CMPE 209 Network Security
Network Address Translation
Submitted By: “Snoopers”
Suyou He
Thu Nguyen
Shinichi Nishiyama
Eduardo Segura
Shenal Shroff
Date: March 20, 2007
TABLE OF CONTENTS
1 INTRODUCTION
2 MECHANISM
3 TYPES OF NAT
3.1 NAT TYPES UPON THE MAPPING CONFIGURATION
3.2 BEHAVIOR-NAT TYPES WITH RESPECT TO UDP-BASED BINDINGS
4 SECURITY FEATURES
4.1 NAT AND IPSEC
4.2 IPSEC NAT TRANSPARENCY
5 POSSIBLE ATTACKS TO NAT
5.1 SOURCE SPOOFING
5.2 HOST COUNTING
5.3 FINGERPRINTING
5.4 NETWORK MAPPING
6 NAT PROS AND CONS
7 CONCLUSION
8 REFERENCES
1 Introduction
Network Address Translation (NAT) was proposed in RFC 1631 as a short-term measure
against IPv4 address depletion. It allows several hosts on a private network to share
a small number of registered public IP addresses. Although NAT can translate between
any two IP addresses, it is most often used to map between non-routable private
addresses (RFC 1918) and public addresses. Hosts with unregistered (private) addresses
must go through NAT to communicate with the rest of the Internet.
2 Mechanism
A NAT router rewrites the private addresses in each IP packet into registered public
ones. NAT is commonly supported by WAN access routers and firewall devices. NAT works
by creating bindings between private and public addresses (and, for port translation,
between private and public ports) and rewriting the address and port fields of every
packet that matches a binding. Because the IPv4 header checksum covers the address
fields, and the TCP and UDP checksums cover a pseudo-header that also contains the
addresses, the NAT router must recompute the IP header checksum and regenerate the
TCP or UDP checksum of every packet it translates. If the payload itself carries IP
addresses or port numbers (FTP, for example), the payload must also be rewritten,
which requires an application-level gateway that understands the protocol.
3 Types of NAT
3.1 NAT types upon the mapping configuration
Four types of NAT are distinguished by how private and public IP addresses are mapped:
static, dynamic, overloading, and overlapping.
Static NAT: A fixed one-to-one mapping between a private and a public address. For
example, the computer with the IP address 192.168.32.10 is always translated to
213.18.123.110.
Dynamic NAT: A private address is mapped to one of a pool of registered public
addresses, chosen when the host starts sending. For example, the computer with the IP
address 192.168.32.10 is translated to the first available address in the range
213.18.123.100 to 213.18.123.150.
Overloading NAT: Many private addresses share a single registered public address and
are told apart by transport port number (also known as Port Address Translation, PAT,
or NAPT). Each computer on the private network is translated to the same IP address
(213.18.123.100) but with a different source port.
Overlapping NAT: Used when the addresses in the private network are also registered
to, and routable in, another network. For example, the report's internal range
237.16.32.xx is also a registered range used by another network (note that 237.x.x.x
actually falls in the multicast block 224.0.0.0/4, so a real case would involve a
unicast range). The NAT router translates in both directions so that the internal
addresses do not conflict with the other network.
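The mechanism of section 2 and the overloading (PAT) case above, as an added worked example that is not part of the original report: a minimal NAPT translator that rewrites the source address and port, keeps the binding table in both directions, and regenerates the IPv4 header checksum and the TCP checksum (which covers a pseudo-header containing the addresses). The addresses, ports and the SYN packet are constructed for the example; the header layouts follow RFC 791 and RFC 793 with no options.

```python
"""NAPT (overloading NAT) translation with checksum fix-up.

Added illustration, not code from the report. Addresses and ports are
constructed. An outbound IPv4/TCP packet from a private host is rewritten
the way an overloading NAT (RFC 3022 NAPT) would rewrite it, and both the
IPv4 header checksum and the TCP checksum are regenerated, because the TCP
checksum covers a pseudo-header that contains the IP addresses.
"""
import socket
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over data whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over pseudo-header (src, dst, zero, proto 6, length) + segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)


def fix_checksums(ip: bytearray, tcp: bytearray) -> None:
    """Recompute both checksums in place (options-free IPv4 header assumed)."""
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", internet_checksum(bytes(ip)))
    src, dst = socket.inet_ntoa(bytes(ip[12:16])), socket.inet_ntoa(bytes(ip[16:20]))
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed 40-byte IPv4/TCP SYN with no options and valid checksums."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                               socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 0x50, 0x02, 65535, 0, 0))
    fix_checksums(ip, tcp)
    return bytes(ip + tcp)


def endpoints(pkt: bytes):
    """(src_ip, sport, dst_ip, dport) of an options-free IPv4/TCP packet."""
    return (socket.inet_ntoa(pkt[12:16]), struct.unpack("!H", pkt[20:22])[0],
            socket.inet_ntoa(pkt[16:20]), struct.unpack("!H", pkt[22:24])[0])


def checksums_ok(pkt: bytes):
    """(ip_header_ok, tcp_ok): a valid checksum sums to zero when included in the sum."""
    ip, tcp = pkt[:20], pkt[20:]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    return internet_checksum(ip) == 0, tcp_checksum(src, dst, tcp) == 0


class OverloadingNat:
    """Many private (ip, port) pairs share one public IP, told apart by public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def outbound(self, pkt: bytes) -> bytes:
        ip, tcp = bytearray(pkt[:20]), bytearray(pkt[20:])
        key = (socket.inet_ntoa(bytes(ip[12:16])), struct.unpack("!H", bytes(tcp[0:2]))[0])
        if key not in self.out_map:               # first packet of a flow: create the binding
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        ip[12:16] = socket.inet_aton(self.public_ip)
        tcp[0:2] = struct.pack("!H", self.out_map[key])
        fix_checksums(ip, tcp)                    # addresses changed, so both checksums did
        return bytes(ip + tcp)

    def inbound(self, pkt: bytes):
        """Translate a reply; None means no binding exists and the packet is dropped."""
        ip, tcp = bytearray(pkt[:20]), bytearray(pkt[20:])
        key = self.in_map.get(struct.unpack("!H", bytes(tcp[2:4]))[0])
        if key is None:
            return None
        ip[16:20] = socket.inet_aton(key[0])
        tcp[2:4] = struct.pack("!H", key[1])
        fix_checksums(ip, tcp)
        return bytes(ip + tcp)


def rewrite_address_only(pkt: bytes, new_src: str) -> bytes:
    """What a NAT that cannot see the transport header produces (the IPsec ESP
    transport-mode case): the IP checksum is fixed, the TCP checksum is left stale."""
    ip, tcp = bytearray(pkt[:20]), bytearray(pkt[20:])
    ip[12:16] = socket.inet_aton(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", internet_checksum(bytes(ip)))
    return bytes(ip + tcp)
```

Two hosts using the same private source port get different public ports, which is what lets the reply be demultiplexed back; a packet arriving for a public port with no binding is dropped, which is the "natural firewall" effect discussed later in the report. The last function shows the point made in section 4.1: rewriting the address without regenerating the TCP checksum leaves a packet the receiver's TCP will reject.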
3.2 Behavior-NAT types with respect to UDP-based bindings
UDP traverses a NAT router differently from TCP. There are no SYN or FIN flags, so the
NAT has no explicit session state to observe for a UDP exchange; it must decide on its
own when to create and expire a binding and which inbound packets may use it, and
different NAT routers decide differently. RFC 3489 classifies NAT behaviour toward
UDP bindings into four types: full cone (any external host may send to the mapped
public port), restricted cone (only hosts the internal host has already sent to, from
any port), port-restricted cone (only the exact address and port pairs already
contacted), and symmetric (a new mapping for every destination, and only that
destination may send back through it).
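The four UDP behaviours, as an added simulation that is not part of the original report. It separates the two decisions a NAT makes (whether one public port is reused for every destination, and which external sources are allowed back in through it) and runs a STUN-style probe against each type. All addresses, ports and the probe scenario are constructed for the example.

```python
"""Simulating the four UDP binding behaviours (RFC 3489 terminology).

Added illustration, not from the report. Addresses are constructed. A binding
is created by the first outbound datagram from a private (ip, port). The four
types differ in two decisions: whether one public port is reused for every
destination (mapping) and which external sources may send inbound through it
(filtering).
"""

BEHAVIOURS = ("full-cone", "restricted-cone", "port-restricted-cone", "symmetric")


class UdpNat:
    def __init__(self, behaviour: str, public_ip: str = "203.0.113.1", first_port: int = 40000):
        if behaviour not in BEHAVIOURS:
            raise ValueError(behaviour)
        self.behaviour = behaviour
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings = {}   # key -> {"port": public_port, "dests": set of (ip, port) contacted}

    def _key(self, private, dest):
        # Cone NATs map a private endpoint once, reused for every destination.
        # A symmetric NAT allocates a fresh mapping per (private endpoint, destination).
        return (private, dest) if self.behaviour == "symmetric" else (private,)

    def outbound(self, private, dest):
        """Datagram from private=(ip, port) to dest=(ip, port); returns the public endpoint used."""
        key = self._key(private, dest)
        b = self.bindings.get(key)
        if b is None:
            b = {"port": self.next_port, "dests": set()}
            self.next_port += 1
            self.bindings[key] = b
        b["dests"].add(dest)
        return (self.public_ip, b["port"])

    def inbound(self, src, public_port):
        """Datagram from external src=(ip, port) to public_port.
        Returns the private endpoint it is delivered to, or None if the NAT drops it."""
        for key, b in self.bindings.items():
            if b["port"] != public_port:
                continue
            private = key[0]
            if self.behaviour == "full-cone":
                return private                                # anyone may send in
            if self.behaviour == "restricted-cone":
                if any(d[0] == src[0] for d in b["dests"]):   # host contacted before, any port
                    return private
                return None
            # port-restricted-cone and symmetric: the exact (ip, port) must have been contacted
            return private if src in b["dests"] else None
        return None                                           # no binding for this port


def probe(behaviour: str) -> dict:
    """Exercise one NAT type the way a STUN-style test would and summarise what got through."""
    nat = UdpNat(behaviour)
    host = ("10.0.0.5", 5000)                 # constructed internal endpoint
    server_a = ("198.51.100.10", 3478)        # two constructed external servers
    server_b = ("198.51.100.20", 3478)
    pub_a = nat.outbound(host, server_a)
    pub_b = nat.outbound(host, server_b)
    port = pub_a[1]
    return {
        "same_public_port": pub_a == pub_b,
        "from_contacted": nat.inbound(server_a, port) == host,
        "from_contacted_host_other_port": nat.inbound(("198.51.100.10", 9999), port) == host,
        "from_stranger": nat.inbound(("192.0.2.99", 3478), port) == host,
    }
```

The "from_stranger" result is the one that matters for the spoofing discussion later in the report: a full-cone NAT delivers any datagram addressed to an open public port to the internal host, while the other three types require the sender to be a host (or host and port) the internal machine already spoke to.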
4 Security features
4.1 NAT and IPsec
NAT complicates IPsec. The IPsec Authentication Header (AH) is intended to prevent
unauthorized modification, source spoofing, and man-in-the-middle attacks. AH
computes a keyed hash (an HMAC) over the entire IP packet, including the source and
destination addresses of the IP header; only fields that legitimately change in
transit, such as the TTL and the header checksum, are excluded. Because NAT rewrites
the addresses, any AH packet that crosses a NAT fails the recipient's integrity check
and is discarded, as illustrated in the report's figure.
The IPsec Encapsulating Security Payload (ESP) also uses a keyed message digest for
packet authentication, but unlike AH its integrity check does not cover the outer IP
header, so NAT's address rewrite does not by itself invalidate it. The problem arises
in transport mode with TCP or UDP inside: the transport checksum was computed over a
pseudo-header containing the original addresses, and the transport header is
encrypted, so the NAT cannot update the checksum. After decryption the receiver's TCP
checksum verification fails unless that verification is turned off under your
control. Either way, NAT tampers with end-to-end message integrity. For example,
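The AH failure described above, as an added worked example that is not the report's code: the sender computes an integrity check value (ICV) over the IP header and payload with the mutable fields zeroed as RFC 4302 prescribes, a plain router hop (TTL decrement) still verifies, and a NAT hop (source address rewrite) does not. The key and addresses are constructed, and HMAC-SHA256 truncated to 96 bits is used as the ICV for illustration; the payload stands in for the AH header (with its ICV field zeroed) plus the data.

```python
"""Why NAT breaks IPsec AH: the integrity check covers the IP addresses.

Added illustration, not the report's code. AH computes a keyed hash over the
IP header and payload with the fields that legitimately change in transit
(DSCP/ECN, flags, fragment offset, TTL, header checksum) zeroed out; the
source and destination addresses are not among them (RFC 4302). The ICV here
is HMAC-SHA256 truncated to 96 bits, a choice made for the example; the key
and addresses are constructed.
"""
import hashlib
import hmac
import socket
import struct

SA_KEY = b"constructed-example-key-not-real"   # constructed, not real SA material
AH_PROTO = 51


def ipv4_header(src: str, dst: str, ttl: int = 64, payload_len: int = 32) -> bytes:
    """Options-free IPv4 header (header checksum left zero; AH treats it as mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x0001, 0x4000,
                       ttl, AH_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(ip_header: bytes, payload: bytes, key: bytes = SA_KEY) -> bytes:
    """ICV over the header with mutable fields zeroed, followed by the payload."""
    h = bytearray(ip_header)
    h[1] = 0                 # DSCP/ECN: mutable
    h[6:8] = b"\x00\x00"     # flags + fragment offset: mutable
    h[8] = 0                 # TTL: mutable, every router decrements it
    h[10:12] = b"\x00\x00"   # header checksum: mutable
    # Everything else, including both addresses, is covered by the ICV.
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()[:12]


def ah_verify(ip_header: bytes, payload: bytes, icv: bytes, key: bytes = SA_KEY) -> bool:
    return hmac.compare_digest(ah_icv(ip_header, payload, key), icv)


def router_hop(ip_header: bytes) -> bytes:
    """An ordinary router: decrement the TTL (it would also fix the header checksum)."""
    h = bytearray(ip_header)
    h[8] -= 1
    return bytes(h)


def nat_hop(ip_header: bytes, public_ip: str) -> bytes:
    """A NAT: decrement the TTL and rewrite the source address."""
    h = bytearray(router_hop(ip_header))
    h[12:16] = socket.inet_aton(public_ip)
    return bytes(h)


def demo():
    """Returns (verifies_after_router, verifies_after_nat) for one constructed AH packet."""
    payload = b"constructed AH header plus data"
    hdr = ipv4_header("192.168.32.10", "198.51.100.7", payload_len=len(payload))
    icv = ah_icv(hdr, payload)                       # computed by the sender
    return (ah_verify(router_hop(hdr), payload, icv),
            ah_verify(nat_hop(hdr, "213.18.123.100"), payload, icv))
```

The receiver cannot tell a NAT rewrite from a forgery: both change covered bytes, and that is precisely the protection AH is meant to give. ESP's ICV, by contrast, starts at the ESP header and would survive the same NAT hop, which is why NAT traversal solutions are built around ESP rather than AH.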
4.2 IPsec NAT Transparency
A standard IPsec virtual private network (VPN) tunnel does not survive a NAT for the
reasons above. IPsec NAT Transparency (NAT Traversal, NAT-T) is required to allow
remote-access users behind a NAT to build IPsec tunnels to a home gateway; such a
gateway is called NAT-IPsec-aware. NAT-T detects the NAT during IKE negotiation and
encapsulates the ESP packets in UDP (port 4500), so the NAT rewrites only the outer
IP and UDP headers and the inner IPsec packet passes through unchanged. Cisco now
provides a NAT-IPsec-aware solution. In practice there are still many issues to be
solved; for example, Microsoft does not recommend IPsec NAT-T for Windows Server 2003
computers that are behind network address translators (KB 885348).
5 Possible Attacks to NAT
There are four types of attack to consider against NAT:
5.1 Source Spoofing
An attacker can inject malicious packets with a forged source IP address. All that is
needed is a packet with an external source address, the NAT's public address as
destination, and a port number for which the NAT currently holds a binding; the NAT
translates such a packet and forwards it to the internal host, since it has no way to
authenticate the source address. With a full-cone NAT any external source is accepted;
with restricted NATs the attacker must use (or spoof) the address of a host the
internal machine is already talking to. A flood of such packets can overwhelm the
internal server.
5.2 Host Counting
An attacker can use the Identification ("ID") field of the IP header. Many IP stacks
implement the ID field as a per-host sequential counter, and NAT boxes do not rewrite
it. By grouping the IDs seen from the NAT's public address into sequences that
increase within reasonable gap and time bounds, one can infer the actual number of
machines behind the NAT from a packet trace. The technique only works for hosts that
still use a global sequential counter; stacks that randomise the ID, or set it to
zero on packets with the DF bit set, defeat it.
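The host-counting inference above, as an added worked example that is not part of the original report. The trace is constructed: every packet was captured on the public side with the NAT's single source address, so only the timestamp and IP ID are kept, and the gap and time bounds are assumptions chosen for the example.

```python
"""Estimating the number of hosts behind a NAT from the IP Identification field.

Added illustration, not from the report. The trace is constructed: every
packet was seen on the public side with the NAT's single source address, so
only (time, ip_id) is kept. Hosts whose stacks use a sequential per-host
IP ID counter produce interleaved runs that each increase by small steps;
assigning every packet to the run whose last ID is its nearest plausible
predecessor (within max_gap IDs and max_dt seconds, modulo the 16-bit wrap)
and counting the runs gives a lower bound on the number of hosts.
"""


def split_into_runs(trace, max_gap=50, max_dt=10.0):
    """trace: list of (time_seconds, ip_id), ordered by time.
    Returns one list of IDs per inferred host, in order of first appearance."""
    runs = []   # each run: {"last_id": int, "last_t": float, "ids": [...]}
    for t, ident in trace:
        best, best_gap = None, None
        for run in runs:
            gap = (ident - run["last_id"]) % 65536       # counter wraps at 2**16
            if 0 < gap <= max_gap and t - run["last_t"] <= max_dt:
                if best is None or gap < best_gap:
                    best, best_gap = run, gap            # nearest plausible predecessor wins
        if best is None:                                 # no run fits: assume a new host
            best = {"last_id": ident, "last_t": t, "ids": []}
            runs.append(best)
        best["ids"].append(ident)
        best["last_id"], best["last_t"] = ident, t
    return [run["ids"] for run in runs]


def estimate_hosts(trace, **bounds) -> int:
    """Number of distinct ID sequences, i.e. the inferred host count."""
    return len(split_into_runs(trace, **bounds))


# Constructed trace: three hosts whose counters started near 1000, 30000 and
# 65530 (the third one wraps past 65535), interleaved in time. Assumption for
# the example: timestamps are seconds since capture start.
SAMPLE_TRACE = [
    (0.0, 1000), (0.1, 30000), (0.2, 65530), (0.3, 1001), (0.4, 30003),
    (0.5, 65533), (0.6, 1002), (0.7, 1), (0.8, 30004), (0.9, 1005),
    (1.0, 4), (1.1, 30010), (1.2, 1006),
]
```

The bounds matter: too small a max_gap splits one busy host into several runs, too large a value merges idle hosts whose counters happen to be close, so the result is an estimate rather than an exact count. On a real trace the same code is run over the ID field of every packet whose source is the NAT's public address.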
5.3 Fingerprinting
Every TCP/IP implementation differs in detail, so every TCP/IP stack has a recognisable
signature: the initial TTL, the way initial sequence numbers (SEQ) are generated, the
window size, TCP option ordering, flag handling, and so on. NAT rewrites addresses and
ports but leaves most of these fields alone, so by carefully studying them in packets
that have passed through the NAT it is possible to identify the operating system of
the internal host.
5.4 Network Mapping
Different techniques are used for mapping a network. One of them relies on ICMP Time
Exceeded messages: the attacker sends packets with small TTL values so that they are
forwarded through the NAT and expire inside the private network; the internal routers
then generate TTL-exceeded replies, and from these the attacker carefully maps the
internal network. The technique only reaches as far as the NAT forwards the probes
inward, so it requires a binding or forwarding rule that the probes can match.
6 NAT Pros and Cons
Pros:
- Hosts in the private network can share a limited number of public IP addresses.
- Dynamic and overloading NAT act as a natural firewall between the private network
and the public network/Internet. A computer on an external network cannot connect to
an internal computer unless the internal computer initiated the contact, because the
NAT holds no binding for an unsolicited inbound packet and drops it.
Cons:
- Breaks the end-to-end connectivity model, and breaks applications that rely on
NAT-sensitive protocols. NAT must recompute TCP checksums, which requires that the
TCP header not be encrypted; for instance, the TCP checksum field cannot be modified
in IPsec transport mode. Many application protocols, FTP among them, carry IP addresses
and ports inside the application data, and an Application-Level Gateway (ALG) is then
required to complete the translation.
7 Conclusion
Dynamic NAT behaves like a firewall in one respect: unsolicited inbound connections
cannot reach hosts in the private network. But NAT is not designed as a firewall and
should not be relied on as one. NAT lets hosts in a private network share a limited
number of public addresses and so reuses the IPv4 address space, which has also
delayed the deployment of IPv6. In return, NAT breaks the end-to-end connectivity
model.
8 References
1. Jeff Tyson, How Network Address Translation Works
http://computer.howstuffworks.com/nat.htm
2. RFC 1631 - The IP Network Address Translator (NAT)
http://www.rfc-editor.org/rfc/rfc1631.txt
3. RFC 1918 - Address Allocation for Private Internets
http://www.rfc-editor.org/rfc/rfc1918.txt
4. Lisa Phifer, The Trouble with NAT
http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html
5. Geoff Huston, Anatomy: A Look Inside Network Address Translators
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_73/anatomy.html
6. RFC 3022 - Traditional IP Network Address Translator (Traditional NAT)
7. RFC 3489 - STUN - Simple Traversal of User Datagram Protocol (UDP) Through NATs
8. Cisco, IPSec NAT Transparency
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/
122t13/ftipsnat.htm#1035671
9. Microsoft, IPSec NAT-T is not recommended for Windows Server 2003 computers that
are behind network address translators. http://support.microsoft.com/kb/885348