Question

It is said that IPSEC may not work with Network Address Translation (NAT) (RFC 1631). However, whether IPSEC will work with NAT depends on which mode of IPSEC and NAT we use. Suppose we use true NAT, where only IP addresses are translated (without port translation). Will IPSEC and NAT work in each of the following cases? Explain why or why not. (a) IPSEC uses \(\mathrm{AH}\) transport mode. (b) IPSEC uses \(\mathrm{AH}\) tunnel mode. (c) IPSEC uses ESP transport mode. (d) IPSEC uses ESP tunnel mode. (e) What if we use PAT (Port Address Translation), also known as Network Address/Port Translation (NAPT) in NAT, where in addition to IP addresses, port numbers will be translated to share one IP address from outside the private networ?

Short answer

AH transport mode does not work with NAT. AH and ESP tunnel modes work with NAT. ESP transport mode works with NAT. PAT affects ESP transport mode.

Step-by-step solution

- Understand the Modes

IPSEC can operate in two modes: Transport mode and Tunnel mode. It also has two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).

- AH Transport Mode with NAT

In AH transport mode, the original IP header is included in the integrity check. If NAT modifies the IP header, this integrity check will fail. Therefore, AH transport mode will not work with NAT.

- AH Tunnel Mode with NAT

In AH tunnel mode, the entire original IP packet, including the original header, is encapsulated within a new IP header. NAT modifies the outer IP header, but the original header remains intact inside. Thus, AH tunnel mode works with NAT.

- ESP Transport Mode with NAT

ESP in transport mode only encrypts the payload, leaving the IP header unchanged. NAT changes the IP header, but ESP does not perform integrity checks on the header. Therefore, ESP transport mode works with NAT.

- ESP Tunnel Mode with NAT

Similar to AH tunnel mode, ESP tunnel mode encapsulates the entire original IP packet. NAT modifies the outer IP header, but the inner header remains unchanged. Hence, ESP tunnel mode works with NAT.

- PAT Impact

With PAT, both the port numbers and IP addresses are translated. This affects ESP transport mode because the port number is part of the payload. Therefore, IPSEC in transport mode will generally not work with PAT. In tunnel mode, there is no impact as the entire packet is encapsulated.

Key concepts

IPSEC Modes

IPSEC (Internet Protocol Security) can operate in two distinct modes:

• Transport Mode: In this mode, only the payload or data part of the IP packet is encrypted or authenticated. The original IP header remains unchanged. This is suitable for end-to-end communication between two devices.
• Tunnel Mode: Here, the entire original IP packet is encapsulated within a new IP packet with a new IP header. This is typically used for network-to-network communication, such as between two VPN gateways.

Understanding the difference between these modes is crucial as they influence how NAT (Network Address Translation) compatibility is handled.

Network Address Translation (NAT)

NAT is a method used to remap one IP address space into another. This helps conserve global IP addresses and can hide internal network structures from external entities.

• True NAT: Translates only IP addresses without altering port numbers. This is straightforward but can run into issues with protocols sensitive to IP changes.
• Port Address Translation (PAT) or Network Address/Port Translation (NAPT): Extends NAT by translating both IP addresses and port numbers. This is often used to allow multiple devices on a local network to share a single public IP address.

Addressing how NAT interacts with different IPSEC modes is key to understanding their mutual compatibility.

Integrity Check

An integral part of IPSEC, the integrity check ensures that the data has not been tampered with during transmission. This involves creating a hash (checksum) of data before transmission, which is then verified upon receipt.

• If data is altered during transit, the hash will not match, indicating potential tampering.
• The Authentication Header (AH) protocol within IPSEC provides this integrity check by including parts of the IP header in the hashing process. This can be problematic if NAT is employed and the IP header is altered.
• Encapsulating Security Payload (ESP) can optionally include a hash for integrity but doesn't normally include IP header data.

Understanding how integrity checks operate helps clarify why certain IPSEC modes are incompatible with NAT.

Authentication Header (AH)

One of the two protocols in IPSEC, AH ensures integrity and authentication of IP packets. It does not encrypt the data but adds a header to each packet for authentication purposes.

• AH Transport Mode: The original IP header is included in the hash. If NAT modifies the IP header, the integrity check fails, causing incompatibility.
• AH Tunnel Mode: Encapsulates the original IP packet, leaving the outer IP header to be altered by NAT without affecting the inner header. This allows compatibility with NAT.

Thoroughly understanding the nuances of AH in different modes is essential when examining NAT compatibility.

Encapsulating Security Payload (ESP)

The second protocol in IPSEC, ESP provides encryption, confidentiality, and optional integrity and authentication. It can be used to encrypt the payload and any additional data.

• ESP Transport Mode: Encrypts only the data, leaving the IP header untouched. This means changes by NAT do not affect the encrypted data, allowing compatibility.
• ESP Tunnel Mode: Encapsulates and encrypts the entire original IP packet within a new IP header. NAT modifies the outer IP header, leaving the inner, encrypted packet intact. This also allows compatibility with NAT.

Understanding how ESP functions in both modes is vital for grasping its interaction with NAT.