| blob | 94bcba0eb16813760023780e90a5edba79dfed0e |
7 Network Working Group T. Kivinen
8 Request for Comments: 3947 SafeNet
9 Category: Standards Track B. Swander
10 Microsoft
11 A. Huttunen
12 F-Secure Corporation
13 V. Volpe
14 Cisco Systems
15 January 2005
18 Negotiation of NAT-Traversal in the IKE
20 Status of this Memo
22 This document specifies an Internet standards track protocol for the
23 Internet community, and requests discussion and suggestions for
24 improvements. Please refer to the current edition of the "Internet
25 Official Protocol Standards" (STD 1) for the standardization state
26 and status of this protocol. Distribution of this memo is unlimited.
28 Copyright Notice
30 Copyright (C) The Internet Society (2005).
32 Abstract
34 This document describes how to detect one or more network address
35 translation devices (NATs) between IPsec hosts, and how to negotiate
36 the use of UDP encapsulation of IPsec packets through NAT boxes in
37 Internet Key Exchange (IKE).
58 Kivinen, et al. Standards Track [Page 1]
59 \f
60 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
63 Table of Contents
65 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . 2
66 2. Specification of Requirements . . . . . . . . . . . . . . . . . 3
67 3. Phase 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
68 3.1. Detecting Support of NAT-Traversal. . . . . . . . . . . . 4
69 3.2. Detecting the Presence of NAT . . . . . . . . . . . . . . 4
70 4. Changing to New Ports . . . . . . . . . . . . . . . . . . . . . 6
71 5. Quick Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . 8
72 5.1. Negotiation of the NAT-Traversal Encapsulation. . . . . . 9
73 5.2. Sending the Original Source and Destination Addresses . . 9
74 6. Initial Contact Notifications. . . . . . . . . . . . . . . . . 11
75 7. Recovering from the Expiring NAT Mappings. . . . . . . . . . . 11
76 8. Security Considerations. . . . . . . . . . . . . . . . . . . . 12
77 9. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 13
78 10. IAB Considerations . . . . . . . . . . . . . . . . . . . . . . 14
79 11. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 14
80 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
81 12.1. Normative References . . . . . . . . . . . . . . . . . . 14
82 12.2. Informative References . . . . . . . . . . . . . . . . . 14
83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
84 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 16
86 1. Introduction
88 This document is split into two parts. The first describes what is
89 needed in IKE Phase 1 for NAT-Traversal support. This includes
90 detecting whether the other end supports NAT-Traversal, and detecting
91 whether there is one or more NATs between the peers.
93 The second part describes how to negotiate the use of UDP
94 encapsulated IPsec packets in IKE's Quick Mode. It also describes
95 how to transmit the original source and destination addresses to the
96 peer, if required. These addresses are used in transport mode to
97 update the TCP/IP checksums incrementally so that they will match
98 after the NAT transform. (The NAT cannot do this, because the TCP/IP
99 checksum is inside the UDP encapsulated IPsec packet.)
101 The document [RFC3948] describes the details of UDP encapsulation,
102 and [RFC3715] provides background information and motivation of NAT-
103 Traversal in general. In combination with [RFC3948], this document
104 represents an "unconditionally compliant" solution to the
105 requirements as defined by [RFC3715].
107 In the basic scenario for this document, the initiator is behind
108 NA(P)T, and the responder has a fixed static IP address.
114 Kivinen, et al. Standards Track [Page 2]
115 \f
116 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
119 This document defines a protocol that will work even if both ends are
120 behind NAT, but the process of how to locate the other end is out of
121 the scope of this document. In one scenario, the responder is behind
122 a static host NAT (only one responder per IP, as there is no way to
123 use any destination ports other than 500/4500). That is, it is known
124 by the configuration.
126 2. Specification of Requirements
128 This document shall use the keywords "MUST", "MUST NOT", "REQUIRED",
129 "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED, "MAY",
130 and "OPTIONAL" to describe requirements. They are to be interpreted
131 as described in [RFC2119].
133 3. Phase 1
135 The detection of support for NAT-Traversal and detection of NAT along
136 the path between the two IKE peers occurs in IKE [RFC2409] Phase 1.
138 The NAT may change the IKE UDP source port, and recipients MUST be
139 able to process IKE packets whose source port is different from 500.
140 The NAT does not have to change the source port if:
142 o only one IPsec host is behind the NAT, or
144 o for the first IPsec host, the NAT can keep the port 500, and the
145 NAT will only change the port number for later connections.
147 Recipients MUST reply back to the source address from the packet (see
148 [RFC3715], section 2.1, case d). This means that when the original
149 responder is doing rekeying or sending notifications to the original
150 initiator, it MUST send the packets using the same set of port and IP
151 numbers used when the IKE SA was last used.
153 For example, when the initiator sends a packet with source and
154 destination port 500, the NAT may change it to a packet with source
155 port 12312 and destination port 500. The responder must be able to
156 process the packet whose source port is 12312. It must reply back
157 with a packet whose source port is 500 and destination port is 12312.
158 The NAT will then translate this packet to source port 500 and
159 destination port 500.
170 Kivinen, et al. Standards Track [Page 3]
171 \f
172 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
175 3.1. Detecting Support of NAT-Traversal
177 The NAT-Traversal capability of the remote host is determined by an
178 exchange of vendor ID payloads. In the first two messages of Phase
179 1, the vendor id payload for this specification MUST be sent if
180 supported (and it MUST be received by both sides) for the NAT-
181 Traversal probe to continue. The content of the payload is the MD5
182 hash of
184 RFC 3947
186 The exact content in hex for the payload is
188 4a131c81070358455c5728f20e95452f
190 3.2. Detecting the Presence of NAT
192 The NAT-D payload not only detects the presence of NAT between the
193 two IKE peers, but also detects where the NAT is. The location of
194 the NAT device is important, as the keepalives have to initiate from
195 the peer "behind" the NAT.
197 To detect NAT between the two hosts, we have to detect whether the IP
198 address or the port changes along the path. This is done by sending
199 the hashes of the IP addresses and ports of both IKE peers from each
200 end to the other. If both ends calculate those hashes and get same
201 result, they know there is no NAT between. If the hashes do not
202 match, somebody has translated the address or port. This means that
203 we have to do NAT-Traversal to get IPsec packets through.
205 If the sender of the packet does not know his own IP address (in case
206 of multiple interfaces, and the implementation does not know which IP
207 address is used to route the packet out), the sender can include
208 multiple local hashes to the packet (as separate NAT-D payloads). In
209 this case, NAT is detected if and only if none of the hashes match.
211 The hashes are sent as a series of NAT-D (NAT discovery) payloads.
212 Each payload contains one hash, so in case of multiple hashes,
213 multiple NAT-D payloads are sent. In the normal case there are only
214 two NAT-D payloads.
216 The NAT-D payloads are included in the third and fourth packets of
217 Main Mode, and in the second and third packets in the Aggressive
218 Mode.
226 Kivinen, et al. Standards Track [Page 4]
227 \f
228 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
231 The format of the NAT-D packet is
233 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
234 +---------------+---------------+---------------+---------------+
235 | Next Payload | RESERVED | Payload length |
236 +---------------+---------------+---------------+---------------+
237 ~ HASH of the address and port ~
238 +---------------+---------------+---------------+---------------+
240 The payload type for the NAT discovery payload is 20.
242 The HASH is calculated as follows:
244 HASH = HASH(CKY-I | CKY-R | IP | Port)
246 This uses the negotiated HASH algorithm. All data inside the HASH is
247 in the network byte-order. The IP is 4 octets for an IPv4 address
248 and 16 octets for an IPv6 address. The port number is encoded as a 2
249 octet number in network byte-order. The first NAT-D payload contains
250 the remote end's IP address and port (i.e., the destination address
251 of the UDP packet). The remaining NAT-D payloads contain possible
252 local-end IP addresses and ports (i.e., all possible source addresses
253 of the UDP packet).
255 If there is no NAT between the peers, the first NAT-D payload
256 received should match one of the local NAT-D payloads (i.e., the
257 local NAT-D payloads this host is sending out), and one of the other
258 NAT-D payloads must match the remote end's IP address and port. If
259 the first check fails (i.e., first NAT-D payload does not match any
260 of the local IP addresses and ports), it means that there is dynamic
261 NAT between the peers, and this end should start sending keepalives
262 as defined in the [RFC3948] (this end is behind the NAT).
264 The CKY-I and CKY-R are the initiator and responder cookies. They
265 are added to the hash to make precomputation attacks for the IP
266 address and port impossible.
268 The following example is of a Phase 1 exchange using NAT-Traversal in
269 Main Mode (authentication with signatures):
271 Initiator Responder
272 ------------ ------------
273 HDR, SA, VID -->
274 <-- HDR, SA, VID
275 HDR, KE, Ni, NAT-D, NAT-D -->
276 <-- HDR, KE, Nr, NAT-D, NAT-D
277 HDR*#, IDii, [CERT, ] SIG_I -->
278 <-- HDR*#, IDir, [CERT, ], SIG_R
282 Kivinen, et al. Standards Track [Page 5]
283 \f
284 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
287 The following example is of Phase 1 exchange using NAT-Traversal in
288 Aggressive Mode (authentication with signatures):
290 Initiator Responder
291 ------------ ------------
292 HDR, SA, KE, Ni, IDii, VID -->
293 <-- HDR, SA, KE, Nr, IDir,
294 [CERT, ], VID, NAT-D,
295 NAT-D, SIG_R
296 HDR*#, [CERT, ], NAT-D, NAT-D,
297 SIG_I -->
299 The # sign indicates that those packets are sent to the changed port
300 if NAT is detected.
302 4. Changing to New Ports
304 IPsec-aware NATs can cause problems (See [RFC3715], section 2.3).
305 Some NATs will not change IKE source port 500 even if there are
306 multiple clients behind the NAT (See [RFC3715], section 2.3, case n).
307 They can also use IKE cookies to demultiplex traffic instead of using
308 the source port (See [RFC3715], section 2.3, case m). Both of these
309 are problematic for generic NAT transparency, as it is difficult for
310 IKE to discover the capabilities of the NAT. The best approach is
311 simply to move the IKE traffic off port 500 as soon as possible to
312 avoid any IPsec-aware NAT special casing.
314 Take the common case of the initiator behind the NAT. The initiator
315 must quickly change to port 4500 once the NAT has been detected to
316 minimize the window of IPsec-aware NAT problems.
318 In Main Mode, the initiator MUST change ports when sending the ID
319 payload if there is NAT between the hosts. The initiator MUST set
320 both UDP source and destination ports to 4500. All subsequent
321 packets sent to this peer (including informational notifications)
322 MUST be sent on port 4500. In addition, the IKE data MUST be
323 prepended with a non-ESP marker allowing for demultiplexing of
324 traffic, as defined in [RFC3948].
326 Thus, the IKE packet now looks like this:
328 IP UDP(4500,4500) <non-ESP marker> HDR*, IDii, [CERT, ] SIG_I
330 This assumes authentication using signatures. The 4 bytes of non-ESP
331 marker are defined in the [RFC3948].
338 Kivinen, et al. Standards Track [Page 6]
339 \f
340 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
343 When the responder gets this packet, the usual decryption and
344 processing of the various payloads is performed. If these are
345 successful, the responder MUST update local state so that all
346 subsequent packets (including informational notifications) to the
347 peer use the new port, and possibly the new IP address obtained from
348 the incoming valid packet. The port will generally be different, as
349 the NAT will map UDP(500,500) to UDP(X,500), and UDP(4500,4500) to
350 UDP(Y,4500). The IP address will seldom be different from the pre-
351 changed IP address. The responder MUST respond with all subsequent
352 IKE packets to this peer by using UDP(4500,Y).
354 Similarly, if the responder has to rekey the Phase 1 SA, then the
355 rekey negotiation MUST be started by using UDP(4500,Y). Any
356 implementation that supports NAT traversal MUST support negotiations
357 that begin on port 4500. If a negotiation starts on port 4500, then
358 it doesn't need to change anywhere else in the exchange.
360 Once port change has occurred, if a packet is received on port 500,
361 that packet is old. If the packet is an informational packet, it MAY
362 be processed if local policy allows this. If the packet is a Main
363 Mode or an Aggressive Mode packet (with the same cookies as previous
364 packets), it SHOULD be discarded. If the packet is a new Main Mode
365 or Aggressive exchange, then it is processed normally (the other end
366 might have rebooted, and this is starting new exchange).
368 Here is an example of a Phase 1 exchange using NAT-Traversal in Main
369 Mode (authentication with signatures) with changing port:
371 Initiator Responder
372 ------------ ------------
373 UDP(500,500) HDR, SA, VID -->
374 <-- UDP(500,X) HDR, SA, VID
375 UDP(500,500) HDR, KE, Ni,
376 NAT-D, NAT-D -->
377 <-- UDP(500,X) HDR, KE, Nr,
378 NAT-D, NAT-D
379 UDP(4500,4500) HDR*#, IDii,
380 [CERT, ]SIG_I -->
381 <-- UDP(4500,Y) HDR*#, IDir,
382 [ CERT, ], SIG_R
384 The procedure for Aggressive Mode is very similar. After the NAT has
385 been detected, the initiator sends IP UDP(4500,4500) <4 bytes of
386 non-ESP marker> HDR*, [CERT, ], NAT-D, NAT-D, and SIG_I. The
387 responder does similar processing to the above, and if successful,
388 MUST update it's internal IKE ports. The responder MUST respond with
389 all subsequent IKE packets to this peer by using UDP(4500,Y).
394 Kivinen, et al. Standards Track [Page 7]
395 \f
396 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
399 Initiator Responder
400 ------------ ------------
401 UDP(500,500) HDR, SA, KE,
402 Ni, IDii, VID -->
403 <-- UDP(500,X) HDR, SA, KE,
404 Nr, IDir, [CERT, ],
405 VID, NAT-D, NAT-D,
406 SIG_R
407 UDP(4500,4500) HDR*#, [CERT, ],
408 NAT-D, NAT-D,
409 SIG_I -->
410 <-- UDP(4500, Y) HDR*#, ...
412 If the support of the NAT-Traversal is enabled, the port in the ID
413 payload in Main Mode/Aggressive Mode MUST be set to 0.
415 The most common case for the responder behind the NAT is if the NAT
416 is simply doing 1:1 address translation. In this case, the initiator
417 still changes both ports to 4500. The responder uses an algorithm
418 identical to that above, although in this case Y will equal 4500, as
419 no port translation is happening.
421 A different port change case involves out-of-band discovery of the
422 ports to use. Those discovery methods are out of the scope of this
423 document. For instance, if the responder is behind a port
424 translating NAT, and the initiator needs to contact it first, then
425 the initiator will have to determine which ports to use, usually by
426 contacting some other server. Once the initiator knows which ports
427 to use to traverse the NAT, generally something like UDP(Z,4500), it
428 initiates using these ports. This is similar to the responder rekey
429 case above in that the ports to use are already known up front, and
430 no additional change has to take place. Also, the first keepalive
431 timer starts after the change to the new port, and no keepalives are
432 sent to the port 500.
434 5. Quick Mode
436 After Phase 1, both ends know whether there is a NAT present between
437 them. The final decision of using NAT-Traversal is left to Quick
438 Mode. The use of NAT-Traversal is negotiated inside the SA payloads
439 of Quick Mode. In Quick Mode, both ends can also send the original
440 addresses of the IPsec packets (in case of the transport mode) to the
441 other end so that each can fix the TCP/IP checksum field after the
442 NAT transformation.
450 Kivinen, et al. Standards Track [Page 8]
451 \f
452 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
455 5.1. Negotiation of the NAT-Traversal Encapsulation
457 The negotiation of the NAT-Traversal happens by adding two new
458 encapsulation modes. These encapsulation modes are
460 UDP-Encapsulated-Tunnel 3
461 UDP-Encapsulated-Transport 4
463 It is not normally useful to propose both normal tunnel or transport
464 mode and UDP-Encapsulated modes. UDP encapsulation is required to
465 fix the inability to handle non-UDP/TCP traffic by NATs (see
466 [RFC3715], section 2.2, case i).
468 If there is a NAT box between hosts, normal tunnel or transport
469 encapsulations may not work. In this case, UDP-Encapsulation SHOULD
470 be used.
472 If there is no NAT box between, there is no point in wasting
473 bandwidth by adding UDP encapsulation of packets. Thus, UDP-
474 Encapsulation SHOULD NOT be used.
476 Also, the initiator SHOULD NOT include both normal tunnel or
477 transport mode and UDP-Encapsulated-Tunnel or UDP-Encapsulated-
478 Transport in its proposals.
480 5.2. Sending the Original Source and Destination Addresses
482 To perform incremental TCP checksum updates, both peers may need to
483 know the original IP addresses used by their peers when those peers
484 constructed the packet (see [RFC3715], section 2.1, case b). For the
485 initiator, the original Initiator address is defined to be the
486 Initiator's IP address. The original Responder address is defined to
487 be the perceived peer's IP address. For the responder, the original
488 Initiator address is defined to be the perceived peer's address. The
489 original Responder address is defined to be the Responder's IP
490 address.
492 The original addresses are sent by using NAT-OA (NAT Original
493 Address) payloads.
495 The Initiator NAT-OA payload is first. The Responder NAT-OA payload
496 is second.
498 Example 1:
500 Initiator <---------> NAT <---------> Responder
501 ^ ^ ^
502 Iaddr NatPub Raddr
506 Kivinen, et al. Standards Track [Page 9]
507 \f
508 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
511 The initiator is behind a NAT talking to the publicly available
512 responder. Initiator and Responder have the IP addresses Iaddr and
513 Raddr. NAT has public IP address NatPub.
515 Initiator:
517 NAT-OAi = Iaddr
518 NAT-OAr = Raddr
520 Responder:
521 NAT-OAi = NATPub
522 NAT-OAr = Raddr
524 Example 2:
526 Initiator <------> NAT1 <---------> NAT2 <-------> Responder
527 ^ ^ ^ ^
528 Iaddr Nat1Pub Nat2Pub Raddr
530 Here, NAT2 "publishes" Nat2Pub for Responder and forwards all traffic
531 to that address to Responder.
533 Initiator:
534 NAT-OAi = Iaddr
535 NAT-OAr = Nat2Pub
537 Responder:
538 NAT-OAi = Nat1Pub
539 NAT-OAr = Raddr
541 In the case of transport mode, both ends MUST send both original
542 Initiator and Responder addresses to the other end. For tunnel mode,
543 both ends SHOULD NOT send original addresses to the other end.
545 The NAT-OA payloads are sent inside the first and second packets of
546 Quick Mode. The initiator MUST send the payloads if it proposes any
547 UDP-Encapsulated-Transport mode, and the responder MUST send the
548 payload only if it selected UDP-Encapsulated-Transport mode. It is
549 possible that the initiator sends the NAT-OA payload but proposes
550 both UDP-Encapsulated transport and tunnel mode. Then the responder
551 selects the UDP-Encapsulated tunnel mode and does not send the NAT-OA
552 payload back.
562 Kivinen, et al. Standards Track [Page 10]
563 \f
564 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
567 The format of the NAT-OA packet is
569 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
570 +---------------+---------------+---------------+---------------+
571 | Next Payload | RESERVED | Payload length |
572 +---------------+---------------+---------------+---------------+
573 | ID Type | RESERVED | RESERVED |
574 +---------------+---------------+---------------+---------------+
575 | IPv4 (4 octets) or IPv6 address (16 octets) |
576 +---------------+---------------+---------------+---------------+
578 The payload type for the NAT original address payload is 21.
580 The ID type is defined in the [RFC2407]. Only ID_IPV4_ADDR and
581 ID_IPV6_ADDR types are allowed. The two reserved fields after the ID
582 Type must be zero.
584 The following example is of Quick Mode using NAT-OA payloads:
586 Initiator Responder
587 ------------ ------------
588 HDR*, HASH(1), SA, Ni, [, KE]
589 [, IDci, IDcr ]
590 [, NAT-OAi, NAT-OAr] -->
591 <-- HDR*, HASH(2), SA, Nr, [, KE]
592 [, IDci, IDcr ]
593 [, NAT-OAi, NAT-OAr]
594 HDR*, HASH(3) -->
596 6. Initial Contact Notifications
598 The source IP and port address of the INITIAL-CONTACT notification
599 for the host behind NAT are not meaningful (as NAT can change them),
600 so the IP and port numbers MUST NOT be used to determine which
601 IKE/IPsec SAs to remove (see [RFC3715], section 2.1, case c). The ID
602 payload sent from the other end SHOULD be used instead; i.e., when an
603 INITIAL-CONTACT notification is received from the other end, the
604 receiving end SHOULD remove all the SAs associated with the same ID
605 payload.
607 7. Recovering from the Expiring NAT Mappings
609 There are cases where NAT box decides to remove mappings that are
610 still alive (for example, when the keepalive interval is too long, or
611 when the NAT box is rebooted). To recover from this, ends that are
612 NOT behind NAT SHOULD use the last valid UDP encapsulated IKE or
613 IPsec packet from the other end to determine which IP and port
614 addresses should be used. The host behind dynamic NAT MUST NOT do
618 Kivinen, et al. Standards Track [Page 11]
619 \f
620 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
623 this, as otherwise it opens a DoS attack possibility because the IP
624 address or port of the other host will not change (it is not behind
625 NAT).
627 Keepalives cannot be used for these purposes, as they are not
628 authenticated, but any IKE authenticated IKE packet or ESP packet can
629 be used to detect whether the IP address or the port has changed.
631 8. Security Considerations
633 Whenever changes to some fundamental parts of a security protocol are
634 proposed, the examination of security implications cannot be skipped.
635 Therefore, here are some observations about the effects, and about
636 whether or not these effects matter.
638 o IKE probes reveal NAT-Traversal support to anyone watching the
639 traffic. Disclosing that NAT-Traversal is supported does not
640 introduce new vulnerabilities.
642 o The value of authentication mechanisms based on IP addresses
643 disappears once NATs are in the picture. That is not necessarily
644 a bad thing (for any real security, authentication measures other
645 than IP addresses should be used). This means that authentication
646 with pre-shared keys cannot be used in Main Mode without using
647 group-shared keys for everybody behind the NAT box. Using group
648 shared keys is a huge risk because it allows anyone in the group
649 to authenticate to any other party and claim to be anybody in the
650 group; e.g., a normal user could impersonate a vpn-gateway and act
651 as a man in the middle, and read/modify all traffic to/from others
652 in the group. Use of group-shared keys is NOT RECOMMENDED.
654 o As the internal address space is only 32 bits and is usually very
655 sparse, it might be possible for the attacker to find out the
656 internal address used behind the NAT box by trying all possible
657 IP-addresses to find the matching hash. The port numbers are
658 normally fixed to 500, and the cookies can be extracted from the
659 packet. This limits the hash calculations to 2^32. If an
660 educated guess of the private address space is made, then the
661 number of hash calculations needed to find out the internal IP
662 address goes down to 2^24 + 2 * (2^16).
664 o Neither NAT-D payloads nor Vendor ID payloads are authenticated in
665 Main Mode nor in Aggressive Mode. This means that attacker can
666 remove those payloads, modify them, or add them. By removing or
667 adding them, the attacker can cause Denial of Service attacks. By
668 modifying the NAT-D packets, the attacker can cause both ends to
669 use UDP-Encapsulated modes instead of directly using tunnel or
670 transport mode, thus wasting some bandwidth.
674 Kivinen, et al. Standards Track [Page 12]
675 \f
676 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
679 o Sending the original source address in the Quick Mode reveals the
680 internal IP address behind the NAT to the other end. In this case
681 we have already authenticated the other end, and sending the
682 original source address is only needed in transport mode.
684 o Updating the IKE SA/ESP UDP encapsulation IP addresses and ports
685 for each valid authenticated packet can cause DoS if an attacker
686 can listen to all traffic in the network, change the order of the
687 packets, and inject new packets before the packet he has already
688 seen. In other words, the attacker can take an authenticated
689 packet from the host behind NAT, change the packet UDP source or
690 destination ports or IP addresses and send it out to the other end
691 before the real packet reaches it. The host not behind the NAT
692 will update its IP address and port mapping and send further
693 traffic to the wrong host or port. This situation is fixed
694 immediately when the attacker stops modifying the packets, as the
695 first real packet will fix the situation. Implementations SHOULD
696 AUDIT the event every time the mapping is changed, as it should
697 not happen that often.
699 9. IANA Considerations
701 This document contains two new "magic numbers" allocated from the
702 existing IANA registry for IPsec and renames existing registered port
703 4500. This document also defines 2 new payload types for IKE.
705 The following are new items that have been added in the "Internet
706 Security Association and Key Management Protocol (ISAKMP)
707 Identifiers" Encapsulation Mode registry:
709 Name Value Reference
710 ---- ----- ---------
711 UDP-Encapsulated-Tunnel 3 [RFC3947]
712 UDP-Encapsulated-Transport 4 [RFC3947]
714 Change in the registered port registry:
716 Keyword Decimal Description Reference
717 ------- ------- ----------- ---------
718 ipsec-nat-t 4500/tcp IPsec NAT-Traversal [RFC3947]
719 ipsec-nat-t 4500/udp IPsec NAT-Traversal [RFC3947]
730 Kivinen, et al. Standards Track [Page 13]
731 \f
732 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
735 New IKE payload numbers need to be added to the Next Payload Types
736 registry:
738 NAT-D 20 NAT Discovery Payload
739 NAT-OA 21 NAT Original Address Payload
741 10. IAB Considerations
743 The UNSAF [RFC3424] questions are addressed by the IPsec-NAT
744 compatibility requirements document [RFC3715].
746 11. Acknowledgments
748 Thanks to Markus Stenberg, Larry DiBurro, and William Dixon, who
749 contributed actively to this document.
751 Thanks to Tatu Ylonen, Santeri Paavolainen, and Joern Sierwald, who
752 contributed to the document used as the base for this document.
754 12. References
756 12.1. Normative References
758 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
759 (IKE)", RFC 2409, November 1998.
761 [RFC2407] Piper, D., "The Internet IP Security Domain of
762 Interpretation for ISAKMP", RFC 2407, November 1998.
764 [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
765 Stenberg, "UDP Encapsulation of IPsec Packets", RFC 3948,
766 January 2005.
768 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
769 Requirement Levels", BCP 14, RFC 2119, March 1997.
771 12.2. Informative References
773 [RFC3715] Aboba, B. and W. Dixon, "IPsec-Network Address Translation
774 (NAT) Compatibility Requirements", RFC 3715, March 2004.
776 [RFC3424] Daigle, L. and IAB, "IAB Considerations for UNilateral
777 Self-Address Fixing (UNSAF) Across Network Address
778 Translation", RFC 3424, November 2002.
786 Kivinen, et al. Standards Track [Page 14]
787 \f
788 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
791 Authors' Addresses
793 Tero Kivinen
794 SafeNet, Inc.
795 Fredrikinkatu 47
796 FIN-00100 HELSINKI
797 Finland
799 EMail: kivinen@safenet-inc.com
802 Ari Huttunen
803 F-Secure Corporation
804 Tammasaarenkatu 7,
805 FIN-00181 HELSINKI
806 Finland
808 EMail: Ari.Huttunen@F-Secure.com
811 Brian Swander
812 Microsoft
813 One Microsoft Way
814 Redmond, WA 98052
815 USA
817 EMail: briansw@microsoft.com
820 Victor Volpe
821 Cisco Systems
822 124 Grove Street
823 Suite 205
824 Franklin, MA 02038
825 USA
827 EMail: vvolpe@cisco.com
842 Kivinen, et al. Standards Track [Page 15]
843 \f
844 RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005
847 Full Copyright Statement
849 Copyright (C) The Internet Society (2005).
851 This document is subject to the rights, licenses and restrictions
852 contained in BCP 78, and except as set forth therein, the authors
853 retain all their rights.
855 This document and the information contained herein are provided on an
856 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
857 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
858 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
859 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
860 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
861 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
863 Intellectual Property
865 The IETF takes no position regarding the validity or scope of any
866 Intellectual Property Rights or other rights that might be claimed to
867 pertain to the implementation or use of the technology described in
868 this document or the extent to which any license under such rights
869 might or might not be available; nor does it represent that it has
870 made any independent effort to identify any such rights. Information
871 on the IETF's procedures with respect to rights in IETF Documents can
872 be found in BCP 78 and BCP 79.
874 Copies of IPR disclosures made to the IETF Secretariat and any
875 assurances of licenses to be made available, or the result of an
876 attempt made to obtain a general license or permission for the use of
877 such proprietary rights by implementers or users of this
878 specification can be obtained from the IETF on-line IPR repository at
879 http://www.ietf.org/ipr.
881 The IETF invites any interested party to bring to its attention any
882 copyrights, patents or patent applications, or other proprietary
883 rights that may cover technology that may be required to implement
884 this standard. Please address the information to the IETF at ietf-
885 ipr@ietf.org.
887 Acknowledgement
889 Funding for the RFC Editor function is currently provided by the
890 Internet Society.
898 Kivinen, et al. Standards Track [Page 16]
899 \f