CMPE 209 Network Security
Network Address Translation
Submitted By: “Snoopers”
Date: March 20, 2007
Table of Contents
1 Introduction
2 Mechanism
3 Types of NAT
3.1 NAT types upon the mapping configuration
3.2 NAT behavior types with respect to UDP-based bindings
4 Security features
4.1 NAT and IPsec
4.2 IPsec NAT Transparency
5 Possible Attacks to NAT
5.1 Source Spoofing
5.2 Host Counting
5.3 Fingerprinting
5.4 Network Mapping
6 NAT Pros and Cons
7 Conclusion
8 References
1 Introduction
Network Address Translation (NAT) was deemed acceptable as a short-term solution in RFC 1631 to combat IPv4 address depletion. It allows a few registered public IP addresses to be shared by many hosts on a private network. Although it can be used to translate between any two IP addresses, NAT is most often used to map between non-routable private addresses and public addresses. Any computer with an unregistered (private) IP address must go through NAT to communicate with the rest of the Internet.
2 Mechanism
A NAT router converts the private addresses in each IP packet into legally registered public ones. NAT is commonly supported by WAN access routers and firewall devices. NAT works by creating bindings between addresses. The NAT router transforms only the network part of the address and leaves the host part intact. But if the payload carries source and destination IP addresses, the payload must also be considered during translation. The NAT router updates the IP header checksum of every packet it translates, and it also regenerates the TCP checksum when TCP packets traverse it.
3 Types of NAT
3.1 NAT types upon the mapping configuration
NAT has been classified into four types according to the mapping configuration between private and public IP addresses: Static, Dynamic, Overloading, and Overlapping.
Static NAT: One-to-one mapping between a public and a private address. For example, the computer with the IP address 192.168.32.10 will always translate to 22.214.171.124.
Dynamic NAT: Mapping of a private address to one of multiple registered public IP addresses. For example, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 126.96.36.199 to 188.8.131.52.
Overloading NAT: Many private addresses mapped onto the service ports of a single registered public IP address (also known as Port Address Translation, PAT). Each computer on the private network is translated to the same IP address (184.108.40.206) but with a different port number assignment.
Overlapping NAT: Mapping of internal addresses in the private network to external addresses in the public network when the internal range is not unique to the private network. For example, the internal IP range (237.16.32.xx) is also a registered range used by another network. The NAT router translates these addresses to unique public addresses to avoid conflicts with other networks.
3.2 NAT behavior types with respect to UDP-based bindings
UDP traverses a NAT router differently from TCP. There is no explicit session state within a NAT for a UDP packet exchange, so different NAT routers behave differently with respect to UDP bindings. Four types of NAT behavior have been classified with respect to UDP-based bindings: symmetric, full-cone, restricted-cone, and port-restricted-cone.
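The four UDP behaviors differ in two observable ways: whether one inside endpoint gets the same public port for every outside peer, and which outside senders are allowed to reach that port. The following toy model, added here as an illustration and not code from any NAT product or from the paper, builds a small port-translating binding table and applies each filtering rule to inbound datagrams. The public address 203.0.113.1, the inside host 192.168.32.10 and the server endpoints are constructed values.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"   # the NAT's registered address (constructed, RFC 5737 range)

BEHAVIOURS = ("full-cone", "restricted-cone", "port-restricted-cone", "symmetric")


@dataclass
class Binding:
    inside: tuple                              # (private IP, private port) owning the mapping
    public_port: int                           # port allocated on PUBLIC_IP
    peers: set = field(default_factory=set)    # outside (IP, port) endpoints this binding has sent to


class UdpNat:
    """Port-translating NAT whose inbound filtering follows one of the four behaviours."""

    def __init__(self, behaviour: str, first_port: int = 40000):
        if behaviour not in BEHAVIOURS:
            raise ValueError(behaviour)
        self.behaviour = behaviour
        self.next_port = first_port
        self.bindings = {}                     # mapping key -> Binding

    def _key(self, inside, outside):
        # A symmetric NAT allocates a separate public port for every (inside endpoint,
        # outside endpoint) pair; the three cone types reuse one port per inside endpoint.
        return (inside, outside) if self.behaviour == "symmetric" else inside

    def outbound(self, inside, outside):
        """Translate a datagram leaving the private network; returns the public (IP, port)."""
        key = self._key(inside, outside)
        b = self.bindings.get(key)
        if b is None:
            b = Binding(inside=inside, public_port=self.next_port)
            self.next_port += 1
            self.bindings[key] = b
        b.peers.add(outside)
        return (PUBLIC_IP, b.public_port)

    def inbound(self, outside, public_port):
        """Apply the filtering rule to a datagram from `outside` to (PUBLIC_IP, public_port).
        Returns the inside (IP, port) it is forwarded to, or None if the NAT drops it."""
        for b in self.bindings.values():
            if b.public_port != public_port:
                continue
            if self.behaviour == "full-cone":
                return b.inside                # anyone may send once the mapping exists
            if self.behaviour == "restricted-cone":
                if any(peer[0] == outside[0] for peer in b.peers):
                    return b.inside            # inside host has sent to that IP (any port)
            elif outside in b.peers:           # port-restricted-cone and symmetric:
                return b.inside                # exact (IP, port) must have been contacted
        return None


def probe(behaviour):
    """Constructed exchange: one inside host talks to a server, then several outside senders
    try the allocated port. Returns the differences an observer would see."""
    nat = UdpNat(behaviour)
    inside = ("192.168.32.10", 5000)
    server = ("198.51.100.7", 3478)
    public = nat.outbound(inside, server)
    results = {
        "reply from server": nat.inbound(server, public[1]),
        "same server, other port": nat.inbound((server[0], 3479), public[1]),
        "unrelated host": nat.inbound(("198.51.100.99", 53), public[1]),
    }
    second = nat.outbound(inside, ("198.51.100.8", 3478))
    results["same public port reused for a second peer"] = second[1] == public[1]
    return results


if __name__ == "__main__":
    for b in BEHAVIOURS:
        print(b, probe(b))
```

Running `probe` for each behaviour shows the progression the text describes: a full-cone NAT forwards the unrelated host's datagram, a restricted-cone NAT requires a matching source IP, a port-restricted-cone NAT requires the exact source IP and port, and a symmetric NAT additionally hands out a new public port for every peer, which is what makes it the hardest case for UDP hole-punching tools such as STUN.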
4 Security features
4.1 NAT and IPsec
NAT complicates IPsec. The IPsec Authentication Header (AH) is intended to prevent unauthorized modification, source spoofing, and man-in-the-middle attacks. NAT modifies IP packets in a way that cannot coexist with IPsec AH. AH produces a keyed hash over the entire IP packet using a message digest algorithm. If any covered field of the original IP packet is modified, the recipient discards the packet with an authentication failure, as shown in the following figure.
The IPsec Encapsulating Security Payload (ESP) also employs a message digest algorithm for packet authentication. Unlike AH, the hash created by ESP does not cover the IP header. When TCP or UDP is carried in transport-mode ESP, NAT modifies the packet's addresses and therefore must recalculate the TCP checksum used to verify integrity. If NAT updates the TCP checksum, ESP authentication fails. If NAT does not modify the checksum, TCP checksum verification fails unless that verification has been turned off at the endpoint. Either way, NAT tampers with end-to-end message integrity. For example, a standard IPsec virtual private network (VPN) tunnel will not deliver IPsec packets through NAT.
4.2 IPsec NAT Transparency
IPsec NAT Transparency (NAT-T) is required to allow remote-access users to build IPsec tunnels to home gateways; such gateways are called NAT IPsec-aware. Cisco now provides a NAT IPsec-aware solution. In practice, many issues remain to be solved. For example, IPsec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators.
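The mechanism of section 2 (rewrite the source address, regenerate the IP and TCP checksums) and the conflict with AH and transport-mode ESP described in section 4.1 can both be seen in one small packet-level experiment. The code below is an added example written for this page, not an IPsec implementation and not code from the paper: it builds an IPv4/TCP packet, performs the NAT rewrite, and then checks a toy AH-style integrity value (keyed hash over the IP header with the fields AH treats as mutable zeroed, plus the payload) and a toy transport-mode ESP-style value (keyed hash over the TCP segment only). The addresses, the shared key and the HTTP payload are constructed.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # shared integrity key for the toy AH/ESP checks (constructed)


def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) used by IPv4 and TCP. Returns 0 when `data` already
    carries a correct checksum, which is how the verifiers below work."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """The TCP checksum covers a pseudo-header holding both IP addresses, so it changes
    whenever NAT changes an address."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + segment)


def build_packet(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """IPv4 header (no options) + TCP header + data, with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def ip_checksum_ok(pkt: bytes) -> bool:
    return inet_checksum(pkt[:20]) == 0


def tcp_checksum_ok(pkt: bytes) -> bool:
    return tcp_checksum(socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[20:]) == 0


def nat_rewrite_source(pkt: bytes, new_src: str, fix_tcp: bool = True) -> bytes:
    """What a NAT router does to an outbound packet: replace the source address, regenerate
    the IP header checksum and, normally, the TCP checksum whose pseudo-header changed."""
    ip = pkt[:12] + socket.inet_aton(new_src) + pkt[16:20]
    ip = ip[:10] + b"\x00\x00" + ip[12:]
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    tcp = pkt[20:]
    if fix_tcp:
        tcp = tcp[:16] + b"\x00\x00" + tcp[18:]
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(new_src, socket.inet_ntoa(ip[16:20]), tcp)) + tcp[18:]
    return ip + tcp


def ah_icv(pkt: bytes) -> bytes:
    """AH-style integrity check value: keyed hash over the IP header with the mutable fields
    (TOS, flags/fragment offset, TTL, header checksum) zeroed, plus everything after it.
    The addresses are covered, so a NAT rewrite invalidates the value."""
    ip = bytearray(pkt[:20])
    ip[1] = 0
    ip[6:8] = b"\x00\x00"
    ip[8] = 0
    ip[10:12] = b"\x00\x00"
    return hmac.new(KEY, bytes(ip) + pkt[20:], hashlib.sha256).digest()


def esp_transport_icv(pkt: bytes) -> bytes:
    """Transport-mode ESP protects only the TCP segment, not the IP header."""
    return hmac.new(KEY, pkt[20:], hashlib.sha256).digest()


def demo() -> dict:
    """Sender behind NAT at 192.168.32.10, NAT public address 203.0.113.1 (both constructed)."""
    pkt = build_packet("192.168.32.10", "198.51.100.7", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    ah_sent, esp_sent = ah_icv(pkt), esp_transport_icv(pkt)
    natted = nat_rewrite_source(pkt, "203.0.113.1")                     # normal NAT behaviour
    natted_raw = nat_rewrite_source(pkt, "203.0.113.1", fix_tcp=False)  # NAT leaves TCP checksum alone
    return {
        "original checksums valid": ip_checksum_ok(pkt) and tcp_checksum_ok(pkt),
        "checksums valid after NAT": ip_checksum_ok(natted) and tcp_checksum_ok(natted),
        "AH verifies after NAT": hmac.compare_digest(ah_sent, ah_icv(natted)),
        "ESP verifies, NAT fixed TCP checksum": hmac.compare_digest(esp_sent, esp_transport_icv(natted)),
        "ESP verifies, NAT left TCP checksum": hmac.compare_digest(esp_sent, esp_transport_icv(natted_raw)),
        "TCP checksum valid, NAT left it": tcp_checksum_ok(natted_raw),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-40s %s" % (name, value))
```

The result is the dilemma from the text: after the rewrite both checksums are valid again (the NAT did its job), the AH value no longer matches because the address is covered, and for transport-mode ESP the NAT can either fix the TCP checksum and break the ESP value or leave it and break the receiver's TCP checksum check. The example assumes an IPv4 header without options; a real AH implementation covers the header exactly as RFC 2402 specifies, which this toy only approximates.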
5 Possible Attacks to NAT
There are four possible types of attack on NAT:
5.1 Source Spoofing
An attacker uses a fake source IP address to inject malicious packets into the network. All that is needed is one packet with an external source IP address, the public NAT address as destination IP, and the port number. By sending such malicious packets the attacker can bring down the server.
5.2 Host Counting
An attacker can use the “ID” field of the IP header. The ID field of IP packets is implemented as a sequential counter, and NAT boxes do not change it. So, by building sequences of IDs that match within reasonable gap and time bounds, one can infer the actual number of machines behind the NAT from a trace.
5.3 Fingerprinting
Every TCP/IP implementation is different, so every TCP/IP stack is unique: there are different default values for TTL (Time to Live), initial sequence numbers, flags, etc. By carefully studying the differences in these fields, it is possible to identify the operating system.
5.4 Network Mapping
Different techniques are used for mapping a network. One of them is ICMP TTL Exceeded: the attacker injects packets with low TTL values so that they expire inside the NAT, and the internal routers generate TTL Exceeded replies. The attacker uses these messages to map the internal network.
6 NAT Pros and Cons
Pros:
Hosts in a private network can share a limited number of public IP addresses.
Dynamic NAT is a natural firewall between the private network and public networks/the Internet: a computer on an external network cannot connect to your computer unless your computer initiated the contact.
Cons:
NAT breaks the end-to-end connectivity model and breaks applications based on NAT-sensitive protocols. Because NAT must recompute TCP checksums, it requires that the TCP header not be encrypted; for instance, the TCP checksum field cannot be modified in IPsec transport mode. Many application protocols, such as FTP, carry IP addresses inside the application-level protocol; in that case an Application-Level Gateway (ALG) is required to complete the translation.
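The FTP case mentioned above is the classic reason an ALG exists: the client's `PORT h1,h2,h3,h4,p1,p2` command carries its private address and listening port in the payload, so plain address translation leaves the server trying to connect to an unreachable private address. The code below is an added, simplified ALG written for this page (not code from the paper or from any NAT product). It rewrites the command to the NAT's public address, reserves a public port for the incoming data connection, and tracks the TCP sequence-number delta that a change in line length forces on the rest of the control connection. The public address 203.0.113.1 and the client 192.168.32.10 are constructed.

```python
import re

PUBLIC_IP = "203.0.113.1"     # NAT's registered address (constructed, RFC 5737 range)
# "PORT h1,h2,h3,h4,p1,p2": the client's IP and listening port, where port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def encode_port_args(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


class FtpPortAlg:
    """Simplified ALG for client->server FTP control traffic. A real NAT also records the
    sequence number at which each rewrite happened so only later segments are adjusted;
    this toy keeps one running delta per connection."""

    def __init__(self, first_port: int = 40000):
        self.next_port = first_port
        self.data_bindings = {}    # (PUBLIC_IP, public port) -> (private IP, private port)
        self.seq_delta = 0         # bytes the rewrites have added to the client's byte stream

    def rewrite(self, line: bytes):
        """Rewrite one control-channel line; returns (line to forward, length change)."""
        m = PORT_RE.match(line.decode("ascii", errors="replace"))
        if not m:
            return line, 0         # not a PORT command: forward unchanged
        h = m.groups()
        private = (".".join(h[:4]), int(h[4]) * 256 + int(h[5]))
        public_port = self.next_port   # reserve a public port for the server's data connection
        self.next_port += 1
        self.data_bindings[(PUBLIC_IP, public_port)] = private
        new = ("PORT %s\r\n" % encode_port_args(PUBLIC_IP, public_port)).encode("ascii")
        delta = len(new) - len(line)
        self.seq_delta += delta
        return new, delta

    def fix_seq(self, seq: int) -> int:
        """Client->server sequence numbers in later segments shift by the accumulated delta."""
        return (seq + self.seq_delta) & 0xFFFFFFFF

    def fix_ack(self, ack: int) -> int:
        """Server->client acknowledgements must be mapped back to the client's numbering."""
        return (ack - self.seq_delta) & 0xFFFFFFFF


def demo() -> dict:
    alg = FtpPortAlg()
    passthrough, d0 = alg.rewrite(b"USER anonymous\r\n")
    # constructed: client 192.168.32.10 listening on port 4*256+1 = 1025
    new, delta = alg.rewrite(b"PORT 192,168,32,10,4,1\r\n")
    return {
        "non-PORT line unchanged": passthrough == b"USER anonymous\r\n" and d0 == 0,
        "rewritten": new,
        "delta": delta,
        "data binding": alg.data_bindings[(PUBLIC_IP, 40000)],
        "client seq 1000 forwarded as": alg.fix_seq(1000),
        "server ack mapped back": alg.fix_ack(1000 + delta),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-30s %r" % (name, value))
```

Because the rewritten line is one byte longer, every later client segment must be forwarded with its sequence number advanced by one and every server acknowledgement mapped back, which is exactly why an ALG is more invasive than address translation alone and why protocols that carry addresses in encrypted or integrity-protected payloads cannot be helped this way.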
7 Conclusion
Technically, NAT acts as a firewall: dynamic NAT is a natural firewall between a private network and public networks/the Internet. But NAT is not designed as a firewall. NAT lets IPv4 addresses be reused, so hosts in a private network can share a limited number of public IP addresses. It also delays the deployment of IPv6, and it breaks the end-to-end connectivity model.
8 References
Jeff Tyson, How Network Address Translation Works. http://computer.howstuffworks.com/nat.htm
RFC 1631, The IP Network Address Translator (NAT). http://www.rfc-editor.org/rfc/rfc1631.txt
RFC 1918, Address Allocation for Private Internets.
Lisa Phifer, The Trouble with NAT.
Geoff Huston, Anatomy: A Look Inside Network Address Translators. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html
RFC 3022, Traditional IP Network Address Translator.
RFC 3489, STUN: Simple Traversal of UDP Through NATs.
Cisco, IPSec NAT Transparency. http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm#1035671
Microsoft Knowledge Base 885348, IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators. http://support.microsoft.com/kb/885348