NAT-Traversal for IPsec Key Management Developers

The Solaris 10 5/09 release contains a public API for User Datagram Protocol (UDP) sockets that act as IPsec Network Address Translator (NAT) Traversal endpoints.

The UDP_NAT_T_ENDPOINT socket option, when enabled, has UDP traffic prefixed with a zero security parameters index (SPI) value of four bytes on outbound traffic and strips zero SPIs on inbound traffic. Inbound traffic bound for such a socket with a nonzero SPI is automatically transferred to IPsec's Encapsulating Security Payload (ESP) for ESP-in-UDP decapsulation. ESP-in-UDP encapsulation is determined by a property in the IPsec Security Association (SA).

This feature enables IPsec key management software developers to create key management protocols that can transit NAT devices. The Solaris IKE daemon in iked(1M) uses this facility and such sockets are displayed using the pfiles(1M) command.

Previous: System Administration Enhancements
Next: Stronger Algorithms for IPsec