[tcpm] TCP-AO: A position on NAT-T support

"Gregory M. Lebovitz" <gregory.ietf@gmail.com> Sat, 30 August 2008 01:45 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [] (localhost []) by core3.amsl.com (Postfix) with ESMTP id 6064F3A6B1D; Fri, 29 Aug 2008 18:45:54 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id AD1273A6A49 for <tcpm@core3.amsl.com>; Fri, 29 Aug 2008 18:45:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.984
X-Spam-Level: *
X-Spam-Status: No, score=1.984 tagged_above=-999 required=5 tests=[AWL=-2.784, BAYES_40=-0.185, J_CHICKENPOX_23=0.6, J_CHICKENPOX_33=0.6, TVD_STOCK1=3.753]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id v8+NA+iXtLcq for <tcpm@core3.amsl.com>; Fri, 29 Aug 2008 18:45:52 -0700 (PDT)
Received: from wa-out-1112.google.com (wa-out-1112.google.com []) by core3.amsl.com (Postfix) with ESMTP id C9D523A6B2B for <tcpm@ietf.org>; Fri, 29 Aug 2008 18:45:50 -0700 (PDT)
Received: by wa-out-1112.google.com with SMTP id k34so637262wah.25 for <tcpm@ietf.org>; Fri, 29 Aug 2008 18:45:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:x-mailer:date:to:from:subject :mime-version:content-type:message-id; bh=SALo4q75L6GSZ9ehCO2BpvKYJVs5eoO9BK6xU01D27M=; b=ccy6/D5Hxb8IA0Eoa4HwtEJIkwJMcOcyOePYXB3qv5UVw6ZBTwL1uQlmdDbqjaeaaP SNfac3Qd8hnhnHvlZsMOkbJ5FKQX6LZHiCw6JOt7NMH+iH/vEe794GB5HjUlWGDIjccP FSZONFP/3RXcwer/it6OfjDr4n6dK7HOBjnXI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=x-mailer:date:to:from:subject:mime-version:content-type:message-id; b=kuVJ6g5EJjURJcYdXRtmFudpt1HSe/bsyPzNXb6S+KXhOCUQz0ovKvVDJnwILChbtp CVdKL9WL4mGC+aSF8yEzfzlXYVYeu6gl6xFV03dkl07YbldnpPhAsBJ31Hja4GYclHz+ t96YU+clljOXcpuc3j6TQ7uDpvcPPeBBkleJM=
Received: by with SMTP id i8mr3258429wah.194.1220060753254; Fri, 29 Aug 2008 18:45:53 -0700 (PDT)
Received: from Gregory-T60.gmail.com ( []) by mx.google.com with ESMTPS id j28sm4024579waf.18.2008. (version=SSLv3 cipher=RC4-MD5); Fri, 29 Aug 2008 18:45:52 -0700 (PDT)
X-Mailer: QUALCOMM Windows Eudora Version
Date: Fri, 29 Aug 2008 18:45:48 -0700
To: tcpm@ietf.org
From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
Mime-Version: 1.0
Message-ID: <48b8a650.1cba720a.6f95.27a7@mx.google.com>
Subject: [tcpm] TCP-AO: A position on NAT-T support
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

The question about whether or not TCP-AO should be designed for 
NAT/NAPT traversal (NAT-T) has been bandied about some on the list. 
My position: we SHOULD NOT design to support NAT-T. If NAT-T is a 
requirement for an application, then TCP-AO is the wrong choice for 
authentication protection. The application will need to be tunneled 
over IPsec using IKE+ESP. The logic for this position follows.

1. NAT-T Support is an Appropriate Requirement
NATs exist. We may not want or like them, but they are there in the 
network. Applications want to fulfill the simultaneous requirements 
of being confidential and authenticated AND traversing NATs. The 
standards must allow for the apps to do both simultaneously. On its 
own, the requirement is sane and healthy.

2. Not Every Protocol MUST Fill Every Requirement
The IETF MUST give every app a way to simultaneously traverse NATs 
AND be authenticated. However, it does not necessarily follow that 
every protocol must have a way to simultaneously provide apps with 
NAT-T and authentication. As long as at least one or more protocols 
does allow a specific app to accomplish NAT-T + Authentication, we 
have succeeded. In other words, we need not burden every protocol 
with every use case. In the case of TCP connections, IKE+ESP can 
simultaneously provide NAT-T and Authentication, though at a costs of 
more processing and layering and configuration complexity.

3. Designing for NAT-T in TCP-AO without tunneling MAY be impossible
Supporting NAT-T means we design with the expectation that IP's and 
ports will be changed in flight. However, we do not relax other 
security requirements like replay protection. We need to solve for 
both inter-connection replay attacks and intra-connection replay 
attacks. In order to do this, we need to compute the integrity MAC 
across something that includes message uniqueness at time "T", and do 
so in a way that it would be almost impossible for the uniqueness to 
be duplicated at some other time T-n. Today in AO we are going to use 
Initial Sequence Numbers combined with Extended Sequence Numbers and 
a MAC over the 5 tuple to ensure uniqueness of the session. In 
essence, we use I/ESNs + src/dst IP + proto + src/dst Port as a 
"connection ID". In order to support NAT-T we must remove src/dst IP 
+ src/dst Port from this calculation, because they may change after 
NATing. What do we replace it with? After reviewing the few options 
that do not include tunneling, one concludes that a fairly large (8 
octets in ESP's case) unique Connection_ID integer is required to be 
included in the Option header, covered by the MAC, along with 
something else connection specific, like ISN. However, due to size 
constraints on TCP Option header lengths, most agree we cannot afford 
8 octets for a Connection_ID field unless we also agree to change the 
size of the Data Offset field itself in the TCP header. changing TCP 
header fields is too big a hassle to be practically considered; the 
cost-benefit analysis makes no sense in this case.

4. Tunneling Works, and a Specification Exists
If we can't change the bits in AO to allow for NAT-T directly, then 
we fall back to creating a tunneling mechanism. In a tunneling 
mechanism we MAC over the original IPs/Proto/Ports, and then we 
encapsulate all that into another header that we know will easily get 
through NATs, like UDP. We negotiate all this using a Key Management 
Protocol (KMP). This would give us something like 
APP-in-TCP-in-IP-in-FOO-in-IP. We process the MAC over the inner 
packet and its 5-tuple, and leave the outer FOO-IP untouched. And it 
works; NAT won't break things and we get integrity checking that 
allows us to leverage the 5-tuple for connection identification 
uniqueness. The downside is that the tunnel adds a processing stack 
layer above the original solution, and complexity to the overall 
configuration. The routing community has been averse to adding 
another stack above the BGP-TCP, given that processing models for 
BGP-TCP are now so well understood and so highly tuned on networking 
devices. And it has been averse to the added complexity of the 
tunneling mechanism. Should we conquer the tunneling aversion, we 
already have a specified way to do integrity checks with a NAT-T 
supporting tunneling mechanism: IKE+ESP with NULL-encryption. Since 
we have a solution to the "create-a-tunnel" problem already, we need 
not create another one.

5. Summary of Options to support NAT-T
  - Add Connection_ID field to AO and make the required change to the 
Data Offset field in the TCP header. There appears to be VERY little 
appetite for this option.
  - Tunnel the IP+TCP in something in deployments where you need 
NAT-T. In this case, employ tunnel and integrity check using IKE+ESP-NULL.

6. Recommendation:
Do nothing wrt NAT-T support in TCP-AO. Add a section to TCP-AO spec 
instructing those needing NAT-T to either tunnel in IKE + ESP-NULL, 
or re-architect to remove the NAT and use TCP-AO.



IETF-related email from
Gregory M. Lebovitz
Juniper Networks
g r e go r  y d o t  i e tf a t  g m a i l  do t c o  m 

tcpm mailing list