This feature is one of the STP enhancements that Cisco created. It enhances switched network reliability, manageability, and security.

Prerequisites

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

Feature Description

The standard STP does not provide any means for the network administrator to securely enforce the topology of the switched Layer 2 (L2) network.
Published (Last): 23 December 2011
One very popular use of VPNs is to provide telecommuter access to the corporate Intranet. This document describes known incompatibilities between NAT and IPsec, and describes the requirements for addressing them. Please note that the requirements specified in this document are to be used in evaluating protocol submissions.
As such, the requirements language refers to capabilities of these protocols; the protocol documents will specify whether these features are required, recommended, or optional. For example, requiring that a protocol support confidentiality is not the same thing as requiring that all protocol traffic be encrypted.
These incompatibilities will therefore be present in any NAPT device. Included in this category are problems in handling inbound or outbound fragments. However, since the implementation problems appear to be widespread, they need to be taken into account in a NAPT traversal solution. Ironically, this "helper" functionality creates further incompatibilities, making an already difficult problem harder to solve. While IPsec traversal "helper" functionality is not present in all NAPTs, these features are becoming sufficiently popular that they also need to be taken into account in a NAPT traversal solution.
Since the AH header incorporates the IP source and destination addresses in the keyed message integrity check, NAT or reverse NAT devices making changes to address fields will invalidate the message integrity check. TCP and UDP checksums have a dependency on the IP source and destination addresses through inclusion of the "pseudo-header" in the calculation.
As a result, where checksums are calculated and checked upon receipt, they will be invalidated by passage through a NAT or reverse NAT device. Thus, checksum verification only provides assurance against errors made in internal processing. In either case, it is necessary to verify that the proposed identifier is authenticated as a result of processing an end-entity certificate, if certificates are exchanged in Phase 1.
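The pseudo-header dependency described above, as an added example that is not part of the RFC: a UDP checksum computed over a constructed segment, the same check failing once a NAPT rewrites the source address without touching the checksum, and the recomputation a NAPT can only perform when the transport header travels in the clear (in ESP transport mode that header is encrypted, so the receiver sees the stale checksum). All addresses, ports and payload are constructed.

```python
import socket
import struct

# Constructed sample: a private client behind a NAPT talking to a VPN gateway.
CLIENT_IP, NAPT_IP, GATEWAY_IP = "10.0.0.5", "198.51.100.7", "203.0.113.1"


def ones_complement_sum(data: bytes) -> int:
    """Fold 16-bit words into a one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header (src, dst, zero, proto, length)
    plus the segment with its own checksum field zeroed (RFC 768)."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF  # a computed zero is transmitted as all ones


def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Assemble a UDP segment whose checksum is valid for these addresses."""
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = udp_checksum(src_ip, dst_ip, segment)
    return segment[:6] + struct.pack("!H", csum) + segment[8:]


def verify_udp(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver-side check using the addresses seen in the outer IP header."""
    stored = struct.unpack("!H", segment[6:8])[0]
    return stored == udp_checksum(src_ip, dst_ip, segment)


def napt_rewrite(segment: bytes, new_src_ip, dst_ip, new_sport) -> bytes:
    """What a NAPT must do to a cleartext segment: swap the source port and
    recompute the checksum for the new pseudo-header. It cannot do this when
    the UDP header is inside ESP, which is why the receiver's check fails."""
    rewritten = struct.pack("!H", new_sport) + segment[2:]
    csum = udp_checksum(new_src_ip, dst_ip, rewritten)
    return rewritten[:6] + struct.pack("!H", csum) + rewritten[8:]


if __name__ == "__main__":
    seg = build_udp(CLIENT_IP, GATEWAY_IP, 4000, 4000, b"constructed payload")
    print(verify_udp(CLIENT_IP, GATEWAY_IP, seg))   # True: untouched
    print(verify_udp(NAPT_IP, GATEWAY_IP, seg))     # False: address changed
    print(verify_udp(NAPT_IP, GATEWAY_IP, napt_rewrite(seg, NAPT_IP, GATEWAY_IP, 60001)))
```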
Thus responders must be able to accept IKE traffic from a UDP source port other than , and must reply to that port. Care must be taken to avoid unpredictable behavior during re-keys. If the floated source port is not used as the destination port for the re-key, the NAT may not be able to send the re-key packets to the correct destination. The responder could then send packets down the wrong IPsec SA. This occurs because to the responder, the IPsec SAs appear to be equivalent, since they exist between the same endpoints and can be used to pass the same traffic.
However, since the outgoing and incoming SPIs are chosen independently, there is no way for the NAT to determine what incoming SPI corresponds to what destination host merely by inspecting outgoing traffic. Note that this is not an incompatibility with IPsec per se, but rather with the way it is typically implemented. It is also possible for the receiving host to allocate a unique SPI to each unicast Security Association.
In this case, the Destination IP Address need only be checked to see if it is "any valid unicast IP for this host", not checked to see if it is the specific Destination IP address used by the sending host. Using this technique, the NAPT can be assured of a low but non-zero chance of forwarding packets to the wrong internal host, even when two or more hosts establish SAs with the same external host. To address this issue, it is necessary to install ALGs on the host or security gateway that can operate on application traffic prior to IPsec encapsulation and after IPsec decapsulation.
NAPTs often require an initial outbound packet to flow through them in order to create an inbound mapping state. Thus, even where IKE packets can be correctly translated, the translation state may be removed prematurely. However, proper translation of outgoing packets that are already fragmented is difficult and most NAPTs do not handle this correctly.
As noted in Section 6. Since the destination host relies on the fragmentation identifier and fragment offset for reassembly, the result will be data corruption. Few NAPTs protect against identifier collisions by supporting identifier translation. Since a fragment can be as small as 68 octets [RFC], there is no guarantee that the first fragment will contain a complete TCP header.
Since fragments can be reordered, and IP addresses can be embedded and possibly even split between fragments, the NAPT will need to perform reassembly prior to completing the translation. Few NAPTs support this. Since fragments can be reordered, the headers to a given fragment identifier may not be known if a subsequent fragment arrives prior to the initial one, and the headers may be split between fragments.
As a result, the NAPT may need to perform reassembly prior to completing the translation. Few NAPTs support this. However, it is possible for the IPsec or IKE headers to be split between fragments, so that reassembly may still be required. As with source-port de-multiplexing, IKE cookie de-multiplexing results in problems with re-keying, since Phase 1 re-keys typically will not use the same cookies as the earlier traffic.
In order to enable deployment in the short term, it is necessary for the solution to work with existing router and NAPT products within the deployed infrastructure. Telecommuters may use the same private IP address, each behind their own NAPT, or many telecommuters may reside on a private network behind the same NAPT, each with their own unique private address, connecting to the same VPN gateway.
In this design, IPsec security gateways connecting portions of the corporate network may be resident in the DMZ and have private addresses on their external DMZ interfaces. For example, NAPTs may be deployed within branch offices connecting to the corporate network, with an additional NAPT connecting the corporate network to the Internet.
SCTP supports multi-homing. Recently [AddIP] has been proposed which allows the modification of the IP address once an association is established. This implies, for example, that dynamic allocation of IKE or IPsec destination ports is to be avoided. In this situation, it is not possible to assume that only a single host is communicating with a given destination at a time.
Note that while this implies initiation of IKE to port , there is no requirement for a specific source port, so that UDP source port may or may not be used. For example, an acceptable solution must demonstrate that it introduces no new denial of service or spoofing vulnerabilities. However, the requirements for successful traversal are sufficiently limited so that a more general solution is needed: 1 IPsec ESP.
IPsec ESP tunnels do not cover the outer IP header within the message integrity check, and so will not suffer Authentication Data invalidation due to address translation. IPsec tunnels also need not be concerned about checksum invalidation.
Most current IPsec tunnel mode implementations do not perform source address validation so that incompatibilities between IKE identifiers and source addresses will not be detected. This introduces security vulnerabilities as described in Section 5.
IPsec tunnel mode clients can negotiate "any to any" SPDs, which are not invalidated by address translation. This effectively precludes use of SPDs for the filtering of allowed tunnel traffic. Since the NAT will not need to arbitrate between competing clients, there is also no risk of re-key mis-translation, or improper incoming SPI or cookie de-multiplexing.
When certificate authentication is used, IKE fragmentation can be encountered. This can occur when certificate chains are used, or even when exchanging a single certificate if the key size, or the size of other certificate fields (such as the distinguished name and other extensions), is large enough. However, when pre-shared keys are used for authentication, fragmentation is less likely.
Most VPN sessions typically maintain ongoing traffic flow during their lifetime, so that UDP port mappings are less likely to be removed due to inactivity. It is thus suitable for use in enterprises, as well as home networking scenarios.
As a result, interoperability with existing IPsec implementations is not assured. However, for vendors, implementation of RSIP requires a substantial fraction of the resources required for IPv6 support.
Thus, RSIP solves a "transitional" problem on a long-term time scale, which is not useful. While 6to4 is an elegant and robust solution where a single NAPT separates a client and VPN gateway, it is not universally applicable. For example, a NAPT with a private address on its external interface cannot be used by clients behind it to obtain an IPv6 prefix via 6to4.
While 6to4 requires little additional support from hosts that already support IPv6, it does require changes to NATs, which need to be upgraded to support 6to4. As a result, 6to4 may not be suitable for deployment in the short term.

Security Considerations

By definition, IPsec-NAT compatibility requires that hosts and routers implementing IPsec be capable of securely processing packets whose IP headers are not cryptographically protected.
A number of issues arise from this that are worth discussing. However, it should be noted that ESP with null encryption does not provide the same security properties as AH. In addition, since ESP with any transform does not protect against source address spoofing, some sort of source IP address sanity checking needs to be performed. The importance of the anti-spoofing check is not widely understood.
This ensures that the packet originates from the same address as that claimed within the original IKE Phase 1 and Phase 2 security associations. When a receiving host is behind a NAT, this check might not strictly be meaningful for unicast sessions, whereas in the Global Internet this check is important for tunnel-mode unicast sessions to prevent a spoofing attack described in [AuthSource], which can occur when access controls on the receiver depend upon the source IP address of verified ESP packets after decapsulation.
IPsec-NAT compatibility schemes should provide anti-spoofing protection if they use source addresses for access controls. Hosts A and C may have different privileges; for example, host A might belong to an employee trusted to access much of the corporate Intranet, while C might be a contractor only authorized to access a specific web site.
If authentication and integrity checking is performed, but no anti-spoofing check is made to verify that the originating IP address corresponds to the SPI, then host C may be allowed to reach parts of the network that are off limits.
The problem with using a single, physical path for production and management traffic is that business-related application traffic is forced to compete for the same resources as the traffic that administers, monitors, and supports the network. Management traffic makes up a significant portion of traffic, rising as network devices and servers alert management systems to issues in the network. In fact, management traffic can significantly impact application traffic, using approximately percent of available bandwidth during normal operating conditions depending on the amount of monitoring configured for the network. When problems are present within the network, management traffic and production traffic can increase to a level that significantly degrades or interrupts management and application traffic. Connecting to and repairing a problem on an offending device requires the administrator to use this same, degraded network to attempt to fix the problem. They are usually standard in many organizations.
Management Networks Wp
Which statements correctly identify the role of intermediary devices in the network? Choose three. Select the statements that are correct concerning network protocols. What are two functions of encapsulation? Choose two. What is a primary function of the trailer information added by the data link layer encapsulation? What is a PDU?
RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements