Traffic encryption and integrity checking schemes such as those in the IPSec protocol suite are generally incompatible with NAT. Certain protocols, such as IPSec ESP in tunnel mode, can be accommodated via special support (IPSec pass-through).
Applications that use dynamic session initiations, such as Netmeeting and MSN Messenger, require either special support in the firmware of the NAT device or the use of UPnP and a UPnP aware NAT device.
Other NAT-incompatible techniques, such as passing IP addresses as data or using non-standard protocols, also require special support.
Sticking with security for a second, during the early days of NAT many were concerned that it would have a negative impact on security since it would not allow for end-to-end encryption. If packets are encrypted or integrity checked, either translation is not possible or the translated packets are rejected. Today this is still a problem for certain traffic encryption / integrity checking schemes such as IPSec Encapsulating Security Payload (ESP) in transport mode or IPSec Authentication Header (AH). IPSec ESP in tunnel mode encrypts the TCP/UDP headers but is able to traverse NAT via the following 'trick' (often referred to as IPSec pass-through):
Since the establishment of an IPSec tunnel begins with an IKE conversation (via UDP), when the router sees an IKE exchange it automatically forwards all ESP traffic to the private host involved. In this basic form, found in typical broadband routers, multiple concurrent tunnels are not permitted.
Some routers permit multiple IPSec connections through NAT by uniquely identifying tunnels via the pair of SPI numbers snagged from an IKE exchange. These identifying numbers are stored in IPSec NAT table entries to allow correct routing of inbound ESP traffic.
Often a better option if you have to mix NAT and IPSec is to terminate the VPN in the router. Most firewall type NAT devices can do this, which allows the entire private network access to the remote network and saves your hosts the CPU time associated with en/decapsulation, en/decryption and key management. Also, these devices are able to use the full range of IPSec features and protocols.
Dynamic Session Initiations
Dynamic session initiations are conversations, often carried out over a dedicated protocol (such as Session Initiation Protocol or SIP), which arrange the parameters (addresses, ports, etc.) for other conversations. They are roughly analogous to FTP control connections (active mode transfers are similarly broken by NAT) and are commonly used in multimedia software such as MSN Messenger and Netmeeting. Two problems arise when used over NAT:
• IP addresses are often passed as data in the session initiation. The software will pass the address of a private host to the other end and the following connection will fail.
• Ports are negotiated dynamically. You can't create port mappings to allow inbound connections to the program since you don't know what ports will be used.
The problem can be solved in one of three ways:
• Write special code to properly translate the information passed in session initiation and / or act upon special events in the conversation. This technique is used so that active FTP connections may take place: port 20 is temporarily mapped to the appropriate private host on detection of a PORT command from that host.
• Write special code to proxy (make on behalf of and intermediate) the required connections, also known as an 'Application Layer Gateway'.
• Allow a remote program to control port mappings on the NAT device and retrieve its global address to pass in session initiations. This has been realised in the form of UPnP enabled NAT devices.
Note that the first two solutions involve specialised code to support each application and are therefore limited by developer inclination and available router memory space.
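To make the first solution concrete, here is an added example (not code from the original page or from any router firmware) of the payload-rewriting step an active-FTP ALG performs on a NAT device: it spots a PORT command from a private host, rewrites the announced private address to the router's public address and a temporarily allocated public port, records the mapping so the server's inbound data connection can be routed back, and tracks how much the rewrite changed the byte stream (real ALGs must apply that delta to TCP sequence and acknowledgement numbers). The public address, port range and private addresses are constructed sample values.

```python
import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2  -> address h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


@dataclass
class FtpAlg:
    public_ip: str                      # the NAT device's global address
    next_port: int = 40000              # constructed range for temporary mappings
    mappings: dict = field(default_factory=dict)   # public port -> (private ip, private port)
    seq_delta: dict = field(default_factory=dict)  # private ip -> bytes added to its stream

    def _allocate(self) -> int:
        port = self.next_port
        self.next_port = port + 1 if port < 65535 else 40000
        return port

    def translate_port_cmd(self, private_ip: str, payload: bytes) -> bytes:
        """Rewrite an outbound PORT command from private_ip; pass anything else through."""
        m = PORT_RE.match(payload)
        if not m:
            return payload              # not a PORT command (or encrypted: nothing to parse)
        octets = [int(x) for x in m.groups()]
        announced_ip = ".".join(map(str, octets[:4]))
        announced_port = octets[4] * 256 + octets[5]
        # Only rewrite addresses the sending host actually owns; leave anything else alone.
        if announced_ip != private_ip or announced_port > 65535:
            return payload
        public_port = self._allocate()
        self.mappings[public_port] = (private_ip, announced_port)
        rewritten = b"PORT %s,%d,%d\r\n" % (
            self.public_ip.replace(".", ",").encode(), public_port // 256, public_port % 256)
        # The rewrite may change the segment length; the sequence-number delta must be
        # applied to later segments in this direction and to the peer's ACKs.
        self.seq_delta[private_ip] = self.seq_delta.get(private_ip, 0) + len(rewritten) - len(payload)
        return rewritten

    def inbound_data_connection(self, public_port: int):
        """Route the server's inbound data connection; the mapping is one-shot."""
        return self.mappings.pop(public_port, None)
```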
Note also that if IP addresses are not passed in session initiation or the problem is just that incoming connections to many ports are required, it may be solved by a feature known as 'default server' or 'DMZ'. Defining the default server or DMZ to be a private host causes the router to pass all unsolicited traffic to that host. This removes the protection of NAT from that host although translation still takes place.