1 2 3 4 5 6 7Network Working Group T. Kivinen 8Request for Comments: 3947 SafeNet 9Category: Standards Track B. Swander 10 Microsoft 11 A. Huttunen 12 F-Secure Corporation 13 V. Volpe 14 Cisco Systems 15 January 2005 16 17 18 Negotiation of NAT-Traversal in the IKE 19 20Status of this Memo 21 22 This document specifies an Internet standards track protocol for the 23 Internet community, and requests discussion and suggestions for 24 improvements. Please refer to the current edition of the "Internet 25 Official Protocol Standards" (STD 1) for the standardization state 26 and status of this protocol. Distribution of this memo is unlimited. 27 28Copyright Notice 29 30 Copyright (C) The Internet Society (2005). 31 32Abstract 33 34 This document describes how to detect one or more network address 35 translation devices (NATs) between IPsec hosts, and how to negotiate 36 the use of UDP encapsulation of IPsec packets through NAT boxes in 37 Internet Key Exchange (IKE). 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58Kivinen, et al. Standards Track [Page 1] 59 60RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 61 62 63Table of Contents 64 65 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . 2 66 2. Specification of Requirements . . . . . . . . . . . . . . . . . 3 67 3. Phase 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 68 3.1. Detecting Support of NAT-Traversal. . . . . . . . . . . . 4 69 3.2. Detecting the Presence of NAT . . . . . . . . . . . . . . 4 70 4. Changing to New Ports . . . . . . . . . . . . . . . . . . . . . 6 71 5. Quick Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . 8 72 5.1. Negotiation of the NAT-Traversal Encapsulation. . . . . . 9 73 5.2. Sending the Original Source and Destination Addresses . . 9 74 6. Initial Contact Notifications. . . . . . . . . . . . . . . . . 11 75 7. Recovering from the Expiring NAT Mappings. . . . . . . . . . . 11 76 8. Security Considerations. . . . . . . . . . . . . . . . . . . . 12 77 9. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 13 78 10. IAB Considerations . . . . . . . . . . . . . . . . . . . . . . 14 79 11. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 14 80 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 81 12.1. Normative References . . . . . . . . . . . . . . . . . . 14 82 12.2. Informative References . . . . . . . . . . . . . . . . . 14 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 84 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 16 85 861. Introduction 87 88 This document is split into two parts. The first describes what is 89 needed in IKE Phase 1 for NAT-Traversal support. This includes 90 detecting whether the other end supports NAT-Traversal, and detecting 91 whether there is one or more NATs between the peers. 92 93 The second part describes how to negotiate the use of UDP 94 encapsulated IPsec packets in IKE's Quick Mode. It also describes 95 how to transmit the original source and destination addresses to the 96 peer, if required. These addresses are used in transport mode to 97 update the TCP/IP checksums incrementally so that they will match 98 after the NAT transform. (The NAT cannot do this, because the TCP/IP 99 checksum is inside the UDP encapsulated IPsec packet.) 100 101 The document [RFC3948] describes the details of UDP encapsulation, 102 and [RFC3715] provides background information and motivation of NAT- 103 Traversal in general. In combination with [RFC3948], this document 104 represents an "unconditionally compliant" solution to the 105 requirements as defined by [RFC3715]. 106 107 In the basic scenario for this document, the initiator is behind 108 NA(P)T, and the responder has a fixed static IP address. 109 110 111 112 113 114Kivinen, et al. Standards Track [Page 2] 115 116RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 117 118 119 This document defines a protocol that will work even if both ends are 120 behind NAT, but the process of how to locate the other end is out of 121 the scope of this document. In one scenario, the responder is behind 122 a static host NAT (only one responder per IP, as there is no way to 123 use any destination ports other than 500/4500). That is, it is known 124 by the configuration. 125 1262. Specification of Requirements 127 128 This document shall use the keywords "MUST", "MUST NOT", "REQUIRED", 129 "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED, "MAY", 130 and "OPTIONAL" to describe requirements. They are to be interpreted 131 as described in [RFC2119]. 132 1333. Phase 1 134 135 The detection of support for NAT-Traversal and detection of NAT along 136 the path between the two IKE peers occurs in IKE [RFC2409] Phase 1. 137 138 The NAT may change the IKE UDP source port, and recipients MUST be 139 able to process IKE packets whose source port is different from 500. 140 The NAT does not have to change the source port if: 141 142 o only one IPsec host is behind the NAT, or 143 144 o for the first IPsec host, the NAT can keep the port 500, and the 145 NAT will only change the port number for later connections. 146 147 Recipients MUST reply back to the source address from the packet (see 148 [RFC3715], section 2.1, case d). This means that when the original 149 responder is doing rekeying or sending notifications to the original 150 initiator, it MUST send the packets using the same set of port and IP 151 numbers used when the IKE SA was last used. 152 153 For example, when the initiator sends a packet with source and 154 destination port 500, the NAT may change it to a packet with source 155 port 12312 and destination port 500. The responder must be able to 156 process the packet whose source port is 12312. It must reply back 157 with a packet whose source port is 500 and destination port is 12312. 158 The NAT will then translate this packet to source port 500 and 159 destination port 500. 160 161 162 163 164 165 166 167 168 169 170Kivinen, et al. Standards Track [Page 3] 171 172RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 173 174 1753.1. Detecting Support of NAT-Traversal 176 177 The NAT-Traversal capability of the remote host is determined by an 178 exchange of vendor ID payloads. In the first two messages of Phase 179 1, the vendor id payload for this specification MUST be sent if 180 supported (and it MUST be received by both sides) for the NAT- 181 Traversal probe to continue. The content of the payload is the MD5 182 hash of 183 184 RFC 3947 185 186 The exact content in hex for the payload is 187 188 4a131c81070358455c5728f20e95452f 189 1903.2. Detecting the Presence of NAT 191 192 The NAT-D payload not only detects the presence of NAT between the 193 two IKE peers, but also detects where the NAT is. The location of 194 the NAT device is important, as the keepalives have to initiate from 195 the peer "behind" the NAT. 196 197 To detect NAT between the two hosts, we have to detect whether the IP 198 address or the port changes along the path. This is done by sending 199 the hashes of the IP addresses and ports of both IKE peers from each 200 end to the other. If both ends calculate those hashes and get same 201 result, they know there is no NAT between. If the hashes do not 202 match, somebody has translated the address or port. This means that 203 we have to do NAT-Traversal to get IPsec packets through. 204 205 If the sender of the packet does not know his own IP address (in case 206 of multiple interfaces, and the implementation does not know which IP 207 address is used to route the packet out), the sender can include 208 multiple local hashes to the packet (as separate NAT-D payloads). In 209 this case, NAT is detected if and only if none of the hashes match. 210 211 The hashes are sent as a series of NAT-D (NAT discovery) payloads. 212 Each payload contains one hash, so in case of multiple hashes, 213 multiple NAT-D payloads are sent. In the normal case there are only 214 two NAT-D payloads. 215 216 The NAT-D payloads are included in the third and fourth packets of 217 Main Mode, and in the second and third packets in the Aggressive 218 Mode. 219 220 221 222 223 224 225 226Kivinen, et al. Standards Track [Page 4] 227 228RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 229 230 231 The format of the NAT-D packet is 232 233 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 234 +---------------+---------------+---------------+---------------+ 235 | Next Payload | RESERVED | Payload length | 236 +---------------+---------------+---------------+---------------+ 237 ~ HASH of the address and port ~ 238 +---------------+---------------+---------------+---------------+ 239 240 The payload type for the NAT discovery payload is 20. 241 242 The HASH is calculated as follows: 243 244 HASH = HASH(CKY-I | CKY-R | IP | Port) 245 246 This uses the negotiated HASH algorithm. All data inside the HASH is 247 in the network byte-order. The IP is 4 octets for an IPv4 address 248 and 16 octets for an IPv6 address. The port number is encoded as a 2 249 octet number in network byte-order. The first NAT-D payload contains 250 the remote end's IP address and port (i.e., the destination address 251 of the UDP packet). The remaining NAT-D payloads contain possible 252 local-end IP addresses and ports (i.e., all possible source addresses 253 of the UDP packet). 254 255 If there is no NAT between the peers, the first NAT-D payload 256 received should match one of the local NAT-D payloads (i.e., the 257 local NAT-D payloads this host is sending out), and one of the other 258 NAT-D payloads must match the remote end's IP address and port. If 259 the first check fails (i.e., first NAT-D payload does not match any 260 of the local IP addresses and ports), it means that there is dynamic 261 NAT between the peers, and this end should start sending keepalives 262 as defined in the [RFC3948] (this end is behind the NAT). 263 264 The CKY-I and CKY-R are the initiator and responder cookies. They 265 are added to the hash to make precomputation attacks for the IP 266 address and port impossible. 267 268 The following example is of a Phase 1 exchange using NAT-Traversal in 269 Main Mode (authentication with signatures): 270 271 Initiator Responder 272 ------------ ------------ 273 HDR, SA, VID --> 274 <-- HDR, SA, VID 275 HDR, KE, Ni, NAT-D, NAT-D --> 276 <-- HDR, KE, Nr, NAT-D, NAT-D 277 HDR*#, IDii, [CERT, ] SIG_I --> 278 <-- HDR*#, IDir, [CERT, ], SIG_R 279 280 281 282Kivinen, et al. Standards Track [Page 5] 283 284RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 285 286 287 The following example is of Phase 1 exchange using NAT-Traversal in 288 Aggressive Mode (authentication with signatures): 289 290 Initiator Responder 291 ------------ ------------ 292 HDR, SA, KE, Ni, IDii, VID --> 293 <-- HDR, SA, KE, Nr, IDir, 294 [CERT, ], VID, NAT-D, 295 NAT-D, SIG_R 296 HDR*#, [CERT, ], NAT-D, NAT-D, 297 SIG_I --> 298 299 The # sign indicates that those packets are sent to the changed port 300 if NAT is detected. 301 3024. Changing to New Ports 303 304 IPsec-aware NATs can cause problems (See [RFC3715], section 2.3). 305 Some NATs will not change IKE source port 500 even if there are 306 multiple clients behind the NAT (See [RFC3715], section 2.3, case n). 307 They can also use IKE cookies to demultiplex traffic instead of using 308 the source port (See [RFC3715], section 2.3, case m). Both of these 309 are problematic for generic NAT transparency, as it is difficult for 310 IKE to discover the capabilities of the NAT. The best approach is 311 simply to move the IKE traffic off port 500 as soon as possible to 312 avoid any IPsec-aware NAT special casing. 313 314 Take the common case of the initiator behind the NAT. The initiator 315 must quickly change to port 4500 once the NAT has been detected to 316 minimize the window of IPsec-aware NAT problems. 317 318 In Main Mode, the initiator MUST change ports when sending the ID 319 payload if there is NAT between the hosts. The initiator MUST set 320 both UDP source and destination ports to 4500. All subsequent 321 packets sent to this peer (including informational notifications) 322 MUST be sent on port 4500. In addition, the IKE data MUST be 323 prepended with a non-ESP marker allowing for demultiplexing of 324 traffic, as defined in [RFC3948]. 325 326 Thus, the IKE packet now looks like this: 327 328 IP UDP(4500,4500) <non-ESP marker> HDR*, IDii, [CERT, ] SIG_I 329 330 This assumes authentication using signatures. The 4 bytes of non-ESP 331 marker are defined in the [RFC3948]. 332 333 334 335 336 337 338Kivinen, et al. Standards Track [Page 6] 339 340RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 341 342 343 When the responder gets this packet, the usual decryption and 344 processing of the various payloads is performed. If these are 345 successful, the responder MUST update local state so that all 346 subsequent packets (including informational notifications) to the 347 peer use the new port, and possibly the new IP address obtained from 348 the incoming valid packet. The port will generally be different, as 349 the NAT will map UDP(500,500) to UDP(X,500), and UDP(4500,4500) to 350 UDP(Y,4500). The IP address will seldom be different from the pre- 351 changed IP address. The responder MUST respond with all subsequent 352 IKE packets to this peer by using UDP(4500,Y). 353 354 Similarly, if the responder has to rekey the Phase 1 SA, then the 355 rekey negotiation MUST be started by using UDP(4500,Y). Any 356 implementation that supports NAT traversal MUST support negotiations 357 that begin on port 4500. If a negotiation starts on port 4500, then 358 it doesn't need to change anywhere else in the exchange. 359 360 Once port change has occurred, if a packet is received on port 500, 361 that packet is old. If the packet is an informational packet, it MAY 362 be processed if local policy allows this. If the packet is a Main 363 Mode or an Aggressive Mode packet (with the same cookies as previous 364 packets), it SHOULD be discarded. If the packet is a new Main Mode 365 or Aggressive exchange, then it is processed normally (the other end 366 might have rebooted, and this is starting new exchange). 367 368 Here is an example of a Phase 1 exchange using NAT-Traversal in Main 369 Mode (authentication with signatures) with changing port: 370 371 Initiator Responder 372 ------------ ------------ 373 UDP(500,500) HDR, SA, VID --> 374 <-- UDP(500,X) HDR, SA, VID 375 UDP(500,500) HDR, KE, Ni, 376 NAT-D, NAT-D --> 377 <-- UDP(500,X) HDR, KE, Nr, 378 NAT-D, NAT-D 379 UDP(4500,4500) HDR*#, IDii, 380 [CERT, ]SIG_I --> 381 <-- UDP(4500,Y) HDR*#, IDir, 382 [ CERT, ], SIG_R 383 384 The procedure for Aggressive Mode is very similar. After the NAT has 385 been detected, the initiator sends IP UDP(4500,4500) <4 bytes of 386 non-ESP marker> HDR*, [CERT, ], NAT-D, NAT-D, and SIG_I. The 387 responder does similar processing to the above, and if successful, 388 MUST update it's internal IKE ports. The responder MUST respond with 389 all subsequent IKE packets to this peer by using UDP(4500,Y). 390 391 392 393 394Kivinen, et al. Standards Track [Page 7] 395 396RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 397 398 399 Initiator Responder 400 ------------ ------------ 401 UDP(500,500) HDR, SA, KE, 402 Ni, IDii, VID --> 403 <-- UDP(500,X) HDR, SA, KE, 404 Nr, IDir, [CERT, ], 405 VID, NAT-D, NAT-D, 406 SIG_R 407 UDP(4500,4500) HDR*#, [CERT, ], 408 NAT-D, NAT-D, 409 SIG_I --> 410 <-- UDP(4500, Y) HDR*#, ... 411 412 If the support of the NAT-Traversal is enabled, the port in the ID 413 payload in Main Mode/Aggressive Mode MUST be set to 0. 414 415 The most common case for the responder behind the NAT is if the NAT 416 is simply doing 1:1 address translation. In this case, the initiator 417 still changes both ports to 4500. The responder uses an algorithm 418 identical to that above, although in this case Y will equal 4500, as 419 no port translation is happening. 420 421 A different port change case involves out-of-band discovery of the 422 ports to use. Those discovery methods are out of the scope of this 423 document. For instance, if the responder is behind a port 424 translating NAT, and the initiator needs to contact it first, then 425 the initiator will have to determine which ports to use, usually by 426 contacting some other server. Once the initiator knows which ports 427 to use to traverse the NAT, generally something like UDP(Z,4500), it 428 initiates using these ports. This is similar to the responder rekey 429 case above in that the ports to use are already known up front, and 430 no additional change has to take place. Also, the first keepalive 431 timer starts after the change to the new port, and no keepalives are 432 sent to the port 500. 433 4345. Quick Mode 435 436 After Phase 1, both ends know whether there is a NAT present between 437 them. The final decision of using NAT-Traversal is left to Quick 438 Mode. The use of NAT-Traversal is negotiated inside the SA payloads 439 of Quick Mode. In Quick Mode, both ends can also send the original 440 addresses of the IPsec packets (in case of the transport mode) to the 441 other end so that each can fix the TCP/IP checksum field after the 442 NAT transformation. 443 444 445 446 447 448 449 450Kivinen, et al. Standards Track [Page 8] 451 452RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 453 454 4555.1. Negotiation of the NAT-Traversal Encapsulation 456 457 The negotiation of the NAT-Traversal happens by adding two new 458 encapsulation modes. These encapsulation modes are 459 460 UDP-Encapsulated-Tunnel 3 461 UDP-Encapsulated-Transport 4 462 463 It is not normally useful to propose both normal tunnel or transport 464 mode and UDP-Encapsulated modes. UDP encapsulation is required to 465 fix the inability to handle non-UDP/TCP traffic by NATs (see 466 [RFC3715], section 2.2, case i). 467 468 If there is a NAT box between hosts, normal tunnel or transport 469 encapsulations may not work. In this case, UDP-Encapsulation SHOULD 470 be used. 471 472 If there is no NAT box between, there is no point in wasting 473 bandwidth by adding UDP encapsulation of packets. Thus, UDP- 474 Encapsulation SHOULD NOT be used. 475 476 Also, the initiator SHOULD NOT include both normal tunnel or 477 transport mode and UDP-Encapsulated-Tunnel or UDP-Encapsulated- 478 Transport in its proposals. 479 4805.2. Sending the Original Source and Destination Addresses 481 482 To perform incremental TCP checksum updates, both peers may need to 483 know the original IP addresses used by their peers when those peers 484 constructed the packet (see [RFC3715], section 2.1, case b). For the 485 initiator, the original Initiator address is defined to be the 486 Initiator's IP address. The original Responder address is defined to 487 be the perceived peer's IP address. For the responder, the original 488 Initiator address is defined to be the perceived peer's address. The 489 original Responder address is defined to be the Responder's IP 490 address. 491 492 The original addresses are sent by using NAT-OA (NAT Original 493 Address) payloads. 494 495 The Initiator NAT-OA payload is first. The Responder NAT-OA payload 496 is second. 497 498 Example 1: 499 500 Initiator <---------> NAT <---------> Responder 501 ^ ^ ^ 502 Iaddr NatPub Raddr 503 504 505 506Kivinen, et al. Standards Track [Page 9] 507 508RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 509 510 511 The initiator is behind a NAT talking to the publicly available 512 responder. Initiator and Responder have the IP addresses Iaddr and 513 Raddr. NAT has public IP address NatPub. 514 515 Initiator: 516 517 NAT-OAi = Iaddr 518 NAT-OAr = Raddr 519 520 Responder: 521 NAT-OAi = NATPub 522 NAT-OAr = Raddr 523 524 Example 2: 525 526 Initiator <------> NAT1 <---------> NAT2 <-------> Responder 527 ^ ^ ^ ^ 528 Iaddr Nat1Pub Nat2Pub Raddr 529 530 Here, NAT2 "publishes" Nat2Pub for Responder and forwards all traffic 531 to that address to Responder. 532 533 Initiator: 534 NAT-OAi = Iaddr 535 NAT-OAr = Nat2Pub 536 537 Responder: 538 NAT-OAi = Nat1Pub 539 NAT-OAr = Raddr 540 541 In the case of transport mode, both ends MUST send both original 542 Initiator and Responder addresses to the other end. For tunnel mode, 543 both ends SHOULD NOT send original addresses to the other end. 544 545 The NAT-OA payloads are sent inside the first and second packets of 546 Quick Mode. The initiator MUST send the payloads if it proposes any 547 UDP-Encapsulated-Transport mode, and the responder MUST send the 548 payload only if it selected UDP-Encapsulated-Transport mode. It is 549 possible that the initiator sends the NAT-OA payload but proposes 550 both UDP-Encapsulated transport and tunnel mode. Then the responder 551 selects the UDP-Encapsulated tunnel mode and does not send the NAT-OA 552 payload back. 553 554 555 556 557 558 559 560 561 562Kivinen, et al. Standards Track [Page 10] 563 564RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 565 566 567 The format of the NAT-OA packet is 568 569 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 570 +---------------+---------------+---------------+---------------+ 571 | Next Payload | RESERVED | Payload length | 572 +---------------+---------------+---------------+---------------+ 573 | ID Type | RESERVED | RESERVED | 574 +---------------+---------------+---------------+---------------+ 575 | IPv4 (4 octets) or IPv6 address (16 octets) | 576 +---------------+---------------+---------------+---------------+ 577 578 The payload type for the NAT original address payload is 21. 579 580 The ID type is defined in the [RFC2407]. Only ID_IPV4_ADDR and 581 ID_IPV6_ADDR types are allowed. The two reserved fields after the ID 582 Type must be zero. 583 584 The following example is of Quick Mode using NAT-OA payloads: 585 586 Initiator Responder 587 ------------ ------------ 588 HDR*, HASH(1), SA, Ni, [, KE] 589 [, IDci, IDcr ] 590 [, NAT-OAi, NAT-OAr] --> 591 <-- HDR*, HASH(2), SA, Nr, [, KE] 592 [, IDci, IDcr ] 593 [, NAT-OAi, NAT-OAr] 594 HDR*, HASH(3) --> 595 5966. Initial Contact Notifications 597 598 The source IP and port address of the INITIAL-CONTACT notification 599 for the host behind NAT are not meaningful (as NAT can change them), 600 so the IP and port numbers MUST NOT be used to determine which 601 IKE/IPsec SAs to remove (see [RFC3715], section 2.1, case c). The ID 602 payload sent from the other end SHOULD be used instead; i.e., when an 603 INITIAL-CONTACT notification is received from the other end, the 604 receiving end SHOULD remove all the SAs associated with the same ID 605 payload. 606 6077. Recovering from the Expiring NAT Mappings 608 609 There are cases where NAT box decides to remove mappings that are 610 still alive (for example, when the keepalive interval is too long, or 611 when the NAT box is rebooted). To recover from this, ends that are 612 NOT behind NAT SHOULD use the last valid UDP encapsulated IKE or 613 IPsec packet from the other end to determine which IP and port 614 addresses should be used. The host behind dynamic NAT MUST NOT do 615 616 617 618Kivinen, et al. Standards Track [Page 11] 619 620RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 621 622 623 this, as otherwise it opens a DoS attack possibility because the IP 624 address or port of the other host will not change (it is not behind 625 NAT). 626 627 Keepalives cannot be used for these purposes, as they are not 628 authenticated, but any IKE authenticated IKE packet or ESP packet can 629 be used to detect whether the IP address or the port has changed. 630 6318. Security Considerations 632 633 Whenever changes to some fundamental parts of a security protocol are 634 proposed, the examination of security implications cannot be skipped. 635 Therefore, here are some observations about the effects, and about 636 whether or not these effects matter. 637 638 o IKE probes reveal NAT-Traversal support to anyone watching the 639 traffic. Disclosing that NAT-Traversal is supported does not 640 introduce new vulnerabilities. 641 642 o The value of authentication mechanisms based on IP addresses 643 disappears once NATs are in the picture. That is not necessarily 644 a bad thing (for any real security, authentication measures other 645 than IP addresses should be used). This means that authentication 646 with pre-shared keys cannot be used in Main Mode without using 647 group-shared keys for everybody behind the NAT box. Using group 648 shared keys is a huge risk because it allows anyone in the group 649 to authenticate to any other party and claim to be anybody in the 650 group; e.g., a normal user could impersonate a vpn-gateway and act 651 as a man in the middle, and read/modify all traffic to/from others 652 in the group. Use of group-shared keys is NOT RECOMMENDED. 653 654 o As the internal address space is only 32 bits and is usually very 655 sparse, it might be possible for the attacker to find out the 656 internal address used behind the NAT box by trying all possible 657 IP-addresses to find the matching hash. The port numbers are 658 normally fixed to 500, and the cookies can be extracted from the 659 packet. This limits the hash calculations to 2^32. If an 660 educated guess of the private address space is made, then the 661 number of hash calculations needed to find out the internal IP 662 address goes down to 2^24 + 2 * (2^16). 663 664 o Neither NAT-D payloads nor Vendor ID payloads are authenticated in 665 Main Mode nor in Aggressive Mode. This means that attacker can 666 remove those payloads, modify them, or add them. By removing or 667 adding them, the attacker can cause Denial of Service attacks. By 668 modifying the NAT-D packets, the attacker can cause both ends to 669 use UDP-Encapsulated modes instead of directly using tunnel or 670 transport mode, thus wasting some bandwidth. 671 672 673 674Kivinen, et al. Standards Track [Page 12] 675 676RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 677 678 679 o Sending the original source address in the Quick Mode reveals the 680 internal IP address behind the NAT to the other end. In this case 681 we have already authenticated the other end, and sending the 682 original source address is only needed in transport mode. 683 684 o Updating the IKE SA/ESP UDP encapsulation IP addresses and ports 685 for each valid authenticated packet can cause DoS if an attacker 686 can listen to all traffic in the network, change the order of the 687 packets, and inject new packets before the packet he has already 688 seen. In other words, the attacker can take an authenticated 689 packet from the host behind NAT, change the packet UDP source or 690 destination ports or IP addresses and send it out to the other end 691 before the real packet reaches it. The host not behind the NAT 692 will update its IP address and port mapping and send further 693 traffic to the wrong host or port. This situation is fixed 694 immediately when the attacker stops modifying the packets, as the 695 first real packet will fix the situation. Implementations SHOULD 696 AUDIT the event every time the mapping is changed, as it should 697 not happen that often. 698 6999. IANA Considerations 700 701 This document contains two new "magic numbers" allocated from the 702 existing IANA registry for IPsec and renames existing registered port 703 4500. This document also defines 2 new payload types for IKE. 704 705 The following are new items that have been added in the "Internet 706 Security Association and Key Management Protocol (ISAKMP) 707 Identifiers" Encapsulation Mode registry: 708 709 Name Value Reference 710 ---- ----- --------- 711 UDP-Encapsulated-Tunnel 3 [RFC3947] 712 UDP-Encapsulated-Transport 4 [RFC3947] 713 714 Change in the registered port registry: 715 716 Keyword Decimal Description Reference 717 ------- ------- ----------- --------- 718 ipsec-nat-t 4500/tcp IPsec NAT-Traversal [RFC3947] 719 ipsec-nat-t 4500/udp IPsec NAT-Traversal [RFC3947] 720 721 722 723 724 725 726 727 728 729 730Kivinen, et al. Standards Track [Page 13] 731 732RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 733 734 735 New IKE payload numbers need to be added to the Next Payload Types 736 registry: 737 738 NAT-D 20 NAT Discovery Payload 739 NAT-OA 21 NAT Original Address Payload 740 74110. IAB Considerations 742 743 The UNSAF [RFC3424] questions are addressed by the IPsec-NAT 744 compatibility requirements document [RFC3715]. 745 74611. Acknowledgments 747 748 Thanks to Markus Stenberg, Larry DiBurro, and William Dixon, who 749 contributed actively to this document. 750 751 Thanks to Tatu Ylonen, Santeri Paavolainen, and Joern Sierwald, who 752 contributed to the document used as the base for this document. 753 75412. References 755 75612.1. Normative References 757 758 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange 759 (IKE)", RFC 2409, November 1998. 760 761 [RFC2407] Piper, D., "The Internet IP Security Domain of 762 Interpretation for ISAKMP", RFC 2407, November 1998. 763 764 [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. 765 Stenberg, "UDP Encapsulation of IPsec Packets", RFC 3948, 766 January 2005. 767 768 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 769 Requirement Levels", BCP 14, RFC 2119, March 1997. 770 77112.2. Informative References 772 773 [RFC3715] Aboba, B. and W. Dixon, "IPsec-Network Address Translation 774 (NAT) Compatibility Requirements", RFC 3715, March 2004. 775 776 [RFC3424] Daigle, L. and IAB, "IAB Considerations for UNilateral 777 Self-Address Fixing (UNSAF) Across Network Address 778 Translation", RFC 3424, November 2002. 779 780 781 782 783 784 785 786Kivinen, et al. Standards Track [Page 14] 787 788RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 789 790 791Authors' Addresses 792 793 Tero Kivinen 794 SafeNet, Inc. 795 Fredrikinkatu 47 796 FIN-00100 HELSINKI 797 Finland 798 799 EMail: kivinen@safenet-inc.com 800 801 802 Ari Huttunen 803 F-Secure Corporation 804 Tammasaarenkatu 7, 805 FIN-00181 HELSINKI 806 Finland 807 808 EMail: Ari.Huttunen@F-Secure.com 809 810 811 Brian Swander 812 Microsoft 813 One Microsoft Way 814 Redmond, WA 98052 815 USA 816 817 EMail: briansw@microsoft.com 818 819 820 Victor Volpe 821 Cisco Systems 822 124 Grove Street 823 Suite 205 824 Franklin, MA 02038 825 USA 826 827 EMail: vvolpe@cisco.com 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842Kivinen, et al. Standards Track [Page 15] 843 844RFC 3947 Negotiation of NAT-Traversal in the IKE January 2005 845 846 847Full Copyright Statement 848 849 Copyright (C) The Internet Society (2005). 850 851 This document is subject to the rights, licenses and restrictions 852 contained in BCP 78, and except as set forth therein, the authors 853 retain all their rights. 854 855 This document and the information contained herein are provided on an 856 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 857 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 858 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 859 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 860 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 861 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 862 863Intellectual Property 864 865 The IETF takes no position regarding the validity or scope of any 866 Intellectual Property Rights or other rights that might be claimed to 867 pertain to the implementation or use of the technology described in 868 this document or the extent to which any license under such rights 869 might or might not be available; nor does it represent that it has 870 made any independent effort to identify any such rights. Information 871 on the IETF's procedures with respect to rights in IETF Documents can 872 be found in BCP 78 and BCP 79. 873 874 Copies of IPR disclosures made to the IETF Secretariat and any 875 assurances of licenses to be made available, or the result of an 876 attempt made to obtain a general license or permission for the use of 877 such proprietary rights by implementers or users of this 878 specification can be obtained from the IETF on-line IPR repository at 879 http://www.ietf.org/ipr. 880 881 The IETF invites any interested party to bring to its attention any 882 copyrights, patents or patent applications, or other proprietary 883 rights that may cover technology that may be required to implement 884 this standard. Please address the information to the IETF at ietf- 885 ipr@ietf.org. 886 887Acknowledgement 888 889 Funding for the RFC Editor function is currently provided by the 890 Internet Society. 891 892 893 894 895 896 897 898Kivinen, et al. Standards Track [Page 16] 899 900