[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
IPsec VPN and NAT
I appologise to those not interested on this list for this posting. The
FTP server that we had for such things seems to be down, maybe permanently.
Here is my first cut at cutting together a number of writings into an ID on
IPsec VPNs and NAT. It addresses only simple IPsec tunnels (gateways and
remotes). Advanced IPsec tunnels (chained and/or nested with host
participation) will require more thought.
Please read and comment in general (or detail!). I will get this off
friday morning with whatever changes make sense to the ID address....
Internet Engineering Task Force R. Moskowitz
Internet Draft Chrysler Corporation
Expires in six months August 19, 1997
Network Address Translation issues with IPsec
<draft-ietf-moskowitz-ipsec-vpn-nat-00.doc>
Status of this Memo
This document is an Internet-Draft. Internet Drafts are
working documents of the Internet Engineering Task Force
(IETF), its areas, and its working Groups. Note that other
groups may also distribute working documents as Internet
Drafts.
Internet-Drafts draft documents are valid for a maximum of six
months and may be updated, replaced, or obsolete by other
documents at any time. It is inappropriate to use Internet-
Drafts as reference material or to cite them other than as
"work in progress."
To learn the current status of any Internet-Draft, please
check the "1id-abstracts.txt" listing contained in the
Internet-Drafts Shadow Directories on ftp.is.co.za (Africa),
nic.nordu.net (Europe), munnari.oz.au (Pacific Rim),
ds.internic.net (US East Coast), or ftp.isi.edu (US West
Coast).
Distribution of this memo is unlimited.
Abstract
This document looks at a number of issues surrounding the need
for network address translation (NAT) when IPsec is used to
create virtual private networks (NAT). This document only
looks at simple VPNs. That is VPNs consisting of a single
IPsec tunnel as compared to VPNs consisting of ‘chained’
and/or ‘nested’ IPsec tunnels and/or transports.
R. Moskowitz [Page 1]
Internet Draft NAT issues with IPsec August 20, 1997
Table of Contents
1. Introduction..............................................2
1.1 Specification of Requirements..........................3
2. Network classifications...................................3
2.1 Remote systems.........................................3
3. Network to Network VPN scenarios..........................3
3.1 Scenario 1: A -> A.....................................4
3.2 Scenario 2: A -> B.....................................4
3.3 Scenario 3: A -> C.....................................4
3.4 Scenario 4: A -> D.....................................5
3.5 Scenario 5: B -> A.....................................5
3.6 Scenario 6: B -> B.....................................6
3.7 Scenario 7: B -> C.....................................6
3.8 Scenario 8: B -> D.....................................7
3.9 Scenario 9: C -> A.....................................7
3.10 Scenario 10: C -> B...................................8
3.11 Scenario 11: C -> C...................................8
3.12 Scenario 12: C -> D...................................9
3.13 Scenario 13: D -> A...................................9
3.14 Scenario 14: D -> B..................................10
3.15 Scenario 15: D -> C..................................11
3.16 Scenario 16: D -> D..................................11
4. Remote to Network VPN Scenarios..........................12
4.1 Scenario 1: R -> A....................................12
4.2 Scenario 2: R -> B....................................13
4.3 Scenario 3: R -> C....................................13
4.4 Scenario 4: R -> D....................................13
5. Security Considerations..................................14
6. References...............................................14
7. Acknowledgments..........................................14
8. Author's Addresses.......................................15
1. Introduction
This document this document looks into the need of performing
network address translation on IPsec gateways and remote
hosts.
It is assumed that the reader is familiar with the terms and
concepts described in the "Security Architecture for the
Internet Protocol" [Atkinson95] and "IP Encapsulating Security
Payload (ESP)" [Kent97] documents. The reader also needs to
be familiar with private addresses (rfc 1918), and Network
Address Translation.
R. Moskowitz [Page 2]
Internet Draft NAT issues with IPsec August 20, 1997
1.1 Specification of Requirements
The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD
NOT", and "MAY" that appear in this document are to be
interpreted as described in [Bradner97].
2. Network classifications
It is possible to group all networks into 4 classes. There
are:
A) Globally routable addresses (either from NIC or provider)
with default routing to single IPsec gateway.
B) Private addressing (RFC1918) internally, with default
routing to a single IPsec gateway.
C) Globally routable addresses (either from NIC or provider)
without default routing and single gateway, or with
multiple IPsec gateways (multiple gateways break
default routing).
D) Private addressing (RFC1918) internally, without default
routing and single gateway, or with multiple IPsec
gateways.
2.1 Remote systems
Remote systems will present their own issues. A remote system
might be independent of the network it wishes to communicate
with. It might be a ‘road warrior’, or off-site user from the
network. This distinction is important.
3. Network to Network VPN scenarios
The nature of the network types, in terms of addresses, makes
the network to network issues non-symmetric. That is a host
from an B network as the source system to host in a C network
is different from a C host to a B host. Thus all sixteen
combinations need to be examined. In all of the scenarios,
the network on the left is the source network and the one on
the right is the destination.
For brevity purposes, the following abbreviations are used in
this section:
SN Source Network
R. Moskowitz [Page 3]
Internet Draft NAT issues with IPsec August 20, 1997
DN Destination Network
AA Alternative Action
C Consideration
3.1 Scenario 1: A -> A
SN Policy on what destination addresses use what tunnel
endpoint.
(Optional) Policy on what source addresses are allowed
to tunnel.
Oakley Quick Mode ID MUST be the source address.
DN Policy on what source addresses are allowed in.
(Optional) refinement on what source addresses are
allowed to what host.
Oakley Quick Mode ID CAN be the tunnel endpoint
address.
3.2 Scenario 2: A -> B
SN Policy on what destination addresses use what tunnel
endpoint.
(Optional) Policy on what source addresses are allowed
to tunnel.
Oakley Quick Mode ID MUST be the source address.
DN Static mapping of internal server address to public
address.
Public DNS entry for above public address.
NAT for above mapping.
Policy on what source addresses are allowed in.
(Optional) refinement on what source addresses are
allowed to what host.
Oakley Quick Mode ID CAN be the tunnel endpoint
address.
3.3 Scenario 3: A -> C
SN Policy on what destination addresses use what tunnel
endpoint.
Note that different addresses in a network COULD
terminate at different gateways.
(Optional) Policy on what source addresses are allowed
to tunnel.
Oakley Quick Mode ID MUST be the source address.
R. Moskowitz [Page 4]
Internet Draft NAT issues with IPsec August 20, 1997
DN Pool of internal addresses available for dynamic
address mapping of inbound source address and
outbound destination address
Policy on what source addresses are allowed in.
(Optional) refinement on what source addresses are
allowed to what host.
Oakley Quick Mode ID SHOULD be the internal assigned
address.
3.4 Scenario 4: A -> D
SN Policy on what destination addresses use what tunnel
endpoint.
Note that different addresses in a network COULD
terminate at different gateways.
(Optional) Policy on what source addresses are allowed
to tunnel.
Oakley Quick Mode ID MUST be the source address.
DN Static mapping of internal server address to public
address.
Public DNS entry for above public address.
NAT for above mapping.
Pool of internal addresses available for dynamic
address mapping of inbound source address and
outbound destination address
Policy on what source addresses are allowed in.
(Optional) refinement on what source addresses are
allowed to what host.
Oakley Quick Mode ID SHOULD be the internal assigned
address.
3.5 Scenario 5: B -> A
SN Pool of external addresses available for dynamic
address mapping of outbound source address and
inbound destination address
Policy on what destination addresses use what tunnel
endpoint.
(Optional) Policy on what source addresses are allowed
to tunnel.
Oakley Quick Mode ID MUST be real source address.
DN Policy on what source addresses are allowed in.
R. Moskowitz [Page 5]
Internet Draft NAT issues with IPsec August 20, 1997
(Optional) refinement on what source addresses are
allowed to what host.
Oakley Quick Mode ID CAN be the tunnel endpoint
address.
3.6 Scenario 6: B -> B
SN Pool of external addresses available for dynamic
address mapping of outbound source address and
inbound destination address
Policy on what destination addresses use what tunnel
endpoint.
(Optional) Policy on what source addresses are allowed
to tunnel.
Oakley Quick Mode ID MUST be real source address.
DN Static mapping of internal server address to public
address.
Public DNS entry for above public address.
NAT for above mapping.
Policy on what source addresses are allowed in.
(Optional) refinement on what source addresses are
allowed to what host.
Oakley Quick Mode ID CAN be the tunnel endpoint
address.
3.7 Scenario 7: B -> C
SN Pool of external addresses available for dynamic
address mapping of outbound source address and
inbound destination address
Policy on what destination addresses use what tunnel
endpoint.
(Optional) Policy on what source addresses are allowed
to tunnel.
Oakley Quick Mode ID MUST be real source address.
DN Pool of internal addresses available for dynamic
address mapping of inbound source address and
outbound destination address
Policy on what source addresses are allowed in.
(Optional) refinement on what source addresses are
allowed to what host.
Oakley Quick Mode ID SHOULD be the internal assigned
address.
R. Moskowitz [Page 6]
Internet Draft NAT issues with IPsec August 20, 1997
AA The QM ID from the destination network can be used by
the source network as the source address for its
NAT. Then the destination gateway does not need to
do the NAT function.
3.8 Scenario 8: B -> D
SN Pool of external addresses available for dynamic
address mapping of outbound source address and
inbound destination address
Policy on what destination addresses use what tunnel
endpoint.
(Optional) Policy on what source addresses are allowed
to tunnel.
Oakley Quick Mode ID MUST be real source address.
DN Static mapping of internal server address to public
address.
Public DNS entry for above public address.
NAT for above mapping.
Pool of internal addresses available for dynamic
address mapping of inbound source address and
outbound destination address
Policy on what source addresses are allowed in.
(Optional) refinement on what source addresses are
allowed to what host.
Oakley Quick Mode ID SHOULD be the internal assigned
address.
3.9 Scenario 9: C -> A
SN Pool of internal addresses available for dynamic
address mapping of outbound destination address and
inbound source address
DNS mapping of destination address to internal address.
Policy on what destination addresses use what tunnel
endpoint.
(Optional) Policy on what source addresses are allowed
to tunnel.
Oakley Quick Mode ID MUST be source address.
DN Policy on what source addresses are allowed in.
(Optional) refinement on what source addresses are
allowed to what host.
R. Moskowitz [Page 7]
Robert Moskowitz
Chrysler Corporation
(810) 758-8212
Follow-Ups: