Why AH is incompatible with NAT

Microsoft recently revealed that the way IPSec and NAT-T work can cause a security threat wherein IPSec traffic intended for one computer may be routed to the wrong computer, if certain criteria exist. For more details, see the KB article. Is this overkill? The KB article itself states that the situation described is an uncommon one, and several security experts have reported being unable to reproduce the problem.

If you decide you need L2TP, you have two choices. Of course, that involves its own security issues. Here's how: you can allow only clients with public IP addresses to connect to servers behind a NAT by setting the value to 1, or you can restore the SP2 default behavior, which prevents all clients from connecting to servers behind a NAT, by setting the value to 0.

If, after assessing the information available and your own network's security needs, you want to allow such connections, you can do so with a simple registry edit on the XP client computers.

One very popular use of VPNs is to provide telecommuter access to the corporate Intranet. This document describes known incompatibilities between NAT and IPsec, and describes the requirements for addressing them.

Please note that the requirements specified in this document are to be used in evaluating protocol submissions. As such, the requirements language refers to capabilities of these protocols; the protocol documents will specify whether these features are required, recommended, or optional.

For example, requiring that a protocol support confidentiality is not the same thing as requiring that all protocol traffic be encrypted. These incompatibilities will therefore be present in any NA(P)T device. Included in this category are problems in handling inbound or outbound fragments. However, since the implementation problems appear to be widespread, they need to be taken into account in a NA(P)T traversal solution.

Ironically, this "helper" functionality creates further incompatibilities, making an already difficult problem harder to solve. While IPsec traversal "helper" functionality is not present in all NA(P)Ts, these features are becoming sufficiently popular that they also need to be taken into account in a NA(P)T traversal solution. Since the AH header incorporates the IP source and destination addresses in the keyed message integrity check, NAT or reverse NAT devices making changes to address fields will invalidate the message integrity check.

TCP and UDP checksums have a dependency on the IP source and destination addresses through inclusion of the "pseudo-header" in the calculation. As a result, where checksums are calculated and checked upon receipt, they will be invalidated by passage through a NAT or reverse NAT device. Thus, checksum verification only provides assurance against errors made in internal processing.
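An added example (not from the page or the RFC) that makes the two preceding paragraphs concrete in Python: it computes an RFC 793 TCP checksum over the IPv4 pseudo-header, an AH-style keyed integrity check that covers the IP addresses, and an ESP-style check that does not, then rewrites the source address the way a NAT would and reports which of the three still verifies at the receiver. The key, addresses and all-zero segment are constructed sample values; the truncated HMAC-SHA-256 construction stands in for whichever integrity algorithm an SA negotiates.

```python
import hashlib
import hmac
import socket
import struct


def tcp_checksum(src_ip, dst_ip, tcp_segment):
    """RFC 793 checksum: ones'-complement sum over the IPv4 pseudo-header
    (src, dst, zero, protocol=6, TCP length) followed by the TCP segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(tcp_segment)))
    data = pseudo + tcp_segment
    if len(data) % 2:
        data += b"\x00"                     # pad odd length for 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ah_icv(key, src_ip, dst_ip, payload):
    """AH-style ICV: the keyed MAC covers the immutable IP header fields,
    including source and destination address, as well as the payload."""
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:12]


def esp_icv(key, payload):
    """ESP-style ICV: the MAC covers only the ESP header and payload, never
    the outer IP addresses, so an address rewrite does not touch it."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:12]


def nat_rewrite_and_verify(key, inside_ip, public_ip, dst_ip, segment):
    """Sender at inside_ip protects a segment; a NAT rewrites the source to
    public_ip. Returns which checks still verify at the receiver."""
    checksum = tcp_checksum(inside_ip, dst_ip, segment)
    ah = ah_icv(key, inside_ip, dst_ip, segment)
    esp = esp_icv(key, segment)
    return {
        "tcp_checksum": tcp_checksum(public_ip, dst_ip, segment) == checksum,
        "ah_icv": hmac.compare_digest(ah_icv(key, public_ip, dst_ip, segment), ah),
        "esp_icv": hmac.compare_digest(esp_icv(key, segment), esp),
    }
```

A NAT can recompute a cleartext TCP checksum because that needs no key, but it can never recompute the AH ICV, and once the TCP segment is encrypted inside ESP it cannot fix the checksum either, which is why the text says end-to-end checksum verification no longer survives the translation.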

In either case, it is necessary to verify that the proposed identifier is authenticated as a result of processing an end-entity certificate, if certificates are exchanged in Phase 1.

Thus responders must be able to accept IKE traffic from a UDP source port other than , and must reply to that port. Care must be taken to avoid unpredictable behavior during re-keys. As a result, the traffic from the responder could be forwarded to the incorrect initiator due to the SPI conflict in the NAT device.

Some applications have addressing information embedded into the payload of the IP packet. Once that entry is installed on the NAT device, traffic can be forwarded in both directions. However, until that entry is installed, traffic received in other directions is not forwarded. Therefore, translating the source or destination address with NAT can cause these checksums to fail verification after NAT processing.

This phase is commonly referred to as "NAT Detect." A NAT-D payload consists of an address and a hash. Each peer typically sends two NAT-D payloads to the other in main mode messages MM3 and MM4: one for the destination address, followed by another for the source address.

When NAT-D payloads are sent between each peer, the hashes are verified at the remote end. If the hash values match, then it can safely be determined that NAT does not exist. If the hash values do not match, then it can safely be determined that NAT does exist.
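An added example, not the book's or RFC 3947's own code, that simulates the NAT Detect exchange in Python: the initiator builds its two NAT-D hashes from the addresses it believes it is using, and the responder recomputes them from the addresses it actually observes on the received packet, so a mismatch on the source hash reveals a NAT in front of the initiator and a mismatch on the destination hash reveals one in front of the responder. The hash layout HASH(CKY-I | CKY-R | IP | Port) follows RFC 3947; SHA-256 stands in for the negotiated hash algorithm, and the cookies and addresses are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port). SHA-256 stands in
    for the hash algorithm negotiated in MM1/MM2 (assumption)."""
    msg = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha256(msg).digest()


def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """Sender emits the destination hash first, then its own source hash."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, payloads, my_ip, my_port, seen_src_ip, seen_src_port):
    """Receiver side: recompute both hashes from what the wire actually shows.
    payloads[0] is the sender's view of *our* address; payloads[1:] are the
    sender's view of its own address(es), several if it is multi-homed."""
    expected_dst = nat_d_hash(cky_i, cky_r, my_ip, my_port)
    expected_src = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    dst_hash, src_hashes = payloads[0], payloads[1:]
    return {
        # our own address was rewritten before the peer saw it
        "receiver_behind_nat": not hmac.compare_digest(dst_hash, expected_dst),
        # the peer's address was rewritten before we saw it
        "sender_behind_nat": not any(hmac.compare_digest(h, expected_src)
                                     for h in src_hashes),
    }


def simulate(init_ip, init_port, nat_ip, nat_port, resp_ip, resp_port):
    """One MM3 from initiator to responder through a NAT that maps the
    initiator's source to nat_ip:nat_port (pass the real address for no NAT)."""
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8       # constructed ISAKMP cookies
    payloads = build_nat_d_payloads(cky_i, cky_r, init_ip, init_port,
                                    resp_ip, resp_port)
    return detect_nat(cky_i, cky_r, payloads, resp_ip, resp_port, nat_ip, nat_port)
```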

In Figure , inside source address translation is being performed by the PIX. Cisco IOS releases. This effectively enables a NAT device in the crypto path to use IPsec SPIs to build its translation table without encountering the translation and forwarding issues caused by overlapping SPIs discussed earlier in this chapter.
