
IPsec VPN and NAT - again



I apologise to those not interested on this list for this posting.  The
FTP server that we had for such things seems to be down, maybe permanently.

Here is my first cut at cutting together a number of writings into an ID on
IPsec VPNs and NAT.  It addresses only simple IPsec tunnels (gateways and
remotes).  Advanced IPsec tunnels (chained and/or nested with host
participation) will require more thought.

Please read and comment in general (or detail!).  I will get this off
Friday morning with whatever changes make sense to the ID address....





     Internet Engineering Task Force                           R. Moskowitz
     Internet Draft                                    Chrysler Corporation
     Expires in six months                                  August 19, 1997





               Network Address Translation issues with IPsec
                <draft-ietf-moskowitz-ipsec-vpn-nat-00.doc>



     Status of this Memo

        This document is an Internet-Draft.  Internet Drafts are
        working documents of the Internet Engineering Task Force
        (IETF), its areas, and its working Groups. Note that other
        groups may also distribute working documents as Internet
        Drafts.

        Internet-Drafts are draft documents valid for a maximum of six
        months and may be updated, replaced, or obsoleted by other
        documents at any time.  It is inappropriate to use Internet-
        Drafts as reference material or to cite them other than as
        "work in progress."

        To learn the current status of any Internet-Draft, please
        check the "1id-abstracts.txt" listing contained in the
        Internet-Drafts Shadow Directories on ftp.is.co.za (Africa),
        nic.nordu.net (Europe), munnari.oz.au (Pacific Rim),
        ds.internic.net (US East Coast), or ftp.isi.edu (US West
        Coast).

        Distribution of this memo is unlimited.

     Abstract

        This document looks at a number of issues surrounding the need
        for network address translation (NAT) when IPsec is used to
        create virtual private networks (VPNs).  This document only
        looks at simple VPNs, that is, VPNs consisting of a single
        IPsec tunnel, as compared to VPNs consisting of 'chained'
        and/or 'nested' IPsec tunnels and/or transports.







     R. Moskowitz                                                  [Page 1]



     Internet Draft          NAT issues with IPsec         August 20, 1997


     Table of Contents

        1. Introduction..............................................2
          1.1 Specification of Requirements..........................2
        2. Network classifications...................................3
          2.1 Remote systems.........................................3
        3. Network to Network VPN scenarios..........................3
          3.1 Scenario 1: A -> A.....................................4
          3.2 Scenario 2: A -> B.....................................4
          3.3 Scenario 3: A -> C.....................................4
          3.4 Scenario 4: A -> D.....................................5
          3.5 Scenario 5: B -> A.....................................5
          3.6 Scenario 6: B -> B.....................................6
          3.7 Scenario 7: B -> C.....................................6
          3.8 Scenario 8: B -> D.....................................7
          3.9 Scenario 9: C -> A.....................................7
          3.10 Scenario 10: C -> B...................................8
          3.11 Scenario 11: C -> C...................................8
          3.12 Scenario 12: C -> D...................................9
          3.13 Scenario 13: D -> A...................................9
          3.14 Scenario 14: D -> B..................................10
          3.15 Scenario 15: D -> C..................................10
          3.16 Scenario 16: D -> D..................................11
        4. Remote to Network VPN Scenarios..........................12
          4.1 Scenario 1: R -> A....................................12
          4.2 Scenario 2: R -> B....................................12
          4.3 Scenario 3: R -> C....................................13
          4.4 Scenario 4: R -> D....................................13
        5. Security Considerations..................................14
        6. References...............................................14
        7. Acknowledgments..........................................14
        8. Author's Addresses.......................................15


     1. Introduction

        This document looks into the need for performing network
        address translation on IPsec gateways and remote hosts.

        It is assumed that the reader is familiar with the terms and
        concepts described in the "Security Architecture for the
        Internet Protocol" [Atkinson95] and "IP Encapsulating Security
        Payload (ESP)" [Kent97] documents.  The reader also needs to
        be familiar with private addresses (RFC 1918) and Network
        Address Translation.



     1.1 Specification of Requirements

        The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD
        NOT", and "MAY" that appear in this document are to be
        interpreted as described in [Bradner97].


     2. Network classifications

        It is possible to group all networks into 4 classes.  These
        are:

        A)  Globally routable addresses (either from NIC or provider)
               with default routing to single IPsec gateway.

        B)  Private addressing (RFC1918) internally, with default
               routing to a single IPsec gateway.

        C)  Globally routable addresses (either from NIC or provider)
               without default routing and single gateway, or with
               multiple IPsec gateways (multiple gateways break
               default routing).

        D)  Private addressing (RFC1918) internally, without default
               routing and single gateway, or with multiple IPsec
               gateways.


     2.1 Remote systems

        Remote systems will present their own issues.  A remote system
        might be independent of the network it wishes to communicate
        with.  It might be a ‘road warrior’, or off-site user from the
        network.  This distinction is important.


     3. Network to Network VPN scenarios

        The nature of the network types, in terms of addresses, makes
        the network to network issues non-symmetric.  That is, a host
        in a B network as the source system talking to a host in a C
        network is a different case from a C host talking to a B host.
        Thus all sixteen combinations need to be examined.  In all of
        the scenarios, the network on the left is the source network
        and the one on the right is the destination.

        For brevity purposes, the following abbreviations are used in
        this section:

        SN          Source Network
        DN          Destination Network
        AA          Alternative Action
        C           Consideration


     3.1 Scenario 1:               A -> A

        SN    Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be the source address.

        DN    Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID CAN be the tunnel endpoint
                  address.



     3.2 Scenario 2:               A -> B

        SN    Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be the source address.

        DN    Static mapping of internal server address to public
                  address.
               Public DNS entry for above public address.
               NAT for above mapping.
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID CAN be the tunnel endpoint
                  address.



     3.3 Scenario 3:               A -> C

        SN    Policy on what destination addresses use what tunnel
                  endpoint.
                  Note that different addresses in a network COULD
                  terminate at different gateways.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be the source address.

        DN    Pool of internal addresses available for dynamic
                  address mapping of inbound source address and
                  outbound destination address
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID SHOULD be the internal assigned
                  address.



     3.4 Scenario 4:               A -> D

        SN    Policy on what destination addresses use what tunnel
                  endpoint.
                  Note that different addresses in a network COULD
                  terminate at different gateways.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be the source address.

        DN    Static mapping of internal server address to public
                  address.
               Public DNS entry for above public address.
               NAT for above mapping.
               Pool of internal addresses available for dynamic
                  address mapping of inbound source address and
                  outbound destination address
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID SHOULD be the internal assigned
                  address.



     3.5 Scenario 5:               B -> A

        SN    Pool of external addresses available for dynamic
                  address mapping of outbound source address and
                  inbound destination address
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be real source address.

        DN    Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID CAN be the tunnel endpoint
                  address.



     3.6 Scenario 6:               B -> B

        SN    Pool of external addresses available for dynamic
                  address mapping of outbound source address and
                  inbound destination address
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be real source address.

        DN    Static mapping of internal server address to public
                  address.
               Public DNS entry for above public address.
               NAT for above mapping.
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID CAN be the tunnel endpoint
                  address.



     3.7 Scenario 7:               B -> C

        SN    Pool of external addresses available for dynamic
                  address mapping of outbound source address and
                  inbound destination address
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be real source address.

        DN    Pool of internal addresses available for dynamic
                  address mapping of inbound source address and
                  outbound destination address
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID SHOULD be the internal assigned
                  address.

        AA    The QM ID from the destination network can be used by
                  the source network as the source address for its
                  NAT.  Then the destination gateway does not need to
                  do the NAT function.



     3.8 Scenario 8:               B -> D

        SN    Pool of external addresses available for dynamic
                  address mapping of outbound source address and
                  inbound destination address
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be real source address.

        DN    Static mapping of internal server address to public
                  address.
               Public DNS entry for above public address.
               NAT for above mapping.
               Pool of internal addresses available for dynamic
                  address mapping of inbound source address and
                  outbound destination address
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID SHOULD be the internal assigned
                  address.



     3.9 Scenario 9:               C -> A

        SN    Pool of internal addresses available for dynamic
                  address mapping of outbound destination address and
                  inbound source address
               DNS mapping of destination address to internal address.
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be source address.

        DN    Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID CAN be the tunnel endpoint
                  address.



     3.10 Scenario 10:             C -> B

        SN    Pool of internal addresses available for dynamic
                  address mapping of outbound destination address and
                  inbound source address
               DNS mapping of destination address to internal address.
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be source address.

        DN    Static mapping of internal server address to public
                  address.
               Public DNS entry for above public address.
               NAT for above mapping.
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID CAN be the tunnel endpoint
                  address.

        C     The destination address from C to B gets mapped twice.
                  There is no apparent way to get information about
                  the real address in B to the source gateway to
                  simplify this.



     3.11 Scenario 11:             C -> C

        SN    Pool of internal addresses available for dynamic
                  address mapping of outbound destination address and
                  inbound source address
               DNS mapping of destination address to internal address.
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be source address.

        DN    Pool of internal addresses available for dynamic
                  address mapping of inbound source address and
                  outbound destination address
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID SHOULD be the internal assigned
                  address.



     3.12 Scenario 12:             C -> D

        SN    Pool of internal addresses available for dynamic
                  address mapping of outbound destination address and
                  inbound source address
               DNS mapping of destination address to internal address.
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be source address.

        DN    Static mapping of internal server address to public
                  address.
               Public DNS entry for above public address.
               NAT for above mapping.
               Pool of internal addresses available for dynamic
                  address mapping of inbound source address and
                  outbound destination address
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID SHOULD be the internal assigned
                  address.

        AA    The QM ID from the destination network can be used by
                  the source network as the source address for its
                  NAT.  Then the destination gateway does not need to
                  do the NAT function.



     3.13 Scenario 13:             D -> A

        SN    Pool of internal addresses available for dynamic
                  address mapping of outbound destination address and
                  inbound source address
               DNS mapping of destination address to internal address.
               Pool of external addresses available for dynamic
                  address mapping of outbound source address and
                  inbound destination address
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be source address.

        DN    Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID CAN be the tunnel endpoint
                  address.



     3.14 Scenario 14:             D -> B

        SN    Pool of internal addresses available for dynamic
                  address mapping of outbound destination address and
                  inbound source address
               DNS mapping of destination address to internal address.
               Pool of external addresses available for dynamic
                  address mapping of outbound source address and
                  inbound destination address
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be source address.

        DN    Static mapping of internal server address to public
                  address.
               Public DNS entry for above public address.
               NAT for above mapping.
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID CAN be the tunnel endpoint
                  address.

        C     The destination address from D to B gets mapped twice.
                  There is no apparent way to get information about
                  the real address in B to the source gateway to
                  simplify this.


     3.15 Scenario 15:             D -> C

        SN    Pool of internal addresses available for dynamic
                  address mapping of outbound destination address and
                  inbound source address
               DNS mapping of destination address to internal address.
               Pool of external addresses available for dynamic
                  address mapping of outbound source address and
                  inbound destination address
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be source address.

        DN    Pool of internal addresses available for dynamic
                  address mapping of inbound source address and
                  outbound destination address
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID SHOULD be the internal assigned
                  address.

        AA    The QM ID from the destination network can be used by
                  the source network as the source address for its
                  NAT.  Then the destination gateway does not need to
                  do the NAT function.



     3.16 Scenario 16:             D -> D

        SN    Pool of internal addresses available for dynamic
                  address mapping of outbound destination address and
                  inbound source address
               DNS mapping of destination address to internal address.
               Pool of external addresses available for dynamic
                  address mapping of outbound source address and
                  inbound destination address
               Policy on what destination addresses use what tunnel
                  endpoint.
               (Optional) Policy on what source addresses are allowed
                  to tunnel.
               Oakley Quick Mode ID MUST be source address.

        DN    Static mapping of internal server address to public
                  address.
               Public DNS entry for above public address.
               NAT for above mapping.
               Pool of internal addresses available for dynamic
                  address mapping of inbound source address and
                  outbound destination address
               Policy on what source addresses are allowed in.
               (Optional) refinement on what source addresses are
                  allowed to what host.
               Oakley Quick Mode ID SHOULD be the internal assigned
                  address.

        AA    The QM ID from the destination network can be used by
                  the source network as the source address for its
                  NAT.  Then the destination gateway does not need to
                  do the NAT function.




     4. Remote to Network VPN Scenarios

        The remote system, for the most part, can be considered like a
        type A network.  There are a few caveats, making for some
        differences, as there is only one public address available to
        the remote system. The road warrior is mentioned as a variant
        of the remote system.  Thus there are four combinations to
        examine.

        For brevity purposes, the following abbreviations are used in
        this section:

        SN          Source Network
        DN          Destination Network
        RW          Road Warrior


     4.1 Scenario 1:               R -> A

        SN    Policy on what destination addresses use what tunnel
                  endpoint.
               Oakley Quick Mode ID MUST be the source address.

        DN    (Optional) Policy on what source addresses are allowed
                  in.
               Oakley Quick Mode ID CAN be the tunnel endpoint
                  address.


     4.2 Scenario 2:               R -> B

        SN    Policy on what destination addresses use what tunnel
                  endpoint.
               Oakley Quick Mode ID MUST be the source address.

        DN    Static mapping of internal server address to public
                  address.
               Public DNS entry for above public address.
               NAT for above mapping.
               (Optional) Policy on what source addresses are allowed
                  in.
               Oakley Quick Mode ID CAN be the tunnel endpoint
                  address.

        RW     DNS is the destination network's internal DNS.  Thus no
                  external addresses are needed.


     4.3 Scenario 3:               R -> C

        SN    Policy on what destination addresses use what tunnel
                  endpoint.
                  Note that different addresses in a network COULD
                  terminate at different gateways.
               Oakley Quick Mode ID MUST be the source address.

        DN    Pool of internal addresses available for dynamic
                  address mapping of inbound source address and
                  outbound destination address
               (Optional) Policy on what source addresses are allowed
                  in.
               Oakley Quick Mode ID SHOULD be the internal assigned
                  address.

        RW     DNS is the destination network's internal DNS.  The
                  road warrior can use the address from the
                  destination network's QM ID as the source address,
                  thus effecting the address translation.


     4.4 Scenario 4:               R -> D

        SN    Policy on what destination addresses use what tunnel
                  endpoint.
                  Note that different addresses in a network COULD
                  terminate at different gateways.
               Oakley Quick Mode ID MUST be the source address.

        DN    Static mapping of internal server address to public
                  address.
               Public DNS entry for above public address.
               NAT for above mapping.
               Pool of internal addresses available for dynamic
                  address mapping of inbound source address and
                  outbound destination address
               (Optional) Policy on what source addresses are allowed
                  in.
               Oakley Quick Mode ID SHOULD be the internal assigned
                  address.

        RW    DNS is the destination network's internal DNS.  Thus no
                  external addresses are needed.  The road warrior
                  can use the address from the destination network's
                  QM ID as the source address, thus effecting the
                  address translation.



     5. Security Considerations

        Network address translation, in conjunction with IPsec, makes
        some large assumptions of trust.  Intermediate systems are
        changing IP addresses on behalf of other systems.  This is
        done based on configurations that are frequently set up by
        people in partnered organizations.  There is no apparent way
        to verify the validity of these changes.  Only when IPsec is
        used end to end might any address changes be validated.


     6. References

        [Atkinson95] Atkinson, R., "Security Architecture for the
        Internet Protocol", draft-ietf-ipsec-arch-sec-01

        [Bradner97] Bradner, S., "Key words for use in RFCs to
        indicate Requirement Levels", RFC2119, March 1997

        [Kent97] Kent, S., Atkinson, R., "IP Encapsulating Security
        Payload (ESP)", draft-ietf-ipsec-new-esp-01


     7. Acknowledgments

        This document is based on discussions with Ran Atkinson,
        Naganand Doraswamy, Frank Kastenholz, Michael Richardson, and
        Rodney Thayer, along with a host of others at the IPsec
        workshops hosted by the Automotive Industry Action Group
        (AIAG).

     8. Author's Addresses

          Robert Moskowitz
          rgm@chrysler.com
          Chrysler Corporation

Robert Moskowitz
Chrysler Corporation
(810) 758-8212