
Re: NAT Traversal



"Chinna N.R. Pellacuru" <pcn@cisco.com> writes:

> Could you elaborate this scenario more. What/who are you doing transport
> mode with and what kind of applications are generating this traffic?

Ok, here's an example:

Assumption: My home LAN is insecure!  It's sitting on a wireless
network, I don't know who may be listening in on it.

Now, based on that assumption, here's my scenario: I've got a laptop
that I use as my primary environment, but I use a bunch of network
services off my home network.  Keep in mind that my home network is
insecure -- I do not trust it!  Therefore, I want to set up IPsec
between my laptop and each of my home servers.

So, I set up IPsec transport between my laptop and my file server to
protect my file system traffic.  I set up IPsec with my mail server so
I can securely send and receive email.  Expand until you have a full
mesh of transport-mode IPsec connections!

When I travel, I want to continue doing this.  I don't want to change
my behavior just because I happen to be sitting behind a NAT (and no,
Phill, I wasn't talking about IETF -- I was actually referring to
Usenix Security).  This way I can work the same (modulo network
latencies) regardless of my current physical location.

> In general we see people running tunnel mode in this case to a border
> security gateway or a remote access aggregator, and access the machines
> within the network which is behind the aggregator. Or people could run
> L2TP or GRE to a border router (if they want multicast), and run IPsec
> transport mode on those tunnels.

Of course that's how you see it, but that's not the only way that
IPsec can be run.  The original goal of IPsec (assuming you were
around for those discussions in '92-93) was to enable end-to-end
IPsec.  If I tunneled back to my home LAN it would still violate
assumption #1, that my home LAN is insecure.

I want end-to-end security; tunneling to a security gateway does not
provide that.

> Consider a sample network at a conference which gives out private
> addresses and runs NAT at its border
> 
>    laptop+-----------+NAT+-----( cloud )-------+IPsec peer
> 
> laptop got an address 10.0.0.5
> NAT box is going to translate it to say 5.0.0.1
> IPsec peer is 6.0.0.1
> 
> Now, IPsec proxy identities are 10.0.0.5 and 6.0.0.1.
> 
> Question1: So, do the applications on the IPsec peer think that they are
> talking to 10.0.0.5 or do they think they are talking to 5.0.0.1?

It doesn't matter.

The Security Association has a binding to:
        Certificate, RSA, id=Derek Atkins <derek@ihtfp.com>
or perhaps
        Certificate, RSA, id=derek-laptop.ihtfp.com

The point being that IPsec knows who I am regardless of the IP
address.  The IP address can be anything, and that's ok.

Applications that want to depend on IPsec for security should not key
off the IP Address; they should key off the SA.  The SA knows all.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
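The principle stated above (authorize on the SA's authenticated identity, not on the IP address) as an added example that is not part of the list message; the addresses come from the quoted scenario, while the ACL contents, class names and function names are constructed for illustration.

```python
"""Added example: an application-level check keyed on the IPsec SA identity
rather than the packet's source address. Not code from the list discussion."""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class SecurityAssociation:
    # Identity proven during IKE authentication (certificate subject or FQDN)
    peer_id: str
    auth: str  # e.g. "Certificate, RSA"


@dataclass(frozen=True)
class Packet:
    src_ip: str  # source address as the receiver sees it (post-NAT)
    dst_ip: str
    sa: Optional[SecurityAssociation]  # None if the packet arrived in the clear


# Constructed sample policy: permissions keyed on SA identity, never on IP.
FILE_SERVER_ACL = {"derek-laptop.ihtfp.com": {"read", "write"}}

LAPTOP_SA = SecurityAssociation("derek-laptop.ihtfp.com", "Certificate, RSA")


def authorize(pkt: Packet, action: str) -> bool:
    """Grant only if the packet arrived under an SA whose authenticated
    identity holds the permission. The source IP plays no role."""
    if pkt.sa is None:
        return False  # cleartext traffic carries no proven identity
    return action in FILE_SERVER_ACL.get(pkt.sa.peer_id, set())


def ip_keyed_authorize(pkt: Packet, allowed_ips: Set[str]) -> bool:
    """The anti-pattern: trusting the IP address. Fails behind NAT and is
    satisfied by anyone who can source packets from an allowed address."""
    return pkt.src_ip in allowed_ips


def demo():
    """Same laptop, same SA, at home and behind the conference NAT; plus a
    cleartext packet that merely claims the home address."""
    at_home = Packet("10.0.0.5", "6.0.0.1", LAPTOP_SA)
    behind_nat = Packet("5.0.0.1", "6.0.0.1", LAPTOP_SA)  # NAT rewrote src
    unauthenticated = Packet("10.0.0.5", "6.0.0.1", None)
    allowed_ips = {"10.0.0.5"}
    return {
        "sa_keyed": [authorize(p, "read") for p in (at_home, behind_nat, unauthenticated)],
        "ip_keyed": [ip_keyed_authorize(p, allowed_ips) for p in (at_home, behind_nat, unauthenticated)],
    }
```

Running `demo()` shows the SA-keyed check accepting the laptop from either address and rejecting the cleartext packet, while the IP-keyed check does the opposite in both cases that matter.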