Traversing NATs and NAPTs with UDP-Encapsulated ESP Packets (NDIS 5.1)
Note: NDIS 5.x has been deprecated and is superseded by NDIS 6.x. For new NDIS driver development, see Network Drivers Starting with Windows Vista. For information about porting NDIS 5.x drivers to NDIS 6.x, see Porting NDIS 5.x Drivers to NDIS 6.0.
Network address translators (NATs) and network address port translators (NAPTs) convert multiple private network addresses into one routeable IP public address and vice versa, thereby allowing many systems to share a single IP address. In this way, NATs and NAPTs help to alleviate the shortage of routeable IPv4 addresses.
However, NATs and NAPTs can cause problems with Internet Protocol security (IPsec). Because NATs and NAPTs modify the IP header of a packet, they cause AH-protected packets to fail checksum validation. NAPTs, which modify TCP and UDP ports, cannot modify the ports in the encrypted TCP header of an ESP-protected packet.
UDP encapsulation solves this problem. In practice, UDP encapsulation is used only on ESP packets. A NAT or NAPT can modify the unencrypted IP and UDP headers of a UDP-encapsulated ESP packet without breaking ESP authentication and without being stymied by ESP encryption. For a detailed description of the UDP encapsulation of ESP packets, see IPsec over NAT Justification for UDP Encapsulation.
Microsoft supports UDP encapsulation of ESP packets on port 4500. After IKE peers initiate negotiation on port 500, detect support for NAT-traversal, and detect a NAT or NAPT along the path, they can negotiate to "float" IKE and UDP-ESP traffic to port 4500. For more information about this negotiation, see Negotiation of NAT-Traversal in the IKE.
Floating to port 4500 for NAT traversal provides the following benefits:
- It bypasses "IPsec-aware" NATs or NAPTs that break UDP-ESP encapsulation on port 500.
- It improves performance. The UDP encapsulation of ESP data packets is more efficient on port 4500 than on port 500. For more information, see UDP-ESP Encapsulation Types.
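As an added example (not code from this page or from any Microsoft driver), the following C parser classifies a UDP payload received on port 4500 by the RFC 3948 layout the encapsulation above relies on: a single 0xFF byte is a NAT keepalive, a 4-byte all-zero "non-ESP marker" precedes an IKE message, and anything else is an ESP header whose non-zero SPI is followed by the sequence number. It then checks the SPI against a hypothetical table standing in for the parser entries and offloaded SAs a NIC keeps; the SPI values and sample payloads are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* What a UDP payload received on port 4500 carries (RFC 3948 layout). */
typedef enum {
    UDPESP_INVALID = 0,  /* too short or malformed: drop it and count it */
    UDPESP_KEEPALIVE,    /* single 0xFF byte: NAT keepalive, no SA work */
    UDPESP_IKE,          /* 4-byte zero "non-ESP marker", then an IKE message */
    UDPESP_ESP           /* ESP header: non-zero SPI, then sequence number */
} udpesp_kind;

typedef struct {
    udpesp_kind kind;
    uint32_t spi;        /* valid only for UDPESP_ESP */
    uint32_t seq;        /* valid only for UDPESP_ESP */
} udpesp_info;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Classify one UDP payload; the length is checked before every read. */
udpesp_info udpesp_parse(const uint8_t *payload, size_t len) {
    udpesp_info info = { UDPESP_INVALID, 0, 0 };
    if (len == 1 && payload[0] == 0xFF) { info.kind = UDPESP_KEEPALIVE; return info; }
    if (len < 4) return info;                 /* no room for a marker or SPI */
    uint32_t first = be32(payload);
    if (first == 0) { info.kind = UDPESP_IKE; return info; }
    if (len < 8) return info;                 /* ESP needs SPI + sequence number */
    info.kind = UDPESP_ESP; info.spi = first; info.seq = be32(payload + 4);
    return info;
}

/* Hypothetical parser-entry table: SPIs of SAs the transport has offloaded. */
static const uint32_t OFFLOADED_SPI[] = { 0x12345678u, 0xDEADBEEFu };
/* Returns 1 when the payload is ESP on an offloaded SA, else 0. */
int udpesp_matches_offloaded_sa(const uint8_t *payload, size_t len) {
    udpesp_info info = udpesp_parse(payload, len);
    if (info.kind != UDPESP_ESP) return 0;
    for (size_t i = 0; i < sizeof OFFLOADED_SPI / sizeof OFFLOADED_SPI[0]; i++)
        if (OFFLOADED_SPI[i] == info.spi) return 1;
    return 0;                                 /* unknown SPI: leave it to the host stack */
}

/* Constructed sample payloads (not real captures). */
static const uint8_t SAMPLE_KEEPALIVE[] = { 0xFF };
static const uint8_t SAMPLE_IKE[] = { 0,0,0,0, 0x11,0x22 };                 /* marker + IKE bytes */
static const uint8_t SAMPLE_ESP[] = { 0x12,0x34,0x56,0x78, 0,0,0,7, 0xAA };  /* SPI, seq 7, data */
```

Passing a shorter length than the buffer holds (for example 3 or 6 bytes of SAMPLE_ESP) yields UDPESP_INVALID, which is the case a receive path must handle before touching any SA state.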
To support UDP-ESP encapsulation, a miniport driver and/or its NIC must:
- Be able to process ESP packets in the receive path, as described in Offloading IPsec Tasks in the Receive Path.
- Maintain a list of parser entries. A parser entry contains information that the miniport driver's NIC requires to parse incoming UDP-ESP packets on one or more security associations (SAs). For more information about parser entries, see UDP-ESP SAs and Parser Entries.
- Maintain a list of SAs that the transport has offloaded to the NIC.
- Support the following OIDs: