Internet DRAFT - draft-antony-ipsecme-oppo-nat
draft-antony-ipsecme-oppo-nat
ipsecme A. Antony
Internet-Draft Phenome Networks
Intended status: Informational J. Gilmore
Expires: September 10, 2015
P. Wouters
Red Hat
March 09, 2015
NAT-Traversal support for Opportunistic IPsec
draft-antony-ipsecme-oppo-nat-00
Abstract
This document specifies how to support NATed IPsec peers for use with
Opportunistic IPsec.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 10, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Antony, et al. Expires September 10, 2015 [Page 1]
�
Internet-Draft NAT-T for Opportunistic IPsec March 2015
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conventions Used in This Document . . . . . . . . . . . . 2
2. The pre-NAT IP address conflict . . . . . . . . . . . . . . . 2
3. Creating the NAT workaround on the initiator . . . . . . . . 3
3.1. The Initial Exchange . . . . . . . . . . . . . . . . . . 3
3.2. Handling the NAT problem on the initiator . . . . . . . . 4
3.3. Handling the NAT problem on the responder . . . . . . . . 4
3.4. Implementation details . . . . . . . . . . . . . . . . . 4
4. Creating the NAT workaround on the responder . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 5
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
8.1. Normative References . . . . . . . . . . . . . . . . . . 5
8.2. Informative References . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
The Internet Key Exchange Protocol version 2 (IKEv2), specified in
[RFC7296], provides a way to negotiate tunnel mode IPsec SA's for
peers behind NAT. It does not provide guidance on how to resolve the
problem of multiple peers using the same pre-NAT IP address.
Responder assigned IP addresses for NATed peers also do not fully
resolve the address conflict when the NATed peers are deploying
opportunistic IPsec to many remote endpoints. Additional complexity
of configuring many source IP addresses on the NATed peers is
undesirable.
This problem is expected to be a significant issue for large scale
Opportunistic IPsec deployments.
The goal of this draft is to put the burden of the additional effort
required for NAT onto the host that is NAT'ed. In a hypothetical
future with no NAT, no residual protocol changes would remain.
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. The pre-NAT IP address conflict
Antony, et al. Expires September 10, 2015 [Page 2]
�
Internet-Draft NAT-T for Opportunistic IPsec March 2015
A peer that is behind NAT is only aware of its own native IP address.
While the IKEv2 NATD payloads allow the peer to find out it is behind
NAT, it either has to use its own native IP address or a remote peer
assigned IP address to build IPsec SA's.
Two initiators behind different NAT routers can have the same pre-NAT
IP address. When these initiators attempt to setup an IPsec SA to
the same responder, there will be a conflict on the responder. When
the first initiator connects, the responder will install an IPsec SA
for for the specific pre-NAT IP. For the second initiator, the
responder cannot install an IPsec SA with the same source and
destination selectors without creating a conflict. Even if it could
install two identical IPsec SAs, it still needs a mechanism to decide
between these two IPsec SA's. While connection tracking might be used
to distinguish reply packets, there is no method for initiating a
connection from the responder to one of the initiators without
somehow specifying for which of the initiators the packet is meant.
When initiators behind NAT let the remote peer assign their IP to use
for building the IPsec SA, the problem reverses. Initiators behind
NAT can setup many IPsec SA's to different remote peers, and those
remote peers might use the conflicting IP addresses. Additionally,
using many IP addresses requires that the host or applications need
to be aware of which source IP to use for which remote peer.
3. Creating the NAT workaround on the initiator
In the below workflow, the following example IP addresses are used:
The initiator ("road") has a private IP address of 192.1.3.209
The NAT router has an internal (private) IP address of 192.1.3.254
The NAT router has an external (public) IP address of 192.1.2.254
The responder ("east") has a public IP address of 192.1.2.42
The responder ("east") has a private IP address pool of 10.1.2.0/
24
Tunnel mode is used for all IPsec SA's.
3.1. The Initial Exchange
In IKEv2, the IKE_INIT exchange allows the initiator and responder to
detect the presense of a NAT. In this case both "road" and "east"
become aware of the NAT in front of "road".
Antony, et al. Expires September 10, 2015 [Page 3]
�
Internet-Draft NAT-T for Opportunistic IPsec March 2015
In IKEv2, the initiator can signal via the TSi payload that it is
willing to receive a responder-assigned IP address for use in the
IPsec SA. The responder needs to be configured with an addresspool
from which it assigns unique IP addresses to the connecting
initiators.
"road" sends a TSi(0.0.0.0/0) and TSr(192.1.2.42/32) request to
"east" in the IKE_AUTH Exchange.
"east" assigns the first free IP address from its pool - 10.1.2.1 -
to this prospective client and sends a TSI(10.1.2.1/32) and
TSr(192.1.2.42/32) back to "road".
The IKE_AUTH Exchange completes as normal. This could be an
authenticated exchange or an exchange without authentication using
AUTH_NULL as specified in [IKE-AUTH-NULL].
3.2. Handling the NAT problem on the initiator
"road", upon receiving east's TSi/TSr - and a successfull completion
of the IKE_AUTH Exchange - two tasks:
1. It installs the negotiated inbound and outbound IPsec SAs
(10.1.2.1/32 <=> 192.1.2.42/32)
2. It installs a destination based NAT rule for 192.1.3.209 ->
192.1.2.42/32 ==> 10.1.2.1/32 -> 192.1.2.42/32
It ensures that the destination based NAT rule is processed before
IPsec processing begins.
3.3. Handling the NAT problem on the responder
The responder has no specific handling it needs to perform apart from
a willingness to assign IP addresses if an initiator requests one via
the special TSi(0.0.0.0/0). If the initiator sends a TSi() that
matches the IP address of the IKE message, the responder should agree
to use that address instead of assigning one from its addresspool.
3.4. Implementation details
The NAT rule can be implemented in the Networking subsystem of the
host kernel, but this specific IPsec-NAT rule could also be
implemented as part of the IPsec subsystem.
Antony, et al. Expires September 10, 2015 [Page 4]
�
Internet-Draft NAT-T for Opportunistic IPsec March 2015
The initiator host and any application running on the initiator
should not need to be aware of this construct. The responder
assigned IP address does not need to be configured on the host. It
only needs to exist in the NAT rule and the IPsec SA.
4. Creating the NAT workaround on the responder
[placeholder]
5. Security Considerations
This NAT mapping method MUST only be used for host-to-host IPsec
tunnels. It MUST NOT be used for net-to-net IPsec tunnels.
An address from the addresspool should not be re-used quickly to
avoid sending traffic meant for one initiator to another initiator.
6. Acknowledgments
None so far
7. IANA Considerations
This Internet Draft includes no request to IANA.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, October 2014.
[IKE-AUTH-NULL]
Smyslov, Valery. and Paul. Wouters, "The NULL
Authentication Method in IKEv2 Protocol", draft-ietf-
ipsecme-ikev2-null-auth (work in progress), February 2015.
8.2. Informative References
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, May 2014.
Antony, et al. Expires September 10, 2015 [Page 5]
�
Internet-Draft NAT-T for Opportunistic IPsec March 2015
[RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", RFC 7435, December 2014.
Authors' Addresses
Antony Antony
Phenome Networks
Email: antony@phenome.org
John Gilmore
Email: gnu@toad.com
Paul Wouters
Red Hat
Email: pwouters@redhat.com
Antony, et al. Expires September 10, 2015 [Page 6]
