IEEE Std 2030.102.1-2020, IEEE Standard for Interoperability of Internet Protocol Security (IPsec) Utilized within Utility Control Systems.
NAT traversal and IPsec
The information contained within this annex outlines the challenges when an IPsec tunnel traverses a device implementing Network Address Translation (NAT) and one possible resolution. It is informative and, therefore, not required for compliance with this standard; however, it may influence additional requirements by users of devices implementing IPsec.
B.1 Problem statement
The basic challenge encountered when NAT is introduced between the endpoints of an IPsec tunnel is that it changes information in the packet headers, which may lead to three significant problems, as follows:
– Address Mismatch: NAT changes the IP address of the internal device to an address assigned by the NAT device. The Internet Key Exchange (IKE) protocol utilized within IPsec embeds the sender's IP address within the payload. Because of this, a NAT device causes a mismatch between this embedded address and the source address of the IKE packet (which has been replaced with the address of the NAT device). When these addresses do not match, the receiving device drops the packet.
– Checksums: Checksums utilized for packet verification create a problem because the checksum included in the TCP header is computed using the IP addresses of the sending and receiving devices. Checksums do not present a problem with normal NAT communications because the NAT device modifies the headers by inserting a new IP address and port in place of the sending device's IP address and port. With IPsec, however, the TCP header is encrypted using the Encapsulating Security Payload (ESP) protocol. When ESP encrypts the TCP header, a NAT device cannot change it, resulting in an invalid checksum and the receiving device rejecting the packet.
– Port Address Translation (PAT): PAT is used to provide internal devices with access to an external network using the same external IP address, which is common with internet-facing devices, due to the lack of available external IP addresses. Because the ESP protocol does not involve ports, a unique port cannot be assigned to the packet when the original source address is changed to the external address in the binding database. In this case, ESP cannot pass through the PAT device because the database binding cannot complete without the unique port assigned.
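The checksum and PAT problems above, modelled as an added example (not code from the standard): a TCP segment is checksummed over the sender's real address, a NAT rewrite can repair that checksum only when the TCP header is visible (plain TCP) and must pass it untouched when it is ESP ciphertext, and a PAT binding table keyed on ports cannot hold a second ESP host behind the same external address. The addresses are constructed values from the RFC 5737 documentation ranges, and the ESP case models transport mode, where the receiver verifies against the translated outer source address.

```python
import socket
import struct

TCP_PROTO, ESP_PROTO = 6, 50
# Constructed addresses from the RFC 5737 documentation ranges, not from the standard.
INTERNAL, NAT_EXT, SERVER = "192.168.1.10", "203.0.113.5", "198.51.100.7"

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and TCP checksums."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum: IPv4 pseudo-header (both addresses) plus the segment.
    Over a segment whose checksum field is already filled in, a valid result is 0."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def with_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Return the segment with its checksum field (bytes 16-17) recomputed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return zeroed[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, zeroed)) + zeroed[18:]

def build_segment(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (ports 40000 -> 443) plus payload, checksummed."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return with_checksum(src_ip, dst_ip, hdr + payload)

def nat_rewrite(ext_ip: str, dst_ip: str, segment: bytes, esp: bool) -> bytes:
    """NAT swaps the source address for ext_ip. With plain TCP it can also fix the
    checksum; inside ESP the TCP header is ciphertext, so it passes through as is."""
    return segment if esp else with_checksum(ext_ip, dst_ip, segment)

def pat_bind(table: dict, proto: int, host: str, ext_ip: str) -> bool:
    """PAT keys a binding on (proto, ext_ip, ext_port). TCP gets a fresh port per
    binding; ESP has no port field, so a second ESP host behind ext_ip collides."""
    key = (proto, ext_ip, 1024 + len(table) if proto == TCP_PROTO else None)
    if key in table:
        return False
    table[key] = host
    return True

def survives_nat(esp: bool) -> bool:
    """Does a segment from INTERNAL still verify at SERVER after the NAT rewrite?"""
    seg = nat_rewrite(NAT_EXT, SERVER, build_segment(INTERNAL, SERVER, b"payload"), esp)
    return tcp_checksum(NAT_EXT, SERVER, seg) == 0
```

In tunnel mode the inner IP header is carried encrypted and unchanged, so the checksum problem is specific to transport mode, while the address-mismatch and PAT problems affect both modes.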