Revert "proto_ipsec: Add IPSec NAT Traversal (NAT-T) support"

This reverts commit 49bc814.

Author: LarryLaffer-dev

modules/proto_ipsec/doc/proto_ipsec_admin.xml

@@ -18,14 +18,6 @@
 		specification (GSMA PRD IR.92) and implements the extensions defined
 		in TS 33.203 (3G Security: Access Security for IP-based Services).
 	</para>
-	<para>
-		The module also supports <emphasis role='bold'>IPSec NAT Traversal (NAT-T)</emphasis>
-		as specified in 3GPP TS 33.203 Annex M and TS 24.229. When NAT-T is enabled,
-		the module can accept and use the <emphasis>mod=UDP-enc-tun</emphasis> mode
-		in Security-Client headers, which encapsulates ESP packets in UDP datagrams
-		(as per RFC 3948) to traverse NAT devices. This feature is optional and can
-		be enabled via the <xref linkend="param_nat_traversal"/> parameter.
-	</para>
 	<para>
 		It allows creation of both UDP and TCP secure connections on the same
 		IP:port pair, defined as sockets. Essentially, when defining a socket
@@ -360,58 +352,6 @@ modparam("proto_ipsec", "disable_deprecated_algorithms", yes)
 		</example>
 	</section>
 
-	<section id="param_nat_traversal" xreflabel="nat_traversal">
-		<title><varname>nat_traversal</varname> (integer)</title>
-		<para>
-			Enables or disables IPSec NAT Traversal (NAT-T) support according to
-			3GPP TS 33.203 Annex M and TS 24.229.
-		</para>
-		<para>
-			When enabled (set to 1), the module will:
-			<itemizedlist>
-			<listitem>
-			<para>
-				Accept <emphasis>mod=UDP-enc-tun</emphasis> in Security-Client headers
-			</para>
-			</listitem>
-			<listitem>
-			<para>
-				Use UDP encapsulation for ESP packets (RFC 3948) when NAT-T mode is negotiated
-			</para>
-			</listitem>
-			<listitem>
-			<para>
-				Use tunnel mode instead of transport mode for IPSec SAs
-			</para>
-			</listitem>
-			<listitem>
-			<para>
-				Include <emphasis>mod=UDP-enc-tun</emphasis> in Security-Server headers
-				when the UE requests NAT-T mode
-			</para>
-			</listitem>
-			</itemizedlist>
-		</para>
-		<para>
-			When disabled (set to 0, default), only <emphasis>mod=trans</emphasis>
-			(standard transport mode) is accepted in Security-Client headers.
-		</para>
-		<para>
-		<emphasis>
-			Default value is 0 (disabled).
-		</emphasis>
-		</para>
-		<example>
-		<title>Set <varname>nat_traversal</varname> parameter</title>
-		<programlisting format="linespecific">
-...
-# Enable NAT Traversal support for UEs behind NAT
-modparam("proto_ipsec", "nat_traversal", 1)
-...
-</programlisting>
-		</example>
-	</section>
-
 	</section>
 
 	<section id="exported_functions" xreflabel="exported_functions">
@@ -514,21 +454,16 @@ onreply_route[ipsec] {
 					<listitem><para><emphasis>port-c</emphasis> - local port
 					chosen for communicating through the client channel.
 					</para></listitem>
-					<listitem><para><emphasis>port-s</emphasis> - local port
+					<listitem><para><emphasis>port-c</emphasis> - local port
 					chosen for communicating through the server channel.
 					</para></listitem>
-					<listitem><para><emphasis>mode</emphasis> - IPSec mode being used:
-					<emphasis>trans</emphasis> for transport mode or
-					<emphasis>UDP-enc-tun</emphasis> for NAT-T tunnel mode
-					(as per 3GPP TS 33.203 Annex M).
-					</para></listitem>
 				</itemizedlist>
 			</para>
 		<example>
 		<title><function>$ipsec(field)</function> usage</title>
 		<programlisting format="linespecific">
 ...
-xlog("Using $ipsec(ip):$ipsec(port-c) and $ipsec(ip):$ipsec(port-s) socket, mode=$ipsec(mode)\n");
+xlog("Using $ipsec(ip):$ipsec(port-c) and $ipsec(ip):$ipsec(port-s) socket\n");
 ...
 </programlisting>
 		</example>
@@ -567,21 +502,16 @@ xlog("Using $ipsec(ip):$ipsec(port-c) and $ipsec(ip):$ipsec(port-s) socket, mode
 					<listitem><para><emphasis>port-c</emphasis> - remote port
 					chosen for communicating through the client channel.
 					</para></listitem>
-					<listitem><para><emphasis>port-s</emphasis> - remote port
+					<listitem><para><emphasis>port-c</emphasis> - remote port
 					chosen for communicating through the server channel.
 					</para></listitem>
-					<listitem><para><emphasis>mode</emphasis> - IPSec mode being used:
-					<emphasis>trans</emphasis> for transport mode or
-					<emphasis>UDP-enc-tun</emphasis> for NAT-T tunnel mode
-					(as per 3GPP TS 33.203 Annex M).
-					</para></listitem>
 				</itemizedlist>
 			</para>
 		<example>
 		<title><function>$ipsec_ue(field)</function> usage</title>
 		<programlisting format="linespecific">
 ...
-xlog("UE $ipsec_ue(ip):$ipsec_ue(port-c) and $ipsec_ue(ip):$ipsec_ue(port-s), mode=$ipsec_ue(mode)\n");
+xlog("Using $ipsec_ue(ip):$ipsec_ue(port-c) and $ipsec_ue(ip):$ipsec_ue(port-s) socket\n");
 ...
 </programlisting>
 		</example>

modules/proto_ipsec/ipsec.c

@@ -392,21 +392,6 @@ struct xfrm_algo_osips {
 static_assert(sizeof(struct xfrm_algo_osips) == sizeof(struct xfrm_algo)
 		+ IPSEC_ALGO_MAX_KEY_SIZE, "ERROR!  Unexpected 'xfrm_algo' size!");
 
-/*
- * NAT-T (NAT Traversal) support according to:
- * - 3GPP TS 33.203 Annex M: IPsec NAT traversal
- * - 3GPP TS 24.229: IP multimedia call control protocol
- * - RFC 3948: UDP Encapsulation of IPsec ESP Packets
- *
- * When NAT-T mode (mod=UDP-enc-tun) is used:
- * - ESP packets are encapsulated in UDP (port 4500 typically)
- * - Tunnel mode is used instead of transport mode
- * - XFRMA_ENCAP attribute is added to the SA
- */
-#ifndef UDP_ENCAP_ESPINUDP
-#define UDP_ENCAP_ESPINUDP 2  /* RFC 3948 */
-#endif
-
 int ipsec_sa_add(struct mnl_socket *sock, struct ipsec_ctx *ctx,
 		enum ipsec_dir dir, int client)
 {
@@ -416,12 +401,10 @@ int ipsec_sa_add(struct mnl_socket *sock, struct ipsec_ctx *ctx,
 	struct xfrm_userpolicy_info *policy_info;
 	struct xfrm_algo_osips ia, ie;
 	struct xfrm_user_tmpl tmpl;
-	struct xfrm_encap_tmpl encap;
 	unsigned short dst_port;
 	unsigned short src_port;
 	unsigned int spi;
 	struct ipsec_endpoint *src, *dst;
-	int xfrm_mode;
 
 	if (dir == IPSEC_POLICY_IN) {
 		src = &ctx->ue;
@@ -527,41 +510,13 @@ int ipsec_sa_add(struct mnl_socket *sock, struct ipsec_ctx *ctx,
 	sa_info->reqid = htonl(spi);
 	sa_info->family = dst->ip.af;
 	sa_info->replay_window = 32;
-
-	/*
-	 * Set mode according to NAT-T configuration:
-	 * - Transport mode (mod=trans): Standard IPsec transport mode
-	 * - Tunnel mode (mod=UDP-enc-tun): NAT-T with UDP encapsulation
-	 *   as per 3GPP TS 33.203 Annex M
-	 */
-	if (ctx->mode == IPSEC_MODE_UDP_ENCAP_TUNNEL) {
-		xfrm_mode = XFRM_MODE_TUNNEL;
-		sa_info->flags |= XFRM_STATE_NOPMTUDISC;
-	} else {
-		xfrm_mode = XFRM_MODE_TRANSPORT;
-	}
-	sa_info->mode = xfrm_mode;
+	sa_info->mode = XFRM_MODE_TRANSPORT;
 
 	mnl_attr_put(nlh, XFRMA_ALG_AUTH,
 			sizeof(struct xfrm_algo) + ia.alg_key_len, &ia);
 	mnl_attr_put(nlh, XFRMA_ALG_CRYPT,
 			sizeof(struct xfrm_algo) + ie.alg_key_len, &ie);
 
-	/*
-	 * NAT-T UDP Encapsulation (3GPP TS 33.203 Annex M, RFC 3948)
-	 * When mod=UDP-enc-tun is negotiated, ESP packets are encapsulated
-	 * in UDP datagrams to traverse NAT devices.
-	 */
-	if (ctx->mode == IPSEC_MODE_UDP_ENCAP_TUNNEL) {
-		memset(&encap, 0, sizeof(encap));
-		encap.encap_type = UDP_ENCAP_ESPINUDP;
-		encap.encap_sport = htons(src_port);
-		encap.encap_dport = htons(dst_port);
-		/* OA (Original Address) - set to zero, kernel fills if needed */
-		mnl_attr_put(nlh, XFRMA_ENCAP, sizeof(encap), &encap);
-		LM_DBG("NAT-T encapsulation: sport=%hu dport=%hu\n", src_port, dst_port);
-	}
-
 	if (mnl_socket_sendto(sock, nlh, nlh->nlmsg_len) < 0) {
 		LM_ERR("communicating with kernel for new SA: %s\n", strerror(errno));
 		goto error;
@@ -605,7 +560,7 @@ int ipsec_sa_add(struct mnl_socket *sock, struct ipsec_ctx *ctx,
 	tmpl.family = dst->ip.af;
 	memcpy(&tmpl.saddr, &src->ip.u, src->ip.len);
 	tmpl.reqid = htonl(spi);
-	tmpl.mode = xfrm_mode;  /* Transport or Tunnel mode based on NAT-T */
+	tmpl.mode = XFRM_MODE_TRANSPORT;
 	tmpl.share = XFRM_SHARE_ANY;
 	tmpl.optional = 0;
 	tmpl.aalgos = 0xffffffff;
@@ -693,7 +648,7 @@ static void ipsec_ctx_free(struct ipsec_ctx *ctx)
 
 struct ipsec_ctx *ipsec_ctx_new(sec_agree_body_t *sa, struct ip_addr *ip,
 		struct socket_info *ss, struct socket_info *sc, str *ck, str *ik,
-		unsigned int spi_pc, unsigned int spi_ps, enum ipsec_mode mode)
+		unsigned int spi_pc, unsigned int spi_ps)
 {
 	struct ipsec_spi *spi_s, *spi_c;
 	struct ipsec_ctx *ctx;
@@ -755,7 +710,6 @@ struct ipsec_ctx *ipsec_ctx_new(sec_agree_body_t *sa, struct ip_addr *ip,
 	ctx->client = sc;
 	ctx->alg = alg;
 	ctx->ealg = ealg;
-	ctx->mode = mode;
 	/* own information - shortcut */
 	memcpy(&ctx->me.ip, &sc->address, sizeof(struct ip_addr));
 	ctx->me.spi_s = spi_s->spi;

modules/proto_ipsec/ipsec.h

@@ -42,23 +42,6 @@ enum ipsec_state {
 	IPSEC_STATE_INVALID,
 };
 
-/*
- * IPSec mode according to 3GPP TS 33.203 Annex H/M:
- * - IPSEC_MODE_TRANSPORT: mod=trans (standard transport mode)
- * - IPSEC_MODE_UDP_ENCAP_TUNNEL: mod=UDP-enc-tun (NAT-T mode with UDP encapsulation)
- */
-enum ipsec_mode {
-	IPSEC_MODE_TRANSPORT = 0,
-	IPSEC_MODE_UDP_ENCAP_TUNNEL,
-};
-
-/* NAT-T encapsulation port (RFC 3948) */
-#define IPSEC_NAT_T_PORT 4500
-
-#define VALID_IPSEC_STATE(_s) \
-	((_s) == IPSEC_STATE_TMP || \
-	 (_s) == IPSEC_STATE_OK)
-
 #define ipsec_socket mnl_socket
 
 #include "../../str.h"
@@ -80,7 +63,6 @@ struct ipsec_ctx {
 	struct ipsec_algorithm_desc *alg, *ealg;
 	struct ipsec_endpoint me;
 	struct ipsec_endpoint ue;
-	enum ipsec_mode mode;  /* transport or UDP-enc-tun (NAT-T) */
 
 	/* dynamic values - should be locked */
 	gen_lock_t lock;
@@ -134,7 +116,7 @@ void ipsec_sa_rm_all(struct ipsec_socket *sock, struct ipsec_ctx *ctx);
 /* ctx */
 struct ipsec_ctx *ipsec_ctx_new(sec_agree_body_t *sa, struct ip_addr *ip,
 		struct socket_info *ss, struct socket_info *sc, str *ck, str *ik,
-		unsigned int spi_pc, unsigned int spi_ps, enum ipsec_mode mode);
+		unsigned int spi_pc, unsigned int spi_ps);
 struct ipsec_ctx *ipsec_ctx_find(struct ipsec_user *user, unsigned short port);
 void ipsec_ctx_push(struct ipsec_ctx *ctx);
 struct ipsec_ctx *ipsec_ctx_get(void);
@@ -144,9 +126,7 @@ void ipsec_ctx_release_tmp_user(struct ipsec_user *user);
 void ipsec_ctx_release_user(struct ipsec_ctx *ctx);
 void ipsec_ctx_release(struct ipsec_ctx *ctx);
 int ipsec_ctx_release_unsafe(struct ipsec_ctx *ctx);
-void ipsec_ctx_add_tmp(struct ipsec_ctx *ctx);
 void ipsec_ctx_remove_tmp(struct ipsec_ctx *ctx);
-void ipsec_ctx_remove_free_tmp(struct ipsec_ctx *ctx, int _free);
 void ipsec_ctx_extend_tmp(struct ipsec_ctx *ctx);
 
 #endif /* _IPSEC_H_ */

modules/proto_ipsec/ipsec_algo.c

@@ -73,39 +73,6 @@
 #define IPSEC_ALGO_MAX_KEY_SIZE IPSEC_ALGO_DES3_KEY_SIZE
 
 int ipsec_disable_deprecated_algorithms = 0;
-/* NAT-T support flag - defined in proto_ipsec.c, declared in ipsec_algo.h */
-
-/*
- * Validate IPSec mode from Security-Client header
- * According to 3GPP TS 33.203 Annex H/M:
- * - "trans": Transport mode (always accepted)
- * - "UDP-enc-tun": UDP-encapsulated tunnel mode (only if NAT-T enabled)
- */
-static int ipsec_validate_mode(str *mod_str)
-{
-	static str trans_str = str_init("trans");
-	static str udp_enc_tun_str = str_init("UDP-enc-tun");
-
-	if (!mod_str || !mod_str->len) {
-		/* No mode specified - default to transport, acceptable */
-		return 0;
-	}
-
-	if (str_casematch(mod_str, &trans_str)) {
-		return 0;  /* Transport mode always accepted */
-	}
-
-	if (str_casematch(mod_str, &udp_enc_tun_str)) {
-		if (ipsec_nat_traversal_enabled) {
-			return 0;  /* NAT-T mode accepted when enabled */
-		}
-		LM_DBG("NAT-T mode (UDP-enc-tun) not accepted - nat_traversal disabled\n");
-		return -1;
-	}
-
-	LM_DBG("unknown IPSec mode: %.*s\n", mod_str->len, mod_str->s);
-	return -1;
-}
 
 static struct ipsec_algorithm_desc ipsec_auth_algorithms[] = {
 	{
@@ -319,12 +286,7 @@ sec_agree_body_t *ipsec_get_security_client(struct sip_msg *msg, struct ipsec_al
 			for (sa = sas; sa; sa = sa->next) {
 				if (sa->invalid || sa->mechanism != SEC_AGREE_MECHANISM_IPSEC_3GPP)
 					continue;
-				/* Validate mode (trans or UDP-enc-tun per 3GPP TS 33.203) */
-				if (ipsec_validate_mode(&sa->ts3gpp.mod_str) < 0) {
-					LM_DBG("unsupported mode %.*s in Security-Client\n",
-							sa->ts3gpp.mod_str.len, sa->ts3gpp.mod_str.s);
-					continue;
-				}
+				/* TODO: should we check mode for now? */
 				if (!sa->ts3gpp.alg_str.len)
 					continue;
 				alg_desc = ipsec_parse_algorithm(&sa->ts3gpp.alg_str, IPSEC_ALGO_TYPE_AUTH);
@@ -372,12 +334,7 @@ sec_agree_body_t *ipsec_get_security_client(struct sip_msg *msg, struct ipsec_al
 				for (sa = sas; sa; sa = sa->next) {
 					if (sa->invalid || sa->mechanism != SEC_AGREE_MECHANISM_IPSEC_3GPP)
 						continue;
-					/* Validate mode (trans or UDP-enc-tun per 3GPP TS 33.203) */
-					if (ipsec_validate_mode(&sa->ts3gpp.mod_str) < 0) {
-						LM_DBG("unsupported mode %.*s in Security-Client\n",
-								sa->ts3gpp.mod_str.len, sa->ts3gpp.mod_str.s);
-						continue;
-					}
+					/* TODO: should we check mode for now? */
 					if (!sa->ts3gpp.alg_str.len)
 						continue;
 					auth = ipsec_parse_algorithm(&sa->ts3gpp.alg_str, IPSEC_ALGO_TYPE_AUTH);

modules/proto_ipsec/ipsec_algo.h

@@ -94,6 +94,5 @@ sec_agree_body_t *ipsec_get_security_client(struct sip_msg *msg, struct ipsec_al
 void ipsec_free_allowed_algorithms(struct ipsec_allowed_algo *algos);
 
 extern int ipsec_disable_deprecated_algorithms;
-extern int ipsec_nat_traversal_enabled;  /* NAT-T support enabled */
 
 #endif /* _IPSEC_ALGO_H_ */