A Secure Way to Combine IPsec, NAT & DHCP

  • Conference paper
Computer Network Security (MMM-ACNS 2005)

Abstract

This paper examines the use of NAT with IPsec as a transparent security mechanism. It discusses the security requirements and the solutions that define how IPsec and NAT can be combined. Because of the inherent limitations of the currently proposed solutions, this paper proposes an end-to-end security architecture that uses IPsec in a NAT/DHCP environment, with a formal validation of the proposed architecture using an automatic protocol analyser called Hermes. This paper builds upon previously published work.



© 2005 Springer-Verlag Berlin Heidelberg

Cite this paper

Demerjian, J., Hajjeh, I., Badra, M., Ferraz, S. (2005). A Secure Way to Combine IPsec, NAT & DHCP. In: Gorodetsky, V., Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2005. Lecture Notes in Computer Science, vol 3685. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11560326_8

  • DOI: https://doi.org/10.1007/11560326_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-29113-8

  • Online ISBN: 978-3-540-31998-6
