for any real security, other authentication measures than
509 IP addresses should be used). This means that pre-shared-keys
510 authentication cannot be used with the main mode without group shared
511 keys for everybody behind the NAT box, which is huge security risk.
512 Use of group shared keys is NOT RECOMMENDED.
514 o As the internal address space is only 32 bits, and it is usually very
515 sparse, it might be possible for the attacker to find out the
516 internal address used behind the NAT box by trying all possible IP-
517 addresses and trying to find the matching hash. The port numbers are
518 normally fixed to 500, and the cookies can be extracted from the
519 packet. This limits the hash calculations down to 2^32. If educated
520 guess of use of private address space is done, then the number of
521 hash calculations needed to find out the internal IP address goes
522 down to the 2^24 + 2 * (2^16).
524 o Neither NAT-D payloads or Vendor ID payloads are authenticated at all
525 in the main mode nor in the aggressive mode. This means that attacker
526 can remove those payloads, modify them or add them. By removing or
527 adding them the attacker can cause Denial Of Service attacks. By
530 T. Kivinen, et. al. [page 9]
532 INTERNET-DRAFT 24 June 2002
534 modifying the NAT-D packets the attacker can cause both ends to use
535 UDP-Encapsulated modes instead of directly using tunnel or transport
536 mode, thus wasting some bandwidth.
538 o The sending of the original source address in the Quick Mode reveals
539 the internal IP address behind the NAT to the other end. In this case
540 we have already authenticated the other end, and sending of the
541 original source address is only needed in transport mode.
543 o Updating the IKE SA / ESP UDP encapsulation IP addresses and ports
544 for each valid authenticated packet can cause DoS in case we have
545 attacker who can listen all traffic in the network, and can change
546 the order of the packet and inject new packets before the packet he
547 has already seen. I.e attacker can take the authenticated packet from
548 the host behind NAT, change the packet UDP source or destination
549 ports or IP addresses and sent it out to the other end before the
550 real packet reaches there. The host not behind the NAT will update
551 its IP address and port mapping and sends further traffic to wrong
552 host or port. This situation is fixed immediately when the attacker
553 stops modifying the packets as the first real packet will fix the
554 situation back to normal. Implementations MAY print out warning every
555 time the mapping is changed, as in normal case it should not happen
558 9. Intellectual property rights
560 The IETF has been notified of intellectual property rights claimed in
561 regard to some or all of the specification contained in this document.
562 For more information consult the online list of claimed rights.
564 SSH Communications Security Corp has notified the working group of one
565 or more patents or patent applications that may be relevant to this
566 internet-draft. SSH Communications Security Corp has already given a
567 license for those patents to the IETF. For more information consult the
568 online list of claimed rights.
572 Thanks to Markus Stenberg, Larry DiBurro and William Dixon who
573 contributed actively to this document.
575 Thanks to Tatu Ylonen, Santeri Paavolainen, and Joern Sierwald who
576 contributed to the drafts used as base for this document.
580 [RFC-2409] Harkins D., Carrel D., "The Internet Key Exchange (IKE)",
583 [RFC-2407] Piper D., "The Internet IP Security Domain Of Interpretation
584 for ISAKMP", November 1998
586 [RFC-2119] Bradner, S., "Key words for use in RFCs to indicate
589 T. Kivinen, et. al. [page 10]
591 INTERNET-DRAFT 24 June 2002
593 Requirement Levels", March 1997
595 [Hutt02] Huttunen, A. et. al., "UDP Encapsulation of IPsec Packets",
596 draft-ietf-ipsec-udp-encaps-03.txt, June 2002
598 [Dixon01] Dixon, W. et. al., "IPSec over NAT Justification for UDP
599 Encapsulation", draft-ietf-ipsec-udp-encaps-justification-00.txt, June
602 12. Authors' Addresses
605 SSH Communications Security Corp
609 E-mail: kivinen@ssh.fi
616 E-mail: Ari.Huttunen@F-Secure.com
622 E-mail: briansw@microsoft.com
629 E-mail: vvolpe@cisco.com
647 T. Kivinen, et. al. [page 11]
650 SSH Communications Security http://www.ssh.fi/
651 SSH IPSEC Toolkit http://www.ssh.fi/ipsec/