Independent Submission P. Srisuresh
Request for Comments: 5684 EMC Corporation
Category: Informational B. Ford
ISSN: 2070-1721 Yale University
February 2010
Unintended Consequences of NAT Deployments
with Overlapping Address Space
Abstract
This document identifies two deployment scenarios that have arisen
from the unconventional network topologies formed using Network
Address Translator (NAT) devices. First, the simplicity of
administering networks through the combination of NAT and DHCP has
increasingly lead to the deployment of multi-level inter-connected
private networks involving overlapping private IP address spaces.
Second, the proliferation of private networks in enterprises, hotels
and conferences, and the wide-spread use of Virtual Private Networks
(VPNs) to access an enterprise intranet from remote locations has
increasingly lead to overlapping private IP address space between
remote and corporate networks. This document does not dismiss these
unconventional scenarios as invalid, but recognizes them as real and
offers recommendations to help ensure these deployments can
function without a meltdown.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any
other RFC stream. The RFC Editor has chosen to publish this
document at its discretion and makes no statement about its value
for implementation or deployment. Documents approved for
publication by the RFC Editor are not a candidate for any level of
Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5684.
Srisuresh & Ford Informational [Page 1]
RFC 5684 Complications from NAT Deployments February 2010
Copyright
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http:trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction and Scope ..........................................3
2. Terminology and Conventions Used ................................4
3. Multi-Level NAT Network Topologies ..............................4
3.1. Operational Details of the Multi-Level NAT Network .........6
3.1.1. Client/Server Communication .........................7
3.1.2. Peer-to-Peer Communication ..........................7
3.2. Anomalies of the Multi-Level NAT Network ...................8
3.2.1. Plug-and-Play NAT Devices ..........................10
3.2.2. Unconventional Addressing on NAT Devices ...........11
3.2.3. Multi-Level NAT Translations .......................12
3.2.4. Mistaken End Host Identity .........................13
4. Remote Access VPN Network Topologies ...........................14
4.1. Operational Details of the Remote Access VPN Network ......17
4.2. Anomalies of the Remote Access VPNs .......................18
4.2.1. Remote Router and DHCP Server Address Conflict .....18
4.2.2. Simultaneous Connectivity Conflict .................20
4.2.3. VIP Address Conflict ...............................21
4.2.4. Mistaken End Host Identity .........................22
5. Summary of Recommendations .....................................22
6. Security Considerations ........................................24
7. Acknowledgements ...............................................24
8. References .....................................................25
8.1. Normative References ......................................25
8.2. Informative References ....................................25
Srisuresh & Ford Informational [Page 2]
RFC 5684 Complications from NAT Deployments February 2010
1. Introduction and Scope
The Internet was originally designed to use a single, global 32-bit
IP address space to uniquely identify hosts on the network, allowing
datatracker.ietf.org