Network Working Group T. Kivinen Request for Comments: 3947 SafeNet Category: Standards Track B. Swander Microsoft A. Huttunen F-Secure Corporation V. Volpe Cisco Systems January 2005 Negotiation of NAT-Traversal in the IKE Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2005).
AbstractThis document describes how to detect one or more network address translation devices (NATs) between IPsec hosts, and how to negotiate the use of UDP encapsulation of IPsec packets through NAT boxes in Internet Key Exchange (IKE).
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Specification of Requirements . . . . . . . . . . . . . . . . . 3 3. Phase 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Detecting Support of NAT-Traversal. . . . . . . . . . . . 4 3.2. Detecting the Presence of NAT . . . . . . . . . . . . . . 4 4. Changing to New Ports . . . . . . . . . . . . . . . . . . . . . 6 5. Quick Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . 8 5.1. Negotiation of the NAT-Traversal Encapsulation. . . . . . 9 5.2. Sending the Original Source and Destination Addresses . . 9 6. Initial Contact Notifications. . . . . . . . . . . . . . . . . 11 7. Recovering from the Expiring NAT Mappings. . . . . . . . . . . 11 8. Security Considerations. . . . . . . . . . . . . . . . . . . . 12 9. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 13 10. IAB Considerations . . . . . . . . . . . . . . . . . . . . . . 14 11. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 14 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 12.1. Normative References . . . . . . . . . . . . . . . . . . 14 12.2. Informative References . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 16 RFC3948] describes the details of UDP encapsulation, and [RFC3715] provides background information and motivation of NAT- Traversal in general. In combination with [RFC3948], this document represents an "unconditionally compliant" solution to the requirements as defined by [RFC3715]. In the basic scenario for this document, the initiator is behind NA(P)T, and the responder has a fixed static IP address.
This document defines a protocol that will work even if both ends are behind NAT, but the process of how to locate the other end is out of the scope of this document. In one scenario, the responder is behind a static host NAT (only one responder per IP, as there is no way to use any destination ports other than 500/4500). That is, it is known by the configuration. RFC2119]. RFC2409] Phase 1. The NAT may change the IKE UDP source port, and recipients MUST be able to process IKE packets whose source port is different from 500. The NAT does not have to change the source port if: o only one IPsec host is behind the NAT, or o for the first IPsec host, the NAT can keep the port 500, and the NAT will only change the port number for later connections. Recipients MUST reply back to the source address from the packet (see [RFC3715], section 2.1, case d). This means that when the original responder is doing rekeying or sending notifications to the original initiator, it MUST send the packets using the same set of port and IP numbers used when the IKE SA was last used. For example, when the initiator sends a packet with source and destination port 500, the NAT may change it to a packet with source port 12312 and destination port 500. The responder must be able to process the packet whose source port is 12312. It must reply back with a packet whose source port is 500 and destination port is 12312. The NAT will then translate this packet to source port 500 and destination port 500.
The format of the NAT-D packet is 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 +---------------+---------------+---------------+---------------+ | Next Payload | RESERVED | Payload length | +---------------+---------------+---------------+---------------+ ~ HASH of the address and port ~ +---------------+---------------+---------------+---------------+ The payload type for the NAT discovery payload is 20. The HASH is calculated as follows: HASH = HASH(CKY-I | CKY-R | IP | Port) This uses the negotiated HASH algorithm. All data inside the HASH is in the network byte-order. The IP is 4 octets for an IPv4 address and 16 octets for an IPv6 address. The port number is encoded as a 2 octet number in network byte-order. The first NAT-D payload contains the remote end's IP address and port (i.e., the destination address of the UDP packet). The remaining NAT-D payloads contain possible local-end IP addresses and ports (i.e., all possible source addresses of the UDP packet). If there is no NAT between the peers, the first NAT-D payload received should match one of the local NAT-D payloads (i.e., the local NAT-D payloads this host is sending out), and one of the other NAT-D payloads must match the remote end's IP address and port. If the first check fails (i.e., first NAT-D payload does not match any of the local IP addresses and ports), it means that there is dynamic NAT between the peers, and this end should start sending keepalives as defined in the [RFC3948] (this end is behind the NAT). The CKY-I and CKY-R are the initiator and responder cookies. They are added to the hash to make precomputation attacks for the IP address and port impossible. The following example is of a Phase 1 exchange using NAT-Traversal in Main Mode (authentication with signatures): Initiator Responder ------------ ------------ HDR, SA, VID --> <-- HDR, SA, VID HDR, KE, Ni, NAT-D, NAT-D --> <-- HDR, KE, Nr, NAT-D, NAT-D HDR*#, IDii, [CERT, ] SIG_I --> <-- HDR*#, IDir, [CERT, ], SIG_R
The following example is of Phase 1 exchange using NAT-Traversal in Aggressive Mode (authentication with signatures): Initiator Responder ------------ ------------ HDR, SA, KE, Ni, IDii, VID --> <-- HDR, SA, KE, Nr, IDir, [CERT, ], VID, NAT-D, NAT-D, SIG_R HDR*#, [CERT, ], NAT-D, NAT-D, SIG_I --> The # sign indicates that those packets are sent to the changed port if NAT is detected. RFC3715], section 2.3). Some NATs will not change IKE source port 500 even if there are multiple clients behind the NAT (See [RFC3715], section 2.3, case n). They can also use IKE cookies to demultiplex traffic instead of using the source port (See [RFC3715], section 2.3, case m). Both of these are problematic for generic NAT transparency, as it is difficult for IKE to discover the capabilities of the NAT. The best approach is simply to move the IKE traffic off port 500 as soon as possible to avoid any IPsec-aware NAT special casing. Take the common case of the initiator behind the NAT. The initiator must quickly change to port 4500 once the NAT has been detected to minimize the window of IPsec-aware NAT problems. In Main Mode, the initiator MUST change ports when sending the ID payload if there is NAT between the hosts. The initiator MUST set both UDP source and destination ports to 4500. All subsequent packets sent to this peer (including informational notifications) MUST be sent on port 4500. In addition, the IKE data MUST be prepended with a non-ESP marker allowing for demultiplexing of traffic, as defined in [RFC3948]. Thus, the IKE packet now looks like this: IP UDP(4500,4500) <non-ESP marker> HDR*, IDii, [CERT, ] SIG_I This assumes authentication using signatures. The 4 bytes of non-ESP marker are defined in the [RFC3948].
When the responder gets this packet, the usual decryption and processing of the various payloads is performed. If these are successful, the responder MUST update local state so that all subsequent packets (including informational notifications) to the peer use the new port, and possibly the new IP address obtained from the incoming valid packet. The port will generally be different, as the NAT will map UDP(500,500) to UDP(X,500), and UDP(4500,4500) to UDP(Y,4500). The IP address will seldom be different from the pre- changed IP address. The responder MUST respond with all subsequent IKE packets to this peer by using UDP(4500,Y). Similarly, if the responder has to rekey the Phase 1 SA, then the rekey negotiation MUST be started by using UDP(4500,Y). Any implementation that supports NAT traversal MUST support negotiations that begin on port 4500. If a negotiation starts on port 4500, then it doesn't need to change anywhere else in the exchange. Once port change has occurred, if a packet is received on port 500, that packet is old. If the packet is an informational packet, it MAY be processed if local policy allows this. If the packet is a Main Mode or an Aggressive Mode packet (with the same cookies as previous packets), it SHOULD be discarded. If the packet is a new Main Mode or Aggressive exchange, then it is processed normally (the other end might have rebooted, and this is starting new exchange). Here is an example of a Phase 1 exchange using NAT-Traversal in Main Mode (authentication with signatures) with changing port: Initiator Responder ------------ ------------ UDP(500,500) HDR, SA, VID --> <-- UDP(500,X) HDR, SA, VID UDP(500,500) HDR, KE, Ni, NAT-D, NAT-D --> <-- UDP(500,X) HDR, KE, Nr, NAT-D, NAT-D UDP(4500,4500) HDR*#, IDii, [CERT, ]SIG_I --> <-- UDP(4500,Y) HDR*#, IDir, [ CERT, ], SIG_R The procedure for Aggressive Mode is very similar. After the NAT has been detected, the initiator sends IP UDP(4500,4500) <4 bytes of non-ESP marker> HDR*, [CERT, ], NAT-D, NAT-D, and SIG_I. The responder does similar processing to the above, and if successful, MUST update it's internal IKE ports. The responder MUST respond with all subsequent IKE packets to this peer by using UDP(4500,Y).
Initiator Responder ------------ ------------ UDP(500,500) HDR, SA, KE, Ni, IDii, VID --> <-- UDP(500,X) HDR, SA, KE, Nr, IDir, [CERT, ], VID, NAT-D, NAT-D, SIG_R UDP(4500,4500) HDR*#, [CERT, ], NAT-D, NAT-D, SIG_I --> <-- UDP(4500, Y) HDR*#, ... If the support of the NAT-Traversal is enabled, the port in the ID payload in Main Mode/Aggressive Mode MUST be set to 0. The most common case for the responder behind the NAT is if the NAT is simply doing 1:1 address translation. In this case, the initiator still changes both ports to 4500. The responder uses an algorithm identical to that above, although in this case Y will equal 4500, as no port translation is happening. A different port change case involves out-of-band discovery of the ports to use. Those discovery methods are out of the scope of this document. For instance, if the responder is behind a port translating NAT, and the initiator needs to contact it first, then the initiator will have to determine which ports to use, usually by contacting some other server. Once the initiator knows which ports to use to traverse the NAT, generally something like UDP(Z,4500), it initiates using these ports. This is similar to the responder rekey case above in that the ports to use are already known up front, and no additional change has to take place. Also, the first keepalive timer starts after the change to the new port, and no keepalives are sent to the port 500.
RFC3715], section 2.2, case i). If there is a NAT box between hosts, normal tunnel or transport encapsulations may not work. In this case, UDP-Encapsulation SHOULD be used. If there is no NAT box between, there is no point in wasting bandwidth by adding UDP encapsulation of packets. Thus, UDP- Encapsulation SHOULD NOT be used. Also, the initiator SHOULD NOT include both normal tunnel or transport mode and UDP-Encapsulated-Tunnel or UDP-Encapsulated- Transport in its proposals. RFC3715], section 2.1, case b). For the initiator, the original Initiator address is defined to be the Initiator's IP address. The original Responder address is defined to be the perceived peer's IP address. For the responder, the original Initiator address is defined to be the perceived peer's address. The original Responder address is defined to be the Responder's IP address. The original addresses are sent by using NAT-OA (NAT Original Address) payloads. The Initiator NAT-OA payload is first. The Responder NAT-OA payload is second. Example 1: Initiator <---------> NAT <---------> Responder ^ ^ ^ Iaddr NatPub Raddr
The initiator is behind a NAT talking to the publicly available responder. Initiator and Responder have the IP addresses Iaddr and Raddr. NAT has public IP address NatPub. Initiator: NAT-OAi = Iaddr NAT-OAr = Raddr Responder: NAT-OAi = NATPub NAT-OAr = Raddr Example 2: Initiator <------> NAT1 <---------> NAT2 <-------> Responder ^ ^ ^ ^ Iaddr Nat1Pub Nat2Pub Raddr Here, NAT2 "publishes" Nat2Pub for Responder and forwards all traffic to that address to Responder. Initiator: NAT-OAi = Iaddr NAT-OAr = Nat2Pub Responder: NAT-OAi = Nat1Pub NAT-OAr = Raddr In the case of transport mode, both ends MUST send both original Initiator and Responder addresses to the other end. For tunnel mode, both ends SHOULD NOT send original addresses to the other end. The NAT-OA payloads are sent inside the first and second packets of Quick Mode. The initiator MUST send the payloads if it proposes any UDP-Encapsulated-Transport mode, and the responder MUST send the payload only if it selected UDP-Encapsulated-Transport mode. It is possible that the initiator sends the NAT-OA payload but proposes both UDP-Encapsulated transport and tunnel mode. Then the responder selects the UDP-Encapsulated tunnel mode and does not send the NAT-OA payload back.
The format of the NAT-OA packet is 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 +---------------+---------------+---------------+---------------+ | Next Payload | RESERVED | Payload length | +---------------+---------------+---------------+---------------+ | ID Type | RESERVED | RESERVED | +---------------+---------------+---------------+---------------+ | IPv4 (4 octets) or IPv6 address (16 octets) | +---------------+---------------+---------------+---------------+ The payload type for the NAT original address payload is 21. The ID type is defined in the [RFC2407]. Only ID_IPV4_ADDR and ID_IPV6_ADDR types are allowed. The two reserved fields after the ID Type must be zero. The following example is of Quick Mode using NAT-OA payloads: Initiator Responder ------------ ------------ HDR*, HASH(1), SA, Ni, [, KE] [, IDci, IDcr ] [, NAT-OAi, NAT-OAr] --> <-- HDR*, HASH(2), SA, Nr, [, KE] [, IDci, IDcr ] [, NAT-OAi, NAT-OAr] HDR*, HASH(3) --> RFC3715], section 2.1, case c). The ID payload sent from the other end SHOULD be used instead; i.e., when an INITIAL-CONTACT notification is received from the other end, the receiving end SHOULD remove all the SAs associated with the same ID payload.
this, as otherwise it opens a DoS attack possibility because the IP address or port of the other host will not change (it is not behind NAT). Keepalives cannot be used for these purposes, as they are not authenticated, but any IKE authenticated IKE packet or ESP packet can be used to detect whether the IP address or the port has changed.
o Sending the original source address in the Quick Mode reveals the internal IP address behind the NAT to the other end. In this case we have already authenticated the other end, and sending the original source address is only needed in transport mode. o Updating the IKE SA/ESP UDP encapsulation IP addresses and ports for each valid authenticated packet can cause DoS if an attacker can listen to all traffic in the network, change the order of the packets, and inject new packets before the packet he has already seen. In other words, the attacker can take an authenticated packet from the host behind NAT, change the packet UDP source or destination ports or IP addresses and send it out to the other end before the real packet reaches it. The host not behind the NAT will update its IP address and port mapping and send further traffic to the wrong host or port. This situation is fixed immediately when the attacker stops modifying the packets, as the first real packet will fix the situation. Implementations SHOULD AUDIT the event every time the mapping is changed, as it should not happen that often.
New IKE payload numbers need to be added to the Next Payload Types registry: NAT-D 20 NAT Discovery Payload NAT-OA 21 NAT Original Address Payload RFC3424] questions are addressed by the IPsec-NAT compatibility requirements document [RFC3715]. [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. [RFC2407] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998. [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. Stenberg, "UDP Encapsulation of IPsec Packets", RFC 3948, January 2005. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3715] Aboba, B. and W. Dixon, "IPsec-Network Address Translation (NAT) Compatibility Requirements", RFC 3715, March 2004. [RFC3424] Daigle, L. and IAB, "IAB Considerations for UNilateral Self-Address Fixing (UNSAF) Across Network Address Translation", RFC 3424, November 2002.
Full Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- email@example.com. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.