NAT Working Group NEC USA INTERNET-DRAFT Jeffrey Lo Category: Informational K.Taniguchi Expire in six months November,1998 IP Host Network Address (and Port) Translation Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). Abstract Network Address Translation has become a popular technique that allows private addresses unregistered with Internet Assigned Number Authority (IANA) to be used by organizations within a private routing realm. These private addresses must not be advertised in the public Internet. Hence network address translator (NAT) are placed at the private routing realm border to translate private addresses to globally unique addresses and vice versa before packets are exchanged between the disparate routing realms. These modifications of the packet header by the NAT cause problems with the use of end-to-end security protocols such as IPSec and DNSSEC because network address translation does exactly what the security protocols are trying to prevent. Host Network Address Translation (HNAT) and Host Network Address Port Translation (NAPT), on the other hand, enable end hosts to carry out address (and port) translations before applying security algorithms. To make dynamic HNAT and HNAPT possible, three conditions are essential. First, there must exist a way for end hosts to discover the IP address of Host-NA(P)T-Server. Second, there must be a way for externally destined packets to be routed in the private domain between the Host -NA(P)T-Client and Host-NA(P)T-Server. Lastly, Host-NA(P)T-Client must be able to obtain an address (and port) binding from the Host-NA(P)T -Server dynamically. This draft aims to address these issues to a Jeffrey Lo, K.Taniguchi [page 1] Internet Draft Host Network Address (and Port) Translation November 1998 considerable extent. Methods suggested are by no means exhaustive in coverage and implementation specifics may vary from vendor to vendor. 1. Introduction NAT itself takes several flavors, including traditional NAT (basic NAT and Network Address Port Translation (NAPT)), Two-way NAT, Twin NAT, Host NAT and Host NAPT [1]. Traditional NAT only allows outbound session from private to public domains. While basic NAT uses one to one mapping at the private domain border, NAPT allows many private addresses to one global address mapping by utilizing transport level port information, e.g. TCP port and UDP port [2]. In addition to outbound session, two-way NAT also enables inbound session from public to private network. Twin NAT are used in cases when there is an overlap of address assignment between the disparate domains by changing both the source and destination fields. Host NAT and NAPT allow network address (and port) translation to be done by the Host-NA(P)T-Client hence eliminating the traditional NAT limitation of having to do the translation at the border of the private realm. By using host NAT and NAPT, communicating host are able to exercise end to end security by doing the address (and port) translation before applying security mechanism. This solves the problem of using security mechanisms such as IPSec and DNSSEC in NAT environment. Applications relaying IPv4 addresses and port information in the payload of their messages may find HNAT a valuable alternative to having application specific application-level-gateway (ALG) on the NAT. In a static HNAT and HNAPT environment, each host-NA(P)T-client needing to establish end-to-end sessions with an entity outside the private routing realm are statically assigned global addresses (and port). After performing the necessary address (and port) translation, packets are tunneled to the Host-NA(P)T-Server by encapsulating it within an internally addressed header. Host-NA(P)T-Server removes the tunneling header before forwarding the packet to the external realm. In a dynamic environment, in addition to the requirement of routing externally destined packets within the private domain which could be handled by tunneling as proposed in [1], Host-NA(P)T-Client must be able to discover IP addresses of Host-NA(P)T-Servers attached to the private realm. This information could be manually or automatically configured. A scheme has to be devised for automatic configuration to be possible. Host-NA(P)T-Client must also be able to obtain an address (and port) binding from the Host-NA(P)T-Server dynamically through a light weight protocol that enables not only address but port negotiation. We propose Dynamic Bindings Acquisition Protocol (DBAP) to serve this purpose. 2. Terminology Address Manager An entity responsible for global address and port assignment to Host- Jeffrey Lo, K.Taniguchi [page 2] Internet Draft Host Network Address (and Port) Translation November 1998 NAT-Client. The address manager also maintains a private-global address and port mapping of all bindings and other related parameters such as maximum leased time of the binds. External Entity An entity physically located within a globally unique routing realm. Global Address A globally unique address assigned by Internet Assigned Number Authority (IANA). Private Address Addresses used in a private routing realm which are not registered with IANA. Typically but not necessarily, these addresses are within the Range 10.0/8, 172.16/12 and 192.168/16 assigned by IANA. If addresses Other than the range above were used, twin NAT would have to be deployed at the border. Host-NAT-Client A host in private network that adopts an address in external realm when connecting to hosts in that realm to pursue end-to-end communication Host-NAPT-Client A host in private network that adopts an address in the external realm and port assigned by the address manager when connecting to hosts in that realm to pursue end-to-end communication Host-NAT-Server A node that is resident on both private and external realms that can facilitate routing of external realm packets within private realm. Host-NAPT-Server A node that is resident on both private and external realms that can facilitate routing of external packets within private realm. In addition, Host-NAPT-Server does one to many mapping of a global address to multiple private address by manipulating transport layer port information. Inbound Session A communication session initiated by an external entity. Outbound Session A communication session initiated by a Host-NAT-Client. 3. Overview of Dynamic HNAT In a HNAT environment where global addresses are dynamically assigned, host-NAT-clients obtain global address assignment from the address manager when communication needs to be establish with an external entity. This address manager may or may not reside on the host -NAT-server. Such a mechanism for dynamically obtaining private to Jeffrey Lo, K.Taniguchi [page 3] Internet Draft Host Network Address (and Port) Translation November 1998 global address binding is discussed in Section 5. After obtaining a global address assignment, all communications between the two entity use globally unique addresses and would requires no translation by intermediary process. Certain routing mechanism would be required to route the end-to-end packets within private realm. Such a routing is usually facilitated by the Host-NAT-Server. Two approaches are defined in [1] which are repeated here. One approach would be to embed the packet within an IP packet such that the outer packet is addressed between the Host-NAT -Client's private address and the external peer. Hence NAT router in between could provide transparent routing of the outer packet by translating the outer IP header en-route. A second approach would be to embed the end-to-end packet inside a tunnel while traversing in the private network, such that the tunnel is addressed between Host-NAT -Client's private address and a router resident on both realms. A Host-NAT-Client has the following characteristics. 1. Aware of the realm to which its peer nodes belong. 2. Assumes an address from external realm when communicating with hosts in that realm. Such an address may be assigned statically or in the case of dynamic HNAT, obtained dynamically from the address manager. 3. Route packets to external hosts using an approach amenable to Host-NAT-Server. In all cases, Host-NAT-Client will likely need to act as a tunnel end-point, capable of encapsulating end-to-end packets while forwarding and decapsulating in the return path. A Host-NAT-Server has the following characteristics. 1. May be configured with address manager to assign address from external realm to Host-NAT-Client either statically or dynamically. 2. Must be a router resident on both the private and external routing realms. 3. Must be able to provide a mechanism to route external realm packets within private realm. Of the two approaches described, the first approach requires Host-NAT-Server to be a NAT router providing transparent routing for the outer header. This approach requires the external peer to be a tunnel end point. With the second approach, a Host-NAT-Server could be any router that can be a tunnel end-point with Host-NAT-Clients. It would detunnel end-to-end packets outbound from Host-NAT-Clients and forward to external hosts. On the return path, it would locate Host-NAT-Client tunnel, based on the destination address of the end-to-end packet and encapsulate the packet in a tunnel to forward to Host-NAT-Client. Jeffrey Lo, K.Taniguchi [page 4] Internet Draft Host Network Address (and Port) Translation November 1998 4. Overview of HNAPT HNAPT is similar to HNAT by allowing Host-NAPT-Client to do network and port translation on behalf of Host-NAPT-Server. Many to one mapping is possible by allowing multiple private addresses to share a single global address, multiplexed base on transport identifiers such as TCP/UDP port numbers and ICMP Query Ids. Host-NAPT-Clients are identified by a tuple of both address and port assignment. Methods discussed in the previous section could be used to route HNAPT packets within the private routing realm. Since a combination of destination address and transport identifier are used by Host-NAPT-Server to identify Host-NAPT-Client, confidentiality provided by security mechanisms that hide the transport identifier cannot be permitted to work with HNAPT, although authentication and integrity can be attained. Host-NAPT-Client would need to be able to acquire a port or range of port binding from the Host-NAPT-Server. Such requirement could be satisfied by DBAP discussed in section 5. 5. Dynamic Binding Acquisition Protocol (DBAP) Dynamic Binding Acquisition Protocol (DBAP) provides a way for Host- NA(P)T-Client to dynamically acquire a private address to global address (and port) binding from the address manager. While Port Distribution Protocol (PDP) proposed in [4] solves the issue of dynamic port assignment, the scheme focuses mainly on small-scale implementation of NAT where only a single global unique address is managed by the NAT device. This IP address is also assumed to be static or not to change frequently. Hence there is no way to resolve unique address assignment using PEP, which is fundamental when more than one global address is managed by the address manager. Hence DBAP is introduced as a more generic protocol that enables both dynamic address and port assignment. DBAP request and response could be carried as ICMP type or over TCP or UDP. Six message types are defined at this moment. More message types and functionality will be introduced as the scheme progresses toward a more mature stage of development. Extension of DBAP to Twin NAT environment will be studied and added in Later version of Internet Draft. The table below describes the direction of the message : Message Type Direction Assign Request Host-NAT-Client -> Host-NAT-Server Assign Response Host-NAT-Server -> Host-NAT-Client Free Request Host-NAT-Client -> Host-NAT-Server Free Response Host-NAT-Server -> Host-NAT-Client ERROR Response Host-NAT-Server -> Host-NAT-Client End Notification Host-NAT-Server -> Host-NAT-Client Jeffrey Lo, K.Taniguchi [page 5] Internet Draft Host Network Address (and Port) Translation November 1998 5.1 ASSIGN REQUEST Assign Request is used by Host-NA(P)T-Client for requesting a global address (and port) assignments from the Address Manager. In cases when multiple global addresses are required, multiple assign request each with a different BindID [5] must be sent. If an ASSIGN RESPONSE corresponding to an ASSIGN REQUEST is not received from the Host-NA(P)T-Server, Host-NA(P)T-Client may issue another ASSIGN REQUEST with the same BindID after a default timeout, the ASSIGN-WAIT time. Host-NA(P)T-Server receiving more than one successful ASSIGN REQUEST with the same BINDID should discard the subsequent requests and response with ASSIGN RESPONSE. Format of the message is shown below. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BindID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num. of Ports | Lowest Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Global IP Address Assigned | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Max. Lease Time | Unused | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ASSIGN REQUEST Format Type : to be defined Code : 0 Checksum : 16-bit 1's complement of the 1's complement sum of the entire request. The checksum itself is set to 0 during computation. BindID : A randomly generated value in the range 0x1 to 0xFFFFFFFF by Host-NA(P)T-Client during first ASSIGN REQUEST pertaining to a BIND. This value should be included in every DBAP exchanged pertaining to that BIND and would be maintained by the Host -NAT-Server as a binding identifier. Num. of Port : Number of port requested. This field is 0 when no port Translation is used. Lowest Port : Must be set to 0 Global IP Address Assigned : Must be set to 0 MaxLeaseTime : Maximum time interval in second that Host-NAT-Client wishes the Host-NAT-Server to reserve the BIND. This value should be 0 if it is not used. Unused : Must be set to 0. Jeffrey Lo, K.Taniguchi [page 6] Internet Draft Host Network Address (and Port) Translation November 1998 5.2 ASSIGN RESPONSE ASSIGN RESPONSE is used to inform requesting Host-NA(P)T-Client of the newly assigned global address, port and other parameters related to the assignment. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BindID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num. of Ports | Lowest Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Global IP Address Assigned | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Max. Lease Time | Unused | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ASSIGN RESPONSE Format Type : to be defined Code : 1 Checksum : 16-bit 1's complement of the 1's complement sum of the entire request. The checksum itself is set to 0 during computation. BindID : BINDID of the ASSIGN REQUEST that this response corresponds to. Num. of Ports : Total number of ports allocated to the host, when no port translation is used, this field must be zero. Lowest Port : Lowest port number allocated in the block, when no port translation is used, this field must be zero. Global IP Address Assigned : This field contains the global IP address assigned by the NAT device. Even if only one global address is managed by the Host -NA(P)T-Server, this field must be filled with that address. MaxLeaseTime : Maximum time interval Host-NAT-Server allocates for this BIND. This value should be 0 if it is not used. Unused : Must be 0 In case of port translation, Address manager is free to allocate a number of port less than that requested by Host-NAT-Client. At the same time, Host-NAT-Server is free to allocate a smaller lease time than that requested. 5.3 FREE REQUEST FREE REQUEST is used by Host-NAT-Client to free an address or port assignment. If a FREE RESPONSE corresponding to a FREE REQUEST is not received from the Host-NA(P)T-Server, Host-NA(P)T-Client may issue Jeffrey Lo, K.Taniguchi [page 7] Internet Draft Host Network Address (and Port) Translation November 1998 another FREE REQUEST with the same BindID, address and port information after a default timeout, the FREE-WAIT time. Host-NA(P)T-Server receiving a valid FREE REQUEST for a bind should convert the bind to FIN-WAIT state and wait for a FIN-WAIT time interval before releasing the bind. Host-NA(P)T-Server receiving more than one FREE REQUEST with the same BINDID, address and port information during the FIN-WAIT interval should discard the subsequent requests and reply with FREE RESPONSE. FIN-WAIT interval should be greater than FREE-WAIT interval. Host-NAPT-Clients are able to free a subset of the port range reserved. Port ranges not freed should be freed by subsequent FREE REQUEST or would be deleted when Maximum Lease Time elapses. If Host-NAT-Clients try to free a port range that exceeds the range of the bind, Host-NAT -Server must return ERROR RESPONSE with error code Incorrect Port Range and keeps the bind intact. Although BDAP does support subset port range release, we do not recommend this practice since it would greatly complicate Host-NAT-Server side implementations. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BindID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num. of Ports | Lowest Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Global IP Address Assigned | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ FREE REQUEST Format Type : to be defined Code : 2 Checksum : 16-bit 1's complement of the 1's complement sum of the entire request. The checksum itself is set to 0 during computation. BindID : BINDID of the ASSIGN REQUEST that this request corresponds to. Num. of Ports : Total number of ports in the block to be freed, when no port translation is used, this field must be zero. Lowest Port : Lowest port number in the block to be freed, when no port translation is used, this field must be zero. Global IP Address Assigned : Global address to be freed 5.4 FREE RESPONSE FREE RESPONSE must be sent by Host-NA(P)T-Server for every valid FREE REQUEST processed. Jeffrey Lo, K.Taniguchi [page 8] Internet Draft Host Network Address (and Port) Translation November 1998 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BindID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num. of Ports | Lowest Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Global IP Address Assigned | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ FREE RESPONSE Format Type : to be defined Code : 3 Checksum : 16-bit 1's complement of the 1's complement sum of the entire request. The checksum itself is set to 0 during computation. BindID : BINDID of the ASSIGN REQUEST that this response corresponds to. Num. of Ports : Total number of ports in the block freed, when no port translation is used, this field must be zero. Lowest Port : Lowest port number in the block freed, when no port translation is used, this field must be zero. Global IP Address Assigned : Global address freed by Host-NA(P)T-Server. 5.5 ERROR RESPONSE ERROR RESPONSE are sent by Host-NA(P)T-Server to Host-NA(P)T-Client in response to any error conditions that my arise. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BindID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Error Code | Unused | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ERROR RESPONSE Format Type : to be defined Code : 4 Checksum : 16-bit 1's complement of the 1's complement sum of the entire request. The checksum itself is set to 0 during computation. BindID : BINDID of the ASSIGN REQUEST that this response corresponds to. Error Code : Reason for the Error. Vendor specific error codes could be introduced. Jeffrey Lo, K.Taniguchi [page 9] Internet Draft Host Network Address (and Port) Translation November 1998 Error Codes Error 0x01 Bad Request 0x02 BindID Not Found 0x03 Wrong BindID 0x04 Out of Port 0x05 Out of Address 0x06 Unauthorized 0x07 Incorrect Port Range 0x08 Incorrect Address Unused : Must be 0. Bad Request Request format not understood by Host-NA(P)T-Server BindID Not Found BindID in the DBAP message is not found on Host-NA(P)T-Server record. Wrong BindID Bind record on Host-NA(P)T-Server specified by BindID on message does not belong to this Host-NA(P)T-Client. Out of Port This error code is used in response to ASSIGN REQUEST. Host-NAPT-Server is temporary out of unassigned port range Out of Address This error code is used in response to ASSIGN REQUEST. Host-NAT-Server is temporary out of unassigned global address Unauthorized This error code is used in response ASSIGN REQUEST. Host-NA(P)T-Client is not authorized to obtain bindings with this Host-NA(P)T-Server. This error response could be return after checking with a policy module. Incorrect Port Range This error code is used in response to FREE REQUEST. Port range in the FREE REQUEST is not correct for the bind record on Host-NAPT-server. Incorrect Address This error code is used in response to FREE REQUEST. Address contained in the FREE REQUEST is not correct for the bind record on Host-NA(P)T-server. 5.6 END Notification END Notification is sent by Host-NA(P)T-Server for informing Host -NA(P)T-Client of the expiration of a particular bind. Again, Host-NA(P)T-Server must wait for FIN-WAIT interval before releasing the bind. Jeffrey Lo, K.Taniguchi [page 10] Internet Draft Host Network Address (and Port) Translation November 1998 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BindID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num. of Ports | Lowest Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Global IP Address Assigned | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ END Notification Format Type : to be defined Code : 5 Checksum : 16-bit 1's complement of the 1's complement sum of the entire request. The checksum itself is set to 0 during computation. BindID : BINDID of the ASSIGN REQUEST that this notification corresponds to. Num. of Ports : Total number of ports in the block to be ended, when no port translation is used, this field must be zero. Lowest Port : Lowest port number in the block to be ended, when no port translation is used, this field must be zero. Global IP Address Assigned : Global IP address this notification refers to . Host-NA(P)T-Clients are not expected to acknowledge receipt of this notification. After FIN-WAIT interval elapsed, data packets received pertaining to this bind will be responded with an ICMP host unreachable response. 6. Scenarios The scenarios quoted are common examples of how HNAT and DBAP could be exploited in real life. In scenarios pertaining to DNS lookup DNSSEC is assumed to be implemented on all DNS servers. Although the mechanism could be extended to all end-to-end security mechanism, IPsec is used in the examples due to its popularity today. Private routing realms are assumed to have global routing capabilities, that is, addresses from external domains are advertised by the NAT router in the private domain but not the other way round. At least one DNS server within the private realm is responsible in handling queries from external entity and, for simplicity, such DNS servers are assumed to be statically assigned a global address each. Security Association (SA) negotiation using Internet Security Association and Key Exchange Protocol (ISAKMP) in NAT Environment is outside the scope of this document. This issue may be addressed in the work-in-progress Internet Draft [6]. Hence for simplicity, end hosts are assume to have the security association (SA) negotiation completed using ISAKMP and details of ISAKMP negotiation, particularly ISAKMP SA establishment and Internet Key Exchange (IKE), Jeffrey Lo, K.Taniguchi [page 11] Internet Draft Host Network Address (and Port) Translation November 1998 are omitted. These scenarios illustrate address translation without port translation, cases of port translation could be extended without too much effort. 6.1 Outbound Data Session with End-to-End Security (IPSEC) Here we consider the outbound data stream of a session between an External entity X and an internal host A with IP security. IP tunneling is used to route the packet in private realm. 1. First of all, host A request a global address from Host-NAT-Server using DBAP. It sends a DBAP ASSIGN REQUEST with a randomly generated BINDID field and "Lowest Port", "Num. of Port" and "Assigned address" fields filled with 0s. It may optionally include a maximum lease time value. When this DBAP request reaches the Host-NAT-Server, a global address, say U, is pulled from the address pool and assigned to A. The binding timer is started and Host-NAT-Server replies to host A with DBAP ASSIGN RESPONSE with "Lowest Port" and "Num. of Port" fields set to zero, and "Assigned Global Address" field set to U. 2. Host A then computes the cryptographic algorithm using address of X as destination address and this assigned global address U as the source address. Before sending the packet out to the private network, host A encapsulates the packet with an internally addressed IP header and tunnel it to the Host-NAT-Server. 3. When the packet reaches the Host-NAT-Server, it is decapsulated and routed in the external realm to X. 6.2 Inbound DNS Name Lookup Query with DNSSEC In this scenario, we say that an external entity X wishes to perform a name lookup for an internal host A. DNSSEC is applied to all DNS servers. These are the sequence of events. 1. Host X does a DNS query to its local DNS server 2. DNS of X.external.com queries the root DNS server 3. Root DNS server replies with a referral to DNS server of the private network 4. DNS server of X.external.com sends a query to DNS server of private network 5. When the query reaches DNS server of private network, it does a lookup on "A.private.com" and find A's local address, say 10.0.0.1. 6. DNS then obtains a global address for A using DBAP. It sends a DBAP ASSIGN REQUEST with "Lowest Port", "Num. of Port fields" and "Assigned Global Address" fields filled with 0s and a randomly generated BINDID. When this DBAP request reaches the Host-NAT-Server, a global address, say U, is pulled from the address pool and assigned to 10.0.0.1. The bind timer is started and Host-NAT-Server replies to DNS with DBAP ASSIGN RESPONSE with "Lowest Port" and "Num. of Port" fields set to zero, and "Assigned Global Address" field set to U. DNS of private network then encrypt U in DNS response payload and sends it back to DNS of X.external.com. The response traverse the Jeffrey Lo, K.Taniguchi [page 12] Internet Draft Host Network Address (and Port) Translation November 1998 Host-NAT-Server unchanged. No DNS-ALG [3] is required at the NAT. 7. DNS of X.external.com replies Host X with address U assigned to Host A by NAT router. 7. Architectural Enhancement on Host-NAT-Server and Host-NAT-Client To be discussed in later drafts. 8. Impact on Application and Application Level Gateway To be discussed in later drafts. 9. Security Considerations To be discussed in later drafts. 10. Acknowledgement We wish to acknowledge Dr. Takeshi Nishida for his valuable comments that had been very helpful in the writing of this draft. 11. References [1] P. Srisuresh, Matt holdrege, "NAT : Terminology and Considerations" , Work-in-progress [2] P.Srisuresh, K. Egevang, "Traditional IP Network Address Translator" , Work-in-progress [3] P.Srisuresh, G.Tsirtsis, P.Akkiraju, A. Heffernan, "DNS extensions to Network Address Translators (DNS_ALG)" , Work-in-progress [4] M.Borella, David Grabelsky, Ikhlaq Shdhu, Brian Petry, "Distributed Network Address Translation" , Work-in-progress [5] P.Srisuresh, "IP Network Address Translator Application Programming Interface" , Work-in-progress [6] P.Srisuresh "Security for IP Network Address Translator (NAT) Domains" , Work-in-progress Jeffrey Lo, K.Taniguchi [page 13] Internet Draft Host Network Address (and Port) Translation November 1998 12. Authors' Address Jeffrey Lo NEC USA, Inc. 110 Rio Robles San Jose, California 95134 Voice : (408) 943 3033 Fax : (408) 943 3099 Email : jlo@ccrl.sj.nec.com Kunihiro Taniguchi NEC USA, Inc. 110 Rio Robles San Jose, California 95134 Voice : (408) 943 3031 Fax : (408) 943 3099 Email : taniguti@ccrl.sj.nec.com Jeffrey Lo, K.Taniguchi [page 14]