CMPE 209 Network Security
Network Address Translation

Submitted by: "Snoopers"
Suyou He, Thu Nguyen, Shinichi Nishiyama, Eduardo Segura, Shenal Shroff
Date: March 20, 2007

TABLE OF CONTENTS
1 Introduction
2 Mechanism
3 Types of NAT
3.1 NAT types upon the mapping configuration
3.2 Behavior-NAT types with respect to UDP-based bindings
4 Security features
4.1 NAT and IPsec
4.2 IPsec NAT transparency
5 Possible attacks to NAT
5.1 Source spoofing
5.2 Host counting
5.3 Fingerprinting
5.4 Network mapping
6 NAT pros and cons
7 Conclusion
8 References
1 Introduction

Network Address Translation (NAT) was proposed in RFC 1631 as an acceptable short-term solution to IPv4 address depletion. It allows a few registered public IP addresses to be shared by many hosts on a private network. Although it can be used to translate between any two IP addresses, NAT is most often used to map between non-routable private addresses and public addresses. Any computer with an unregistered IP address must go through NAT to communicate with the rest of the world.

2 Mechanism

A NAT router converts the private addresses in each IP packet into legally registered public ones. NAT is commonly supported by WAN access routers and firewall devices. NAT works by creating bindings between addresses. The NAT router transforms only the network part of the address and leaves the host part intact. If the payload also carries source and destination IP addresses, however, the payload of the packet must be considered during translation as well. The NAT router updates the IP header checksum of every packet and additionally regenerates the TCP checksum when TCP packets traverse it.

3 Types of NAT

3.1 NAT types upon the mapping configuration

NAT has been classified into four types according to the mapping configuration between private and public IP addresses: static, dynamic, overloading and overlapping.

Static NAT: one-to-one mapping between a public and a private address. For example, the computer with IP address 192.168.32.10 will always translate to 213.18.123.110.

Dynamic NAT: a private address is mapped to one of a pool of registered public IP addresses. For example, the computer with IP address 192.168.32.10 will translate to the first available address in the range 213.18.123.100 to 213.18.123.150.

Overloading NAT: many private addresses are mapped to different service ports of a single registered public IP address (also known as Port Address Translation, PAT). Each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number.
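To make the translation and checksum handling of sections 2 and 3.1 concrete, here is an added example (not code from the report) of a toy overloading NAT in Python: it rewrites the source address and port of a constructed IPv4/TCP packet to the report's public address 213.18.123.100 and repairs both the IP header checksum and the TCP checksum, whose pseudo-header covers the rewritten address. The packet layout, the port range starting at 40000 and the payload are constructed for this example.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (used by both IP and TCP)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pton(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def with_tcp_checksum(addrs: bytes, seg: bytes) -> bytes:
    # The TCP checksum covers a pseudo-header holding the src/dst addresses, so a
    # NAT that rewrites an address must recompute it even if the segment is untouched.
    pseudo = addrs + struct.pack("!BBH", 0, 6, len(seg))
    seg = seg[:16] + b"\x00\x00" + seg[18:]
    return seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]

def with_ip_checksum(hdr: bytes) -> bytes:
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 (20 bytes, no options) + TCP SYN packet with valid checksums."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0) + payload
    seg = with_tcp_checksum(pton(src) + pton(dst), seg)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0x1234, 0, 64, 6, 0,
                      pton(src), pton(dst))
    return with_ip_checksum(hdr) + seg

def checksums_ok(pkt: bytes) -> bool:
    # Both checksums verify when the ones'-complement sum over the covered bytes is zero.
    hdr, seg = pkt[:20], pkt[20:]
    pseudo = hdr[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(hdr) == 0 and checksum(pseudo + seg) == 0

class PortTranslator:
    """Overloading NAT: many private (address, port) pairs share one public address."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port, self.bindings = public_ip, first_port, {}

    def outbound(self, pkt: bytes) -> bytes:
        hdr, seg = pkt[:20], pkt[20:]
        key = (hdr[12:16], seg[:2])                   # (private address, private port)
        if key not in self.bindings:                  # first packet of a flow: new binding
            self.bindings[key] = self.next_port
            self.next_port += 1
        hdr = with_ip_checksum(hdr[:12] + pton(self.public_ip) + hdr[16:])
        seg = struct.pack("!H", self.bindings[key]) + seg[2:]
        # Only headers are rewritten; addresses carried in the payload (e.g. FTP) need an ALG.
        return hdr + with_tcp_checksum(hdr[12:20], seg)
```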
Overlapping NAT: internal addresses on the private network are mapped to external addresses on the public network, where the internal addresses are also registered addresses in use elsewhere. For example, the internal IP range (237.16.32.xx) is also a registered range used by another network. The NAT router translates these addresses to unique public addresses to avoid conflicts with the other network.

3.2 Behavior-NAT types with respect to UDP-based bindings

UDP traverses a NAT router differently from TCP. There is no explicit session state within a NAT for a UDP packet exchange, so different NAT routers behave differently with respect to UDP bindings. These behaviours have been classified into four types of NAT with respect to UDP-based bindings: symmetric, full-cone, restricted-cone and port-restricted-cone.

4 Security features

4.1 NAT and IPsec

NAT makes IPsec complicated. The IPsec Authentication Header (AH) is intended to prevent unauthorized modification, source spoofing and man-in-the-middle attacks. Because NAT modifies IP packets, it cannot simply work with IPsec AH. AH produces a keyed hash over the entire IP packet using a message digest algorithm; if any field of the original IP packet is modified, the recipient discards the packet with an authentication failure, as shown in the following figure.

The IPsec Encapsulating Security Payload (ESP) also employs a message digest algorithm for packet authentication. Unlike AH, however, ESP does not include the IP header in the hash it computes. When TCP or UDP is carried in transport-mode ESP, NAT modifies the TCP packet and recalculates the checksum used to verify its integrity. If NAT updates the TCP checksum, ESP authentication fails; if NAT leaves the checksum alone, TCP verification fails unless checksum verification is disabled on the receiving host. Either way, NAT tampers with end-to-end message integrity.
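The AH/ESP conflict described in 4.1, as an added example that is not from the report: simplified AH and ESP integrity checks (HMAC-SHA256 over a constructed packet, with AH zeroing only the TTL and header checksum as its mutable fields, a subset of what real AH excludes) show that rewriting the source address breaks AH either way, while for transport-mode ESP the NAT must choose between breaking the ESP check (by fixing the TCP checksum) or the TCP checksum (by leaving it). The key, addresses and packet contents are constructed.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"   # shared integrity key, constructed for this example

def csum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (needed only for the TCP checksum here)."""
    data += b"\x00" * (len(data) % 2)
    s = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def pton(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def ip_hdr(src: str, dst: str, plen: int) -> bytes:
    """Constructed 20-byte IPv4 header carrying a TCP payload of plen bytes."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 1, 0, 64, 6, 0, pton(src), pton(dst))

def fix_tcp_checksum(addrs: bytes, seg: bytes) -> bytes:
    """Recompute the TCP checksum over pseudo-header (src/dst addresses) + segment."""
    pseudo = addrs + struct.pack("!BBH", 0, 6, len(seg))
    seg = seg[:16] + b"\x00\x00" + seg[18:]
    return seg[:16] + struct.pack("!H", csum(pseudo + seg)) + seg[18:]

def tcp_checksum_ok(ip: bytes, seg: bytes) -> bool:
    return csum(ip[12:20] + struct.pack("!BBH", 0, 6, len(seg)) + seg) == 0

def ah_icv(ip: bytes, seg: bytes) -> bytes:
    """AH (simplified): keyed hash over IP header + payload with TTL and header
    checksum zeroed, so the source/destination addresses are covered."""
    immutable = ip[:8] + b"\x00" + ip[9:10] + b"\x00\x00" + ip[12:]
    return hmac.new(KEY, immutable + seg, hashlib.sha256).digest()

def esp_icv(seg: bytes) -> bytes:
    """ESP transport mode (simplified): keyed hash over the TCP segment only."""
    return hmac.new(KEY, seg, hashlib.sha256).digest()

def after_nat(fix_checksum: bool) -> tuple:
    """(ah_ok, esp_ok, tcp_ok) as seen by the receiver after NAT rewrote the source."""
    src, dst, pub = "192.168.32.10", "203.0.113.5", "213.18.123.100"
    seg = fix_tcp_checksum(pton(src) + pton(dst),
                           struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 8192, 0, 0) + b"hello")
    ip = ip_hdr(src, dst, len(seg))
    ah, esp = ah_icv(ip, seg), esp_icv(seg)           # ICVs computed by the sender
    ip2 = ip[:12] + pton(pub) + ip[16:]                # NAT rewrites the source address
    seg2 = fix_tcp_checksum(ip2[12:20], seg) if fix_checksum else seg
    return (hmac.compare_digest(ah, ah_icv(ip2, seg2)),
            hmac.compare_digest(esp, esp_icv(seg2)),
            tcp_checksum_ok(ip2, seg2))
```

Calling `after_nat(False)` returns `(False, True, False)` and `after_nat(True)` returns `(False, False, True)`: no choice the NAT makes keeps both the IPsec check and the TCP checksum valid.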
For example,

4.2 IPsec NAT Transparency

A standard IPsec virtual private network (VPN) tunnel cannot deliver IPsec packets through NAT. IPsec NAT Transparency is required to allow remote-access users to build IPsec tunnels to home gateways; such gateways are called NAT IPsec-aware. Cisco now provides a NAT IPsec-aware solution [8]. In practice, many issues remain to be solved. For example, IPsec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators [9].

5 Possible Attacks to NAT

There are four possible types of attack on NAT:

5.1 Source Spoofing

An attacker uses a fake source IP address to inject malicious packets into the network. All that is needed is one packet with an external source IP address, the public NAT address as destination IP address and the right port number. With such packets the attacker can overwhelm the server.

5.2 Host Counting

An attacker can use the "ID" field of the IP header. The ID field of IP packets is implemented as a sequential counter, and NAT boxes do not change it. By building sequences of IDs that match within reasonable gap and time bounds, one can infer the actual number of machines behind the NAT from a trace.

5.3 Fingerprinting

Every TCP/IP implementation is different, so every TCP/IP stack is unique: stacks use different values for TTL (Time to Live), SEQ (sequence numbers), flags, etc. By carefully studying the differences in these fields, it is possible to identify the operating system.

5.4 Network Mapping

Several techniques can be used to map the network. One of them relies on ICMP TTL Exceeded messages: the attacker injects packets with low TTL values so that they expire inside the NAT, and the internal routers generate TTL Exceeded replies. The attacker uses these messages to map the internal network.

6 NAT Pros and Cons

Pros:
- Hosts on the private network can share a limited number of public IP addresses.
- Dynamic NAT acts as a natural firewall between the private network and public networks/the Internet.
- A computer on an external network cannot connect to your computer unless your computer initiated the contact.

Cons:
- Breaks the end-to-end connectivity model.
- Breaks certain applications that rely on NAT-sensitive protocols.
- NAT needs to recompute TCP checksums, which requires that the TCP header is not encrypted; for instance, the TCP checksum field cannot be modified in IPsec transport mode.
- Many application protocols, such as FTP, carry IP addresses inside the application-level protocol. In this case an Application-Level Gateway (ALG) is required to complete the translation.

7 Conclusion

Technically, NAT is a firewall: dynamic NAT is a natural firewall between the private network and public networks/the Internet. But NAT is not designed to be a firewall. NAT allows IPv4 addresses to be reused, since hosts on the private network can share a limited number of public IP addresses; it also delays the deployment of IPv6. And NAT breaks the end-to-end connectivity model.

8 References

1. Jeff Tyson, How Network Address Translation Works. http://computer.howstuffworks.com/nat.htm
2. RFC 1631, The IP Network Address Translator (NAT). http://www.rfc-editor.org/rfc/rfc1631.txt
3. RFC 1918, Address Allocation for Private Internets. http://www.rfc-editor.org/rfc/rfc1918.txt
4. Lisa Phifer, The Trouble with NAT. http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html
5. Geoff Huston, Anatomy: A Look Inside Network Address Translators. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_73/anatomy.html
6. RFC 3022, Traditional IP Network Address Translator.
7. RFC 3489, STUN - Simple Traversal of UDP Through NATs.
8. IPSec NAT Transparency. http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm#1035671
9. IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators. http://support.microsoft.com/kb/885348