draft-ietf-nat-protocol-complications-02.txt vs. draft-ietf-nat-protocol-complications-03.txt (text of the -03 revision follows)

NAT Working Group                                          Matt Holdrege
INTERNET-DRAFT                                                   ipVerse
Category: Informational                                   Pyda Srisuresh
                                                   Campio Communications
Expires in six months                                          July 2000

Protocol Complications with the IP Network Address Translator (NAT)
<draft-ietf-nat-protocol-complications-03.txt>

Status of this Memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026. Internet-Drafts are draft documents
valid for a maximum of six months and may be updated, replaced, or
obsoleted by other documents at any time. It is inappropriate to use
Internet-Drafts as reference material or to cite them other than as

[skipping to change at page 2, line 5]

issues with NAT in a single document. This document attempts to capture
as much information as possible. We hope this coverage provides
necessary clues for applications not covered by the document.

Table of Contents

1.0 Introduction
2.0 Protocols which require an ALG
3.0 Protocols which do not require an ALG
4.0 Routing Updates
5.0 Protocols which cannot work with NAT enroute
6.0 Protocols which may have complications with NAT
7.0 Other issues

[skipping to change at page 2, line 41]

Firewall. However, the ALG's that complement NAT must also be able to
recompose valid data in the payload, since they must change the address
(and perhaps port) information. This is because the application running
on a host machine is typically unaware of NAT and may populate messages
with addressing information as required by the application protocol, and
that addressing information may not be valid on the opposite side of the
NAT device.

One problem area is when a packet contains significant IP address or
port information in the payload of the packet rather than the header.
Protocols that use one connection to establish another data flow are
adversely impacted by NAT. In the next section we will attempt to
document standard protocols which have significant address information
in the payload of the packet.

Where this document mentions NAT, it is referring to Traditional NAT
rather than other NAT techniques.

IP Fragmentation can be a significant problem with NAT. It is not a
protocol problem per se; however, the difficulty it presents should be
examined. See draft-ietf-nat-traditional-03.txt and RFC 2663 for more
information on NAT and IP Fragmentation.

*NOTE* The authors wish to make it clear that this work is editorial in
nature. Input from the Internet society is requested in order to better
cover the range of applications that can be affected by NAT. This is a
work in progress.

2.0 Protocols which require ALG's

2.1 Single Session based protocols

2.1.1 RSVP

RSVP is positioned in the protocol stack at the transport layer,
operating on top of IP (either IPv4 or IPv6). However, unlike other
transport protocols, RSVP does not transport application data but
instead acts like other Internet control protocols (for example, ICMP,
IGMP, routing protocols). RSVP messages are sent hop-by-hop between
RSVP-capable routers as raw IP datagrams using protocol number 46. It is
intended that raw IP datagrams should be used between the end systems
and the first (or last) hop router. However, this may not always be
possible as not all systems can do raw network I/O. Because of this, it
is possible to encapsulate RSVP messages within UDP datagrams for
end-system communication. UDP-encapsulated RSVP messages are sent to
either

[skipping to change at page 4, line 4]

2. RSVP provides a means, the RSVP Integrity object, to guarantee the
integrity of RSVP messages. The problem is that because of the first
point, a NAT device must be able to change IP addresses within the RSVP
messages. However, when this is done, the RSVP Integrity object is no
longer valid as the RSVP message has been changed. Therefore an RSVP-ALG
will not work when the RSVP Integrity Object is used.

2.1.2 DNS

Domain Names are an issue for hosts which use local DNS servers behind a
NAT device. Such servers return site specific information which may
conflict with external domain addresses.

Zone transfers from private address realms to an external realm must be
avoided for address assignments that are not static. If primary and
backup name servers are in the same private domain, zone transfers do
not cross the realm and DNS_ALG support for zone transfer is not an
issue.

CHARACTERISTICS:

A. TCP/UDP based protocol.

B. Inverse name lookup queries embed the IP address in ASCII format. For
example, a resolver that wanted to find the hostname of an address
198.76.29.1 (externally assigned

[skipping to change at page 5, line 4]

DNS name to address mapping for hosts in the private domain should be
configured on an authoritative name server within the private domain.
This server would be accessed by external and internal hosts alike for
name resolutions. A DNS ALG would be required to perform address to name
conversions on DNS queries and responses.

Alternately, if there isn't a need for a name server within the private
domain, private domain hosts could simply point to an external name
server for external name lookup. No ALG is required when the name server
is located in the external domain.

RFC 2694 describes a technique for a DNS ALG.
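The inverse-lookup case above (the address embedded in ASCII in the QNAME) is the one a DNS ALG must rewrite on the query path. The following is an added example, not code from the draft or from RFC 2694: a minimal wire-format PTR query builder and an ALG function that maps the external address in the QNAME back to the private address; the mapping table and the private address 10.0.0.5 are constructed.

```python
"""Added example (not from the draft or RFC 2694): a DNS ALG rewriting the
address embedded in the QNAME of an inverse (PTR) query, which is carried
as ASCII labels (1.29.76.198.in-addr.arpa for 198.76.29.1).
The wire-format builder, the mapping table and the private address are
constructed for illustration.
"""
import struct

QTYPE_PTR, QCLASS_IN = 12, 1


def encode_name(labels: list[str]) -> bytes:
    """RFC 1035 name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_ptr_query(ip: str, qid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: 12-byte header, one question, no answers."""
    labels = ip.split(".")[::-1] + ["in-addr", "arpa"]
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(labels) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def parse_name(msg: bytes, off: int) -> tuple[list[str], int]:
    """Read an uncompressed name starting at off; return the labels and the
    offset just past the terminating zero byte."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return labels, off
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def translate_ptr_query(msg: bytes, external_to_private: dict[str, str]) -> bytes:
    """Rewrite the external address in a PTR QNAME to the private address it
    maps to, so the internal authoritative server can answer it. Anything
    that is not a 4-octet in-addr.arpa question is returned untouched.
    The message length may change, since label lengths depend on the digits
    of the address; a TCP-carried query would need its length prefix fixed."""
    labels, end = parse_name(msg, 12)
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return msg
    external_ip = ".".join(labels[3::-1])  # labels are in reverse octet order
    private_ip = external_to_private.get(external_ip)
    if private_ip is None:
        return msg
    new_name = encode_name(private_ip.split(".")[::-1] + labels[4:])
    return msg[:12] + new_name + msg[end:]
```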
2.1.3 SMTP

DESCRIPTION: SMTP is used by Internet email programs such as sendmail to
send TCP-based email messages to well known port 25.

CHARACTERISTICS:

A. SMTP is a TCP based protocol, based on a well known TCP port number
25.

B. In the majority of cases, mail messages do not contain reference to
private IP addresses or links to content data via names

[skipping to change at page 6, line 5]

must be redirected to the private host from its externally assigned
address. No special mapping is required when the Mail server is located
in the external domain.

The ability to trace the mail route may be hampered or prevented by NAT.
This can cause problems when debugging mail problems or tracking down
abusive users of mail.

ADDITIONAL INFO: RFC 821.

2.1.4 SIP

Description: SIP can run on either TCP or UDP, but by default on the
same port, 5060.

When used with UDP, a response to a SIP request does not go to the
source port the request came from. Rather, the SIP message contains the
port number the response should be sent to. SIP makes use of ICMP port
unreachable errors in the response to request transmissions. Request
messages are usually sent on the connected socket. If responses are sent
to the source port in the request, each thread handling a request would
have to listen on the socket it sent the request on. However, by
allowing responses to come to a single port, a single thread can be used
for listening instead.

[skipping to change at page 6, line 53]

Such a proxy would have a locally specific configuration.

2.1.5 RealAudio

DESCRIPTION: In its default mode, clients (say, in a private domain)
access TCP port 7070 to initiate conversation with a real-audio server
(say, located in an external domain) and to exchange control messages
during playback (ex: pausing or stopping the audio stream).

The actual audio traffic is carried on incoming UDP based packets
(originated from the server) directed to ports in the range of
6970-7170.

CHARACTERISTICS:

A. Real Audio has a TCP control session in one direction directed to a
well-known port (7070) and the UDP based audio session in the opposite
direction.

B. Audio session parameters are embedded in the TCP control session as
byte stream(?)

CONFIGURATION

You could have an ALG examine the TCP traffic to determine the audio
session parameters and selectively enable inbound UDP sessions for the
ports agreed upon in the TCP control session. Alternately, the ALG could
simply redirect all inbound UDP sessions directed to ports 6970-7170 to
the client address in the private domain.

For bi-Directional NAT, you will not need an ALG. Bi-directional NAT
could simply treat each of the TCP and UDP sessions as 2 unrelated
sessions and simply perform IP and TCP/UDP header level translations.

[skipping to change at page 7, line 55]

Note, the above issue with ASCII encoded address and port can occur with
other applications as well. Changing these numbers can change the size
of the overall packet. In rare cases, increasing the size of the packet
could cause it to exceed the MTU of a given transport link. The packet
would then have to be fragmented, which could affect performance. Or, if
the packet has the DF bit set, it would be ICMP rejected and the
originating host would then perform Path MTU Discovery. This could also
have an adverse effect on performance.

If the PROT command is used to secure the command channel, it will be
impossible for an ALG to update the IP addresses in the command
exchange.

Finally, section 4 of RFC 2428 describes how a new FTP port command
(EPSV) can be used to put a connection on a fast path through NAT.
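The size-change problem described above is concrete in FTP's PORT command, whose argument is the address and port in ASCII. The following is an added example, not code from the draft: an ALG that rewrites a PORT line for a private client, tracks the resulting byte delta so the NAT can adjust TCP sequence and acknowledgement numbers on later segments, and checks whether the grown packet would exceed the link MTU. The PORT syntax h1,h2,h3,h4,p1,p2 is from RFC 959; the mapping table, assigned port and sample commands are constructed.

```python
"""Added example (not from the draft): an FTP ALG rewriting the ASCII
address/port carried in a PORT command, tracking the byte delta this
creates so the NAT can adjust TCP sequence/ack numbers, and checking
whether the larger segment would now exceed the link MTU.

Assumptions: PORT argument syntax h1,h2,h3,h4,p1,p2 is from RFC 959;
the mapping table, assigned port and sample commands are constructed.
"""
import re

# PORT h1,h2,h3,h4,p1,p2 where the port is p1*256 + p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def encode_port_arg(ip: str, port: int) -> bytes:
    """Render ip:port in PORT syntax, e.g. 198,76,29,1,234,96 for port 60000."""
    octets = ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return ",".join(octets).encode("ascii")


def decode_port_arg(m: "re.Match[bytes]") -> tuple[str, int]:
    h = [int(x) for x in m.groups()]
    return ".".join(str(o) for o in h[:4]), h[4] * 256 + h[5]


class FtpAlg:
    """State for one FTP control connection (private client -> external
    server). The ALG rewrites PORT lines and remembers how many bytes it
    has added so far; the NAT applies that delta to TCP sequence numbers
    of later client segments and to acknowledgement numbers coming back."""

    def __init__(self, private_to_external: dict[str, str]):
        self.mapping = private_to_external
        self.seq_delta = 0       # cumulative bytes added (+) or removed (-)
        self.pinholes = []       # (external ip, port) the server may connect to

    def translate(self, line: bytes, assigned_port: int) -> bytes:
        """Rewrite one client->server command line; non-PORT lines pass through."""
        m = PORT_RE.match(line)
        if m is None:
            return line
        private_ip, _private_port = decode_port_arg(m)
        external_ip = self.mapping[private_ip]
        new_line = b"PORT " + encode_port_arg(external_ip, assigned_port) + b"\r\n"
        self.seq_delta += len(new_line) - len(line)
        self.pinholes.append((external_ip, assigned_port))
        return new_line

    def fix_client_seq(self, seq: int) -> int:
        """Client->server segments after the rewrite: the server has seen
        seq_delta more bytes than the client has sent."""
        return (seq + self.seq_delta) & 0xFFFFFFFF

    def fix_server_ack(self, ack: int) -> int:
        """Server->client ACKs count translated bytes; undo the delta."""
        return (ack - self.seq_delta) & 0xFFFFFFFF


def would_exceed_mtu(packet_len: int, delta: int, mtu: int) -> bool:
    """The growth case the draft describes: if the translated packet no longer
    fits the link MTU it must be fragmented, or, with DF set, it is rejected
    with ICMP and the sender falls back to Path MTU Discovery."""
    return packet_len + delta > mtu
```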
2.2.2 H.323

H.323 is complex, uses dynamic ports, and includes multiple UDP streams.
Here is a summary of the relevant issues:

An H.323 call is made up of many different simultaneous connections. At
least two of the connections are TCP. For an audio-only conference,
there may be up to 4 different UDP 'connections' made.

All connections except one are made to ephemeral (dynamic) ports.

Calls can be initiated from the private as well as the external domain.
For conferencing to be useful, external users need to be able to
establish calls directly with internal users' desktop systems.

The addresses and port numbers are exchanged within the data stream of
the 'next higher' connection. For example, the port number for the H.245
connection is established within the Q.931 data stream. (This makes it
particularly difficult for the ALG, which will be required to modify the

[skipping to change at page 9, line 4]

User A                                          User B

A establishes connection to B on well-
known Q.931 port (1720)
----------------------------------------------->
Q.931 Setup caller address = 88.88.88.88
            caller port = 1120
            callee address = 99.99.99.99
            callee port = 1720

<-----------------------------------------------
Q.931 Alerting

<-----------------------------------------------
Q.931 Connect H.245 address = 99.99.99.99
              H.245 port = 1092

User A establishes connection to User B at
99.99.99.99, port 1092
<---------------------------------------------->
Several H.245 messages are exchanged (Terminal
Capability Set, Master Slave Determination and
their respective ACKs)

<-----------------------------------------------
H.245 Open Logical Channel, channel = 257
      RTCP address = 99.99.99.99
      RTCP port = 1093

----------------------------------------------->
H.245 Open Logical Channel Ack, channel = 257
      RTP address = 88.88.88.88
      RTP port = 2002

[skipping to change at page 9, line 55]

Also note that if an H.323 Gateway resided inside a NAT boundary, the
ALG would have to be cognizant of the various gateway discovery schemes
and adapt to those schemes as well. Or, if just the H.323 host/terminal
was inside the NAT boundary and tried to register with a Gatekeeper, the
IP information in the registration messages would have to be translated
by NAT.

3.0 Applications which do not require ALG's

3.1 The X-Windowing System/Protocol:

DESCRIPTION: These applications are TCP based. However, the
client-server relationship with these applications is reversed compared
to most other applications. The X-server or Open-windows server is the
display/mouse/keyboard unit (i.e., the one that controls the actual
Windows interface). The clients are the application programs driving the
Windows interface.

Some machines run multiple X-Windows servers on the same machine. The
first X-windows server is at TCP port 6000. The first Open Windows
server can be at port 6000 or port 2000 (more flexible). We will refer
to X-windows mainly for illustration purposes here.

On a UNIX system, the csh DISPLAY command "setenv DISPLAY <hostname>:n",
where n >= 0, is used to tell clients to contact the X server on
<hostname> on TCP port (6000+n).

A common use of this application is people dialing in to corporate
offices from their X terminals at home.

CHARACTERISTICS:

A. X-Windows is a TCP based protocol, with the server servicing TCP
ports in the range of 6000 - 6000+n. Open-Windows is also a TCP based
protocol, with the server servicing TCP ports in the range of
6000 - 6000+n or 2000 - 2000+n.

B. The X-Windows applications are not expected to contain reference to
private IP addresses or links to content data via names that are not
visible to the outside. All the information required for Client-Server
communication is in the IP and TCP headers.

CONFIGURATION ISSUES:

When the X-Windows server (i.e., the machine that displays the X-Windows
on its console) runs in a private domain, we need to allow inbound
X-server access for the X terminals at home. I.e., users that need to
provide X-terminal access must have inbound access permissions. This can
be done statically or dynamically for private hosts.

In case of a NAPT setup, the individual X-Windows ports, namely 6000,
6001, 6002, 6003 and so on till (6000+n) on the external address, may be
statically redirected to different hosts running X-server.

For example, you could redirect inbound TCP sessions to <External
address>:6000 to <private Host A>, sessions to <External Address>:6001
to <private Host B>, and so on.

Telnet transmits IP addresses from the client to the server for the
purposes of setting the DISPLAY variable. When set, the DISPLAY variable
is used for subsequent connections from the X client on the host to an X
server on the workstation.

When START_TLS is used there may be client certificate verification
problems caused by NAT, depending on the information provided in the
certificate.

Xauth methods other than MIT-MAGIC-COOKIE-1 may prevent NAT from
altering the IP addresses of the X session.

Activision Games

DESCRIPTION: The goal of Activision Games is to work transparently
through traditional NAT devices. As such, the protocol described is
intended to be NAT friendly so game players within a private domain can
play with other players in the same domain or external domain.

All peers are somehow informed of each others' public and private
addresses, and each client opens up symmetrical direct connections to
each other and uses whichever address (private or external) works first.
The clients can then have a session directly with other clients, or they
can have a session with other clients via the gaming server.

CHARACTERISTICS:

A. Activision gaming protocol is proprietary and is based on UDP. The
server uses UDP port no. 21157.

B. The protocol is designed with keeping NAT and NAPT in mind. The game
players can be within the same private domain, in a combination of
multiple private domains and external domain.

C. The key is to allow the reuse of the tuple of the same (global
address, assigned UDP port) for initial connection to the game server
(helper) and the subsequent connection to the client. A game player is
recognized by one of (private address, UDP port) or (Assigned global

[skipping to change at page 12, line 5]

connections on the same assigned global address/port.

ADDITIONAL INFO:
http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat/97.html
http://newjersey1.activision.com/anet2
http://california3.activision.com/anet2
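Two NAPT behaviours the RealAudio CONFIGURATION paragraph and characteristic C above rely on can be made concrete in a small binding table: a static inbound redirect of the UDP 6970-7170 range to one private client, and reuse of a single (external address, port) binding for a private endpoint regardless of which remote peer it talks to. The following is an added example, not code from the draft or from either vendor; all addresses, ports and the table layout are constructed.

```python
"""Added example (not from the draft or any vendor): a minimal NAPT binding
table modelling the two behaviours the RealAudio and Activision sections
depend on: a static inbound redirect of the UDP 6970-7170 range to one
private client, and reuse of one (external address, port) binding for a
private endpoint whatever remote peer it talks to. All addresses, ports
and the table layout are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Napt:
    external_ip: str
    next_port: int = 60000
    # outbound bindings keyed on (proto, private ip, private port) only,
    # i.e. independent of the remote endpoint, so the port assigned for the
    # connection to the game server is reused toward other game clients
    bindings: dict = field(default_factory=dict)
    # inbound table: (proto, external port) -> (private ip, private port)
    inbound_map: dict = field(default_factory=dict)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate a private->external packet; return the 4-tuple as seen
        on the external side."""
        key = (proto, src_ip, src_port)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.inbound_map[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.external_ip, self.bindings[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Translate an external->private packet, or None if nothing maps it.
        The remote endpoint is not checked: that is what lets a second game
        client reach the binding created toward the game server, and it also
        means the binding accepts any external sender until it expires."""
        target = self.inbound_map.get((proto, dst_port))
        if target is None:
            return None
        return (src_ip, src_port, target[0], target[1])

    def redirect_range(self, proto, low, high, private_ip):
        """RealAudio-style static configuration: every inbound packet to
        ports low..high goes to the one private client on the same port.
        The ALG alternative in the draft would open only the ports actually
        negotiated on the TCP 7070 control session."""
        for port in range(low, high + 1):
            self.inbound_map[(proto, port)] = (private_ip, port)
```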
4.0 ROUTING UPDATES: 4.0 ROUTING UPDATES:
I-D Protocol Complications with NAT July 2000
Routing advertisement varies considerably based on the NAT flavor in Routing advertisement varies considerably based on the NAT flavor in
use. A traditional-NAT and bi-directional-NAT may advertise untranslated use. A traditional-NAT and bi-directional-NAT may advertise untranslated
external routes to the private realm. However, a Twice-NAT device must external routes to the private realm. However, a Twice-NAT device must
translate external routes (into their private realm address blocks), if translate external routes (into their private realm address blocks), if
it chooses to advertise those routes into private realm. it chooses to advertise those routes into private realm.
All flavors of NAT must refrain from advertising private realm routes All flavors of NAT must refrain from advertising private realm routes
into external realms. Instead, every NAT device must advertise (or be into external realms. Instead, every NAT device must advertise (or be
made apparent through static configuration of neighboring routers or made apparent through static configuration of neighboring routers or
some other means) the external address block it uses for mapping private some other means) the external address block it uses for mapping private
realm addresses. realm addresses.
5.0 Applications which cannot work with NAT enroute 5.0 Applications which cannot work with NAT enroute
5.1 IPsec 5.1 IPsec
Another class of problems with NAT is end-to-end security of packets. Another class of problems with NAT is end-to-end security of packets.
The IPsec AH standard [RFC 1826] is explicitly intended to detect what The IPsec AH standard [RFC 1826] is explicitly intended to detect what
NAT is good at, that is, altering the header of the packet. So when NAT NAT is good at, i.e., altering the header of the packet. So when NAT
alters the address information in the header of the packet, the alters the address information in the header of the packet, the
destination host receives the altered packet and begins verifying the AH destination host receives the altered packet and begins verifying the AH
integrity check value. The AH routines at this host will reject the integrity check value. The AH routines at this host will reject the
packet since the contents of the header have been altered: the source packet since the contents of the header have been altered: the source
and destination addresses are among the immutable fields AH covers. and destination addresses are among the immutable fields AH covers.
Depending on the configuration of the end host, the packet could be Depending on the configuration of the end host, the packet could be
simply dropped, or higher layer security activities could be started. simply dropped, or higher layer security activities could be started.
Other IPsec protocols with NAT complications: Other IPsec protocols with NAT complications:
ESP: Encrypts IP payload. In the case of TCP/UDP packets, this includes ESP: Encrypts IP payload. In the case of TCP/UDP packets, this includes
the checksum, which is computed over the source and destination IP the checksum, which is computed over the source and destination IP
addresses. When either IP address is changed, the corresponding TCP/UDP addresses. When either IP address is changed, the corresponding TCP/UDP
checksum must also be updated by NAT, but NAT cannot reach a checksum checksum must also be updated by NAT, but NAT cannot reach a checksum
inside the ESP payload. As a result, TCP/UDP packets encrypted using inside the ESP payload. As a result, TCP/UDP packets encrypted using
transport mode ESP cannot traverse a NAT device. transport mode ESP cannot traverse a NAT device. ESP tunnel mode can
work through NAT, because the inner IP header and the transport checksum
travel unchanged inside ESP. Transport mode ESP can work only if the
receiver ignores the TCP/UDP checksum (the UDP checksum may be disabled
in IPv4; the TCP checksum is mandatory, so this requires a non-standard
receiver).
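The two failure modes described above, as an added example that is not part of the draft: an AH-style integrity check over the IPv4 header with the mutable fields (TOS, flags/fragment offset, TTL, header checksum) zeroed, which survives a TTL decrement but not an address rewrite, and a TCP checksum over the pseudo-header, which a NAT can repair in the clear but not inside transport-mode ESP. The addresses, the key, and the use of HMAC-SHA256 truncated to 96 bits as the ICV are constructed for illustration and are not a specific AH transform.

```python
# Added example (not from the draft): why NAT breaks IPsec AH and ESP transport mode.
# Addresses, key and the simplified ICV construction are constructed for illustration.
import hashlib
import hmac
import socket
import struct

AH_KEY = b"constructed-demo-key"  # constructed; a real SA key would come from IKE
SRC_PRIVATE = "10.0.0.5"          # host behind the NAT
SRC_GLOBAL = "203.0.113.1"        # address the NAT substitutes for it
DST = "198.51.100.7"              # IPsec peer on the public side


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (no options), protocol 51 = AH, header checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(key: bytes, ip_hdr: bytes, payload: bytes) -> bytes:
    """AH-style ICV: HMAC over the IP header with the mutable fields zeroed, plus payload.
    Source/destination addresses are immutable fields and therefore covered."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                # TOS
    hdr[6:8] = b"\x00\x00"    # flags + fragment offset
    hdr[8] = 0                # TTL
    hdr[10:12] = b"\x00\x00"  # header checksum
    return hmac.new(key, bytes(hdr) + payload, hashlib.sha256).digest()[:12]


def ah_verifies_after_hop() -> bool:
    """A router decrements TTL (mutable field): the ICV still verifies."""
    payload = b"AH-protected data"
    sent = ah_icv(AH_KEY, ipv4_header(SRC_PRIVATE, DST, 64, len(payload)), payload)
    seen = ah_icv(AH_KEY, ipv4_header(SRC_PRIVATE, DST, 63, len(payload)), payload)
    return hmac.compare_digest(sent, seen)


def ah_verifies_after_nat() -> bool:
    """NAT rewrites the source address (immutable field): the ICV no longer verifies."""
    payload = b"AH-protected data"
    sent = ah_icv(AH_KEY, ipv4_header(SRC_PRIVATE, DST, 64, len(payload)), payload)
    seen = ah_icv(AH_KEY, ipv4_header(SRC_GLOBAL, DST, 63, len(payload)), payload)
    return hmac.compare_digest(sent, seen)


def tcp_pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)


def tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """TCP header (no options) with checksum computed over pseudo-header + segment."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    seg = hdr + payload
    csum = inet_checksum(tcp_pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header + segment must come out to zero."""
    return inet_checksum(tcp_pseudo_header(src, dst, len(seg)) + seg) == 0


def nat_fix_checksum(new_src: str, dst: str, seg: bytes) -> bytes:
    """What a NAT does to a cleartext segment: recompute the checksum for the new pair."""
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    csum = inet_checksum(tcp_pseudo_header(new_src, dst, len(zeroed)) + zeroed)
    return zeroed[:16] + struct.pack("!H", csum) + zeroed[18:]


# Constructed segment sent by the private host before any translation.
SEG = tcp_segment(SRC_PRIVATE, DST, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")


def cleartext_tcp_through_nat() -> bool:
    """NAT can see and fix the checksum, so the receiver accepts the segment."""
    return tcp_checksum_ok(SRC_GLOBAL, DST, nat_fix_checksum(SRC_GLOBAL, DST, SEG))


def esp_transport_tcp_through_nat() -> bool:
    """Transport-mode ESP: the segment is encrypted, so NAT can only rewrite the outer
    address; the receiver decrypts the unchanged segment and checks it against the
    translated pair, and the checksum fails."""
    return tcp_checksum_ok(SRC_GLOBAL, DST, SEG)


def esp_tunnel_tcp_through_nat() -> bool:
    """Tunnel-mode ESP: the inner IP header travels encrypted with the segment, so the
    receiver checks the checksum against the inner (untranslated) addresses."""
    return tcp_checksum_ok(SRC_PRIVATE, DST, SEG)
```

`ah_verifies_after_hop()` returns True and `ah_verifies_after_nat()` False: only the TTL change is tolerated, because AH deliberately excludes the fields routers are allowed to touch and nothing else. For transport-mode ESP a NAT would have to see inside the encrypted payload to do what `nat_fix_checksum` does in the clear, which is exactly what ESP prevents; the tunnel-mode function passes because the checksum is validated against the inner header, not the rewritten outer one.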
IKE: Potentially passes IP addresses during Main, Aggressive and Quick IKE: Potentially passes IP addresses during Main, Aggressive and Quick
Modes. In order for a negotiation to correctly pass through a NAT, these Modes. In order for a negotiation to correctly pass through a NAT, these
payloads would need to be modified. However, these payloads are often payloads would need to be modified. However, these payloads are often
protected by a hash or obscured by encryption. protected by a hash or obscured by encryption. Because of IKE
rekeying behavior, it is necessary for implementations to float their
IKE source port in order to enable NAT to demux incoming rekeys, which
may not use the same cookies as earlier traffic.
5.2 Kerberos
Kerberos tickets are encrypted. Therefore, an ALG cannot work. The
ticket contains a list of IP addresses from which the ticket is to be
considered valid. The list is generated by the client machine, not the
KDC. If the services being accessed with Kerberos authentication are on
the public side of the NAT, then the Kerberos authentication will fail
because the IP address used by the NAT is not in the list of acceptable
addresses.
6.0 Protocols which are suspected to have complications (but further 6.0 Protocols which are suspected to have complications (but further
study is required.) study is required.)
Rlogin/rsh ONC/RPC/NFS Kerberos Rlogin/rsh ONC/RPC/NFS
7.0 Other Issues 7.0 Other Issues
If IP addresses are contained in the data payload of the packet, then If IP addresses are contained in the data payload of the packet, then
NAT may make those addresses irrelevant. For example, within SNMP NAT may make those addresses irrelevant. For example, within SNMP
configuration packets, the payload may contain router configuration configuration packets, the payload may contain router configuration
items which are IP addresses. If such a packet transits NAT to another items which are IP addresses. If such a packet transits NAT to another
IP address domain they will be incorrect. Network Admins should take IP address domain they will be incorrect. Network Admins should take
care to not send such packets across NAT. The same goes for IP addresses care to not send such packets across NAT. The same goes for IP addresses
sent within emails. They will lose their meaning when sent through NAT. sent within emails. They will lose their meaning when sent through NAT.
8.0 8.0
Authors Addresses: Authors Addresses:
Matt Holdrege Matt Holdrege
Lucent Technologies ipVerse
1701 Harbor Bay Parkway 223 Ximeno Ave.
Alameda, CA 94502 Long Beach, CA 90803
Voice: (510) 769-6001 EMail: matt@ipverse.com
EMail: holdrege@lucent.com
Pyda Srisuresh Pyda Srisuresh
Campio Communications Campio Communications
630 Alder Drive 630 Alder Drive
Milpitas, CA 95035 Milpitas, CA 95035
U.S.A. U.S.A.
Voice: (408) 519-3849 Voice: (408) 519-3849
EMail: srisuresh@yahoo.com EMail: srisuresh@yahoo.com
9.0 References 9.0 References
NAT RFC 2663, NAT Terminology and Considerations NAT RFC 2663, NAT Terminology and Considerations
H.323 ITU-T SG16 H.323, Intel white paper, H.323 and draft-ietf-nat-traditional-03.txt
Firewalls; Dave Chouinard, John Richardson, Milind Khare (with further
assistance from Jamie Jason). H.323 ITU-T SG16 H.323, Intel white paper, H.323 and Firewalls; Dave
Chouinard, John Richardson, Milind Khare (with further assistance from
Jamie Jason).
SMTP RFC 821 SMTP RFC 821
FTP RFC 959 FTP RFC 959
SIP RFC 2543 SIP RFC 2543
X-Windows RFC 1198 X-Windows RFC 1198
RSVP RFC 2205 RSVP RFC 2205
RealAudio http://www.real.com/firewall/packetfil.html RealAudio http://www.real.com/firewall/packetfil.html
DNS RFC 1034, RFC 1035, RFC 2694 DNS RFC 1034, RFC 1035, RFC 2694
IPsec RFC 2411, RFC 2709 IPsec RFC 2411, RFC 2709
 End of changes. 

This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/