Mobile IP Traversal of NAT Devices.

Mobile IP depends on forwarding traffic from the home network to the ... along the network path allows you to discover any NAT device between two peers and the exact location of the NAT. ...
Slide 1

Mobile IP Traversal of NAT Devices. By Vivek Nemarugommula

Slide 2

Problem Definition
Mobile IP depends on forwarding traffic from the home network to the mobile node or foreign agent through IP-in-IP tunneling. IP nodes which communicate from behind a NAT are reachable only through the NAT's public address(es). IP-in-IP tunneling does not generally contain enough information to allow unique translation from the common public address(es) to the particular care-of address of a mobile node or foreign agent which resides behind the NAT; in particular, there are no TCP/UDP port numbers available for a NAT to work with.

Slide 3

Problem Illustrated

Slide 4

Problem Illustrated

Slide 5

Solutions
The draft by H. Levkowetz (ipUnplugged) and S. Vaarala (Netseal), released in April 2002, presents extensions to the Mobile IP protocol and a tunneling method which permits mobile nodes using Mobile IP to operate in private address networks, which are separated from the public internet by NAT devices. Assumptions: the basic assumption in this document is that the network allows communication between a UDP port chosen by the mobile node and the home agent UDP port 434.

Slide 6

Co-located care-of address
The mobile users connect to the Home Agent at the office to reach the correspondent node (CN) in the home network. The mobile node will request a temporary care-of address belonging to the local router R from a DHCP server in the visited network. The Home Agent will discover that a NAPT traversal has occurred by comparing the source IP address with the care-of address. The Mobile IP tunnel is then changed to include a UDP header, in order to facilitate traversal of the NAPT by payload datagrams between the mobile node and the correspondent node (the source IP address in the header of the registration request as received by the Home Agent, i.e., will be used as the source IP address for the outer IP header in the Mobile IP tunnel seen from the Home Agent, rather than the care-of address, i.e.

Slide 8

Mobile IP Registration
The mobile node (or, to be more precise, the mobile node virtual interface adapter, MN-VIA) sends a Mobile IP registration request towards the Home Agent. The registration request is sent with the UDP destination port equal to 434 and the UDP source port set to any chosen port number. To distinguish datagrams sent from different nodes in the visited network, the NAPT will also keep a state table with the care-of address and the UDP source port number on the inside and a newly allocated UDP source port number on the outside of the firewall. The latter UDP source port number is chosen so that it is unique among the sessions traversing the NAPT at any time.

Slide 9

Registration (continued)
The Home Agent will discover the discrepancy between the source IP address and the care-of address inside the registration request message. In order to protect against spoofing, the Home Agent will verify the authenticator as well as the time stamp of the registration reply. If acceptable, the Home Agent will choose a UDP port number to be used for the Mobile IP data path and communicate it to the mobile node as part of the registration reply message.

Slide 10

Registration Procedure

Slide 11

Mobile IP Payload Transfer
There are two main differences in the way payload transfer is performed when a NAPT is present. First, the payload datagrams to be sent through the Mobile IP tunnel are required to have a UDP header in between the two IP headers. Second, the Home Agent uses the source IP address of the registration request, i.e. the IP address of the NAPT, as the destination IP address also for datagrams bound for the mobile node.
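The Home Agent's side of slides 6 to 11 (NAPT detection by comparing the outer source address with the care-of address, the binding that results, and the UDP header inserted between the two IP headers), as an added example that is not part of the deck or of the Levkowetz/Vaarala draft. The 4-byte tunnel-data header between UDP and the inner packet is assumed from RFC 3519, not from the slides; addresses, ports and the HA-chosen data port are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

MIP_REG_PORT = 434          # home agent registration port (slides 5 and 8)
MIP_TUNNEL_DATA_TYPE = 4    # RFC 3519 tunnel-data message type (assumption, not on the slides)
IPPROTO_IPIP = 4            # "next header" value announcing an inner IPv4 packet


@dataclass
class RegistrationRequest:
    """What the HA sees: the care-of address inside the request plus the outer IP/UDP source."""
    home_address: str
    care_of_address: str    # private address the MN obtained from the visited network's DHCP
    outer_src_ip: str       # source IP as received by the HA (the NAPT's public address if translated)
    outer_src_port: int     # UDP source port as received (the port the NAPT allocated if translated)
    outer_dst_port: int


@dataclass
class Binding:
    home_address: str
    tunnel_dst_ip: str
    tunnel_dst_port: Optional[int]   # None means plain IP-in-IP with no UDP header
    ha_data_port: int
    udp_encapsulated: bool


def napt_detected(req: RegistrationRequest) -> bool:
    """Slides 6 and 9: a NAPT is in the path when the outer source IP differs from the care-of address."""
    return req.outer_src_ip != req.care_of_address


def register(req: RegistrationRequest, ha_data_port: int) -> Binding:
    """HA decision: behind a NAPT, tunnel to the NAPT's public address and port instead of the
    care-of address (slide 11). ha_data_port is the port the HA returns in the registration reply (slide 9)."""
    if req.outer_dst_port != MIP_REG_PORT:
        raise ValueError("registration requests must arrive on UDP port 434")
    if napt_detected(req):
        return Binding(req.home_address, req.outer_src_ip, req.outer_src_port, ha_data_port, True)
    return Binding(req.home_address, req.care_of_address, None, ha_data_port, False)


def encapsulate(binding: Binding, inner_ip_packet: bytes) -> Tuple[str, bytes]:
    """Builds everything after the outer IP header for one datagram towards the MN.
    Returns (outer destination IP, outer IP payload)."""
    if not binding.udp_encapsulated:
        return binding.tunnel_dst_ip, inner_ip_packet      # classic IP-in-IP, outer protocol 4
    tunnel_hdr = struct.pack("!BBH", MIP_TUNNEL_DATA_TYPE, IPPROTO_IPIP, 0)
    udp_len = 8 + len(tunnel_hdr) + len(inner_ip_packet)
    udp_hdr = struct.pack("!HHHH", binding.ha_data_port, binding.tunnel_dst_port, udp_len, 0)  # checksum 0 = none
    return binding.tunnel_dst_ip, udp_hdr + tunnel_hdr + inner_ip_packet
```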

Slide 12

MIP Traffic Flow

Slide 14

IPSec NAT Transparency
The IPSec NAT Transparency feature introduces support for IPSec traffic to travel through NAT or PAT points in the network by encapsulating IPSec packets in a User Datagram Protocol (UDP) wrapper, which allows the packets to traverse NAT devices.
IKE Phase 1 Negotiation: NAT Detection
IKE Phase 2 Negotiation: NAT Traversal Decision
UDP Encapsulation of IPSec Packets for NAT Traversal

Slide 15

IKE Phase 1 Negotiation: NAT Detection
During Internet Key Exchange (IKE) phase 1 negotiation, two kinds of NAT detection take place before IKE Quick Mode begins: NAT support and NAT presence along the network path. To detect NAT support, you exchange the vendor identification (ID) string with the remote peer. Detecting whether NAT exists along the network path lets you discover any NAT device between two peers and the exact location of the NAT. To detect whether a NAT device exists along the network path, the peers send a payload with hashes of the IP address and port of both the source and the destination address from each end.
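The NAT-detection exchange just described, as an added example that is neither the deck's nor Cisco's code: each peer hashes the destination address and its own source address into NAT-D payloads, and the receiver rehashes the addresses actually present in the packet headers to learn whether a NAT exists and on which side. The payload layout HASH(CKY-I | CKY-R | IP | Port) and SHA-1 as the negotiated hash are assumed from RFC 3947; the cookies and the addresses (an initiator behind a NAPT, a responder on the public side) are constructed sample values.

```python
import hashlib
import socket
import struct


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """One NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), SHA-1 assumed as the IKE hash."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def build_nat_d_list(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """Sender side: the first payload covers the destination (peer) address as the sender sees it,
    the following one(s) cover the sender's own source address(es)."""
    return [nat_d(cky_i, cky_r, peer_ip, peer_port), nat_d(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, received, seen_src_ip, seen_src_port, my_ip, my_port):
    """Receiver side: a source hash that matches nothing the sender computed means the sender's
    address was rewritten in transit (sender behind NAT); a destination hash that does not match
    our own address means our address was rewritten (we are behind NAT)."""
    dst_hash, src_hashes = received[0], received[1:]
    peer_behind_nat = nat_d(cky_i, cky_r, seen_src_ip, seen_src_port) not in src_hashes
    self_behind_nat = nat_d(cky_i, cky_r, my_ip, my_port) != dst_hash
    return {"peer_behind_nat": peer_behind_nat,
            "self_behind_nat": self_behind_nat,
            "use_udp_encapsulation": peer_behind_nat or self_behind_nat}


# Constructed scenario: initiator 10.0.0.5:500 sits behind a NAPT that rewrites it to
# 203.0.113.7:40500; responder 198.51.100.9:500 is on the public side. Fixed sample cookies.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def responder_view():
    """Responder receives the initiator's NAT-D payloads in a packet whose source the NAPT rewrote."""
    payloads = build_nat_d_list(CKY_I, CKY_R, "10.0.0.5", 500, "198.51.100.9", 500)
    return detect_nat(CKY_I, CKY_R, payloads, "203.0.113.7", 40500, "198.51.100.9", 500)


def initiator_view():
    """Initiator receives the responder's payloads; the responder hashed the translated address it saw."""
    payloads = build_nat_d_list(CKY_I, CKY_R, "198.51.100.9", 500, "203.0.113.7", 40500)
    return detect_nat(CKY_I, CKY_R, payloads, "198.51.100.9", 500, "10.0.0.5", 500)
```

Both sides reach the same conclusion: the NAT is on the initiator's side, so the peers switch to UDP encapsulation for the IPSec traffic.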

Slide 16

IKE Phase 2 Negotiation: NAT Traversal Decision
IKE phase 2 decides whether or not the peers at both ends will use NAT traversal. The Quick Mode (QM) security association (SA) payload in QM1 and QM2 is used for the NAT traversal negotiation. Because the NAT device changes the IP address and port number, incompatibilities between NAT and IPSec can arise. Exchanging the original source address therefore bypasses those incompatibilities.

Slide 17

UDP Encapsulation of IPSec Packets for NAT Traversal
In addition to allowing IPSec packets to traverse NAT devices, UDP encapsulation also addresses many incompatibility issues between IPSec and NAT and PAT. Incompatibility between fixed IKE destination ports and PAT: resolved. PAT changes the port in the new UDP header for translation and leaves the original payload unaltered.

Slide 18

Standard IPSec Tunnel Through a NAT/PAT Point (No UDP Encapsulation)

Slide 19

IPSec Packet with UDP Encapsulation

Slide 20

Conclusions
The conventional Mobile IP security mechanisms are also used with the NAT traversal mechanism described in this document. Relying on unauthenticated address information when forming or updating a mobility binding leads to several redirection attack vulnerabilities. In giving a mobile node a mechanism for NAT traversal of Mobile IP traffic, we expand the address space in which a mobile node may operate and acquire care-of addresses. There are many compatibility issues between IPsec ESP and NAT which have been resolved.

Slide 21

References
www.ipunplugged.com/pdf/NAPTTraversalWithMobileIP.pdf
http://rfc3519.x42.com/
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm#wp1027129
