NAT traversal

NAT traversal refers to an algorithm for solving a common problem in TCP/IP networking: establishing connections between hosts in private TCP/IP networks that use NAT devices.

This problem is typically faced by developers of client-to-client networking applications, particularly in peer-to-peer and VoIP activities. NAT-T is frequently used by IPsec VPN clients in order to have ESP packets go through NAT.

Many techniques exist, but no technique works in every situation since NAT behavior is not standardized. Many techniques require a public server on a well-known globally-reachable IP address. Some methods use the server only when establishing the connection (such as STUN), while others are based on relaying all the data through it (such as TURN), which adds bandwidth costs and increases latency, detrimental to conversational VoIP applications.

Most NAT behavior-based techniques fail to preserve enterprise security policies and break end-to-end transparency. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies. To that extent, the most promising IETF standards are Realm-Specific IP (RSIP) and Middlebox Communications (MIDCOM). SOCKS, as the oldest NAT control protocol, remains valid and is widely available, while Universal Plug and Play (UPnP) is attractive for home/SOHO use because it might be widely supported by vendors of small gateways.

The NAT traversal problem

NAT devices allow internal networks to communicate with external networks using a limited number of external IP addresses by changing the source address of outgoing requests and listening for replies. This leaves the internal network ill-suited to act as a server, as the NAT device has no way of determining the internal host for which incoming packets are destined. On the Internet, this problem has not typically been relevant to home users behind NAT devices, as they either do not need to act as servers or can use static NAT mappings to correlate incoming requests to internal hosts. However, applications such as P2P file sharing (such as BitTorrent or Gnutella clients) or VoIP networks (such as Skype) require clients to act like servers, which poses a problem for users behind NAT devices, as incoming requests cannot be correlated to the proper internal host.

NAT traversal and IPsec

In order for IPsec to work through a NAT, the following need to be allowed on the firewall:

Internet Key Exchange (IKE) - User Datagram Protocol (UDP) port 500

IPsec NAT-T - UDP port 4500

Encapsulating Security Payload (ESP) - IP protocol number 50

Often this is accomplished on home routers by enabling "IPsec Passthrough".
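
As an added example (not part of the original article), the Python sketch below sorts packets into the three flows listed above and, on UDP port 4500, separates IKE from UDP-encapsulated ESP and NAT keepalives using the framing defined in RFC 3948. The function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

IKE_PORT, NATT_PORT = 500, 4500     # UDP ports from the list above
PROTO_UDP, PROTO_ESP = 17, 50       # IP protocol numbers

def classify(ip_proto, payload):
    """Label the bytes that follow the IP header of one packet."""
    if ip_proto == PROTO_ESP:
        return "esp"                                # native ESP, no UDP wrapper
    if ip_proto != PROTO_UDP:
        return "other"
    if len(payload) < 8:
        return "malformed"
    sport, dport, length, _ = struct.unpack("!HHHH", payload[:8])
    if length < 8 or length > len(payload):
        return "malformed"
    data = payload[8:length]
    if NATT_PORT in (sport, dport):
        if data == b"\xff":
            return "natt-keepalive"                 # one 0xFF byte keeps the NAT mapping alive
        if len(data) > 4 and data[:4] == b"\x00" * 4:
            return "natt-ike"                       # non-ESP marker, then an IKE message
        if len(data) >= 8 and data[:4] != b"\x00" * 4:
            return "natt-esp"                       # non-zero SPI plus sequence number
        return "malformed"
    if IKE_PORT in (sport, dport):
        return "ike"
    return "other"

def udp(sport, dport, data):
    """Build a UDP header (checksum 0) plus data; used only for the samples."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ESP_BODY = b"\xc0\xff\xee\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 16  # SPI, seq, data
# Constructed sample packets: (IP protocol number, bytes after the IP header).
SAMPLE = [
    (17, udp(500, 500, b"\x11" * 28)),                  # IKE on UDP 500
    (17, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),  # IKE moved to UDP 4500
    (17, udp(51234, 4500, ESP_BODY)),                   # ESP inside UDP 4500
    (17, udp(51234, 4500, b"\xff")),                    # NAT keepalive
    (50, ESP_BODY),                                     # native ESP
    (17, udp(4500, 4500, b"\x01\x02")),                 # too short to be ESP
    (6, b"\x00" * 20),                                  # TCP, unrelated
]

def summarize(packets):
    """Count packets per label to see which firewall rules a capture exercises."""
    return Counter(classify(proto, body) for proto, body in packets)
```

A capture that shows only "ike" and "natt-ike" labels but no "esp" or "natt-esp" suggests that key exchange succeeds while the data path is being dropped at the firewall or NAT.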

Windows XP SP2 changed the default behaviour so that NAT-T is no longer enabled, because of a rare and controversial security issue. This prevents most home users from using IPsec without making adjustments to their settings. To enable NAT-T for systems behind NATs to communicate with other systems behind NATs, the following registry key needs to be added and set to a value of 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule

IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.

One usage of NAT-T and IPsec is to enable opportunistic encryption between systems. NAT-T allows systems behind NATs to request and establish secure connections on demand.

Security issues




Resource: Part or all of the information provided in this section is brought to you via Wikipedia and other similar sites. Please respect their licenses and for more information visit the homepages of these sites.

Copyright © iFreeware Downloads 2005-2012
All rights reserved