[Search] [txt|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00                                                            
Internet Engineering Task Force                           R. Moskowitz
Internet Draft                                    Chrysler Corporation
Expires in six months                                  August 22, 1997





          Network Address Translation issues with IPsec
           <draft-moskowitz-ipsec-vpn-nat-00.txt>



Status of this Memo

   This document is an Internet-Draft.  Internet Drafts are
   working documents of the Internet Engineering Task Force
   (IETF), its areas, and its working Groups. Note that other
   groups may also distribute working documents as Internet
   Drafts.

   Internet-Drafts draft documents are valid for a maximum of six
   months and may be updated, replaced, or obsolete by other
   documents at any time. It is inappropriate to use Internet-
   Drafts as reference material or to cite them other than as
   "work in progress."

   To learn the current status of any Internet-Draft, please
   check the "1id-abstracts.txt" listing contained in the
   Internet-Drafts Shadow Directories on ftp.is.co.za (Africa),
   nic.nordu.net (Europe), munnari.oz.au (Pacific Rim),
   ds.internic.net (US East Coast), or ftp.isi.edu (US West
   Coast).

   Distribution of this memo is unlimited.

Abstract

   This document looks at a number of issues surrounding the need
   for network address translation (NAT) when IPsec is used to
   create virtual private networks (NAT).  This document only
   looks at simple VPNs.  That is VPNs consisting of a single
   IPsec tunnel as compared to VPNs consisting of chained
   and/or nested IPsec tunnels and/or transports.







R. Moskowitz                                                  [Page 1]


Internet Draft          NAT issues with IPsec         August 24, 1997


Table of Contents

   1. Introduction..............................................2
     1.1 Specification of Requirements..........................3
   2. Network classifications...................................3
     2.1 Remote systems.........................................3
   3. Network to Network VPN scenarios..........................3
     3.1 Scenario 1: A -> A.....................................4
     3.2 Scenario 2: A -> B.....................................4
     3.3 Scenario 3: A -> C.....................................5
     3.4 Scenario 4: A -> D.....................................5
     3.5 Scenario 5: B -> A.....................................6
     3.6 Scenario 6: B -> B.....................................6
     3.7 Scenario 7: B -> C.....................................6
     3.8 Scenario 8: B -> D.....................................7
     3.9 Scenario 9: C -> A.....................................8
     3.10 Scenario 10: C -> B...................................8
     3.11 Scenario 11: C -> C...................................9
     3.12 Scenario 12: C -> D...................................9
     3.13 Scenario 13: D -> A..................................10
     3.14 Scenario 14: D -> B..................................10
     3.15 Scenario 15: D -> C..................................11
     3.16 Scenario 16: D -> D..................................11
   4. Remote to Network VPN Scenarios..........................12
     4.1 Scenario 1: R -> A....................................13
     4.2 Scenario 2: R -> B....................................13
     4.3 Scenario 3: R -> C....................................13
     4.4 Scenario 4: R -> D....................................14
   5. Security Considerations..................................14
   6. References...............................................14
   7. Acknowledgments..........................................15
   8. Author's Addresses.......................................15


1. Introduction

   This document looks into the need of performing network
   address translation on IPsec gateways and remote hosts.

   It is assumed that the reader is familiar with the terms and
   concepts described in the "Security Architecture for the
   Internet Protocol" [Atkinson97] and "IP Encapsulating Security
   Payload (ESP)" [Kent97] documents.  The reader also needs to
   be familiar with private addresses (rfc 1918), and Network
   Address Translation.





R. Moskowitz                                                  [Page 2]


Internet Draft          NAT issues with IPsec         August 24, 1997


1.1 Specification of Requirements

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD
   NOT", and "MAY" that appear in this document are to be
   interpreted as described in [Bradner97].


2. Network classifications

   It is possible to group all networks into 4 classes.  There
   are:

   A)  Globally routable addresses (either from NIC or provider)
          with default routing to single IPsec gateway.

   B)  Private addressing (RFC1918) internally, with default
          routing to a single IPsec gateway.

   C)  Globally routable addresses (either from NIC or provider)
          without default routing and single gateway, or with
          multiple IPsec gateways (multiple gateways break
          default routing).

   D)  Private addressing (RFC1918) internally, without default
          routing and single gateway, or with multiple IPsec
          gateways.


2.1 Remote systems

   Remote systems will present their own issues.  A remote system
   might be independent of the network it wishes to communicate
   with.  It might be a road warrior, or off-site user from the
   network.  This distinction is important.


3. Network to Network VPN scenarios

   The nature of the network types, in terms of addresses and DNS
   entries, makes the network to network issues non-symmetric.
   That is a host from an B network as the source system to host
   in a C network is different from a C host to a B host.  Thus
   all sixteen combinations need to be examined.  In all of the
   scenarios, the network on the left is the source network and
   the one on the right is the destination.

   Most networks will have to interact with all of the network
   types.  Secure Email communications is an example of a service
   that will cause this total interaction.  Thus, for example, a




R. Moskowitz                                                  [Page 3]


Internet Draft          NAT issues with IPsec         August 24, 1997


   type B network needs to be set up to handle destinations of A
   through D and be the destination from hosts of those networks.

   For brevity purposes, the following abbreviations are used in
   this section:

   SN          Source Network
   DN          Destination Network
   AA          Alternative Action
   C           Consideration



3.1 Scenario 1:               A -> A

   SN    Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be the source address.

   DN    Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.



3.2 Scenario 2:               A -> B

   SN    Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be the source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.





R. Moskowitz                                                  [Page 4]


Internet Draft          NAT issues with IPsec         August 24, 1997


3.3 Scenario 3:               A -> C

   SN    Policy on what destination addresses use what tunnel
             endpoint.
             Note that different addresses in a network COULD
             terminate at different gateways.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be the source address.

   DN    Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.



3.4 Scenario 4:               A -> D

   SN    Policy on what destination addresses use what tunnel
             endpoint.
             Note that different addresses in a network COULD
             terminate at different gateways.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be the source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.








R. Moskowitz                                                  [Page 5]


Internet Draft          NAT issues with IPsec         August 24, 1997


3.5 Scenario 5:               B -> A

   SN    Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be real source address.

   DN    Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.



3.6 Scenario 6:               B -> B

   SN    Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be real source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.



3.7 Scenario 7:               B -> C

   SN    Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.



R. Moskowitz                                                  [Page 6]


Internet Draft          NAT issues with IPsec         August 24, 1997


          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be real source address.

   DN    Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.

   AA    The QM ID from the destination network can be used by
             the source network as the source address for its
             NAT.  Then the destination gateway does not need to
             do the NAT function.



3.8 Scenario 8:               B -> D

   SN    Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be real source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.







R. Moskowitz                                                  [Page 7]


Internet Draft          NAT issues with IPsec         August 24, 1997


3.9 Scenario 9:               C -> A

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.



3.10 Scenario 10:             C -> B

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.

   C     The destination address from C to B gets mapped twice.
             There is no apparent way to get information the
             source gateway of the real address in B to simplify
             this.





R. Moskowitz                                                  [Page 8]


Internet Draft          NAT issues with IPsec         August 24, 1997


3.11 Scenario 11:             C -> C

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.



3.12 Scenario 12:             C -> D

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.




R. Moskowitz                                                  [Page 9]


Internet Draft          NAT issues with IPsec         August 24, 1997


   AA    The QM ID from the destination network can be used by
             the source network as the source address for its
             NAT.  Then the destination gateway does not need to
             do the NAT function.



3.13 Scenario 13:             D -> A

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.



3.14 Scenario 14:             D -> B

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.


R. Moskowitz                                                 [Page 10]


Internet Draft          NAT issues with IPsec         August 24, 1997


          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.

   C     The destination address from D to B gets mapped twice.
             There is no appearent way to get information the
             source gateway of the real address in B to simplify
             this.



3.15 Scenario 15:             D -> C

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.

   AA    The QM ID from the destination network can be used by
             the source network as the source address for its
             NAT.  Then the destination gateway does not need to
             do the NAT function.



3.16 Scenario 16:             D -> D

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address


R. Moskowitz                                                 [Page 11]


Internet Draft          NAT issues with IPsec         August 24, 1997


          DNS mapping of destination address to internal address.
          Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.

   AA    The QM ID from the destination network can be used by
             the source network as the source address for its
             NAT.  Then the destination gateway does not need to
             do the NAT function.




4. Remote to Network VPN Scenarios

   The remote system, for the most part, can be considered like a
   type A network.  There are a few caveats, making for some
   differences, as there is only one public address available to
   the remote system. The road warrior is mentioned as a variant
   of the remote system.  Thus there are four combinations to
   examine.

   For brevity purposes, the following abbreviations are used in
   this section:

   SN          Source Network
   DN          Destination Network
   RW          Road Warrior




R. Moskowitz                                                 [Page 12]


Internet Draft          NAT issues with IPsec         August 24, 1997


4.1 Scenario 1:               R -> A

   SN    Policy on what destination addresses use what tunnel
             endpoint.
          Oakley Quick Mode ID MUST be the source address.

   DN    (Optional) Policy on what source addresses are allowed
             in.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.


4.2 Scenario 2:               R -> B

   SN    Policy on what destination addresses use what tunnel
             endpoint.
          Oakley Quick Mode ID MUST be the source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          (Optional) Policy on what source addresses are allowed
             in.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.

   RW     DNS is the destination network's internal DNS.  Thus no
             external addresses are needed.


4.3 Scenario 3:               R -> C

   SN    Policy on what destination addresses use what tunnel
             endpoint.
             Note that different addresses in a network COULD=20
               terminate at different gateways.
          Oakley Quick Mode ID MUST be the source address.

   DN    Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          (Optional) Policy on what source addresses are allowed
             in.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.

   RW     DNS is the destination network's internal DNS.  The
             road warrior can use the address from the



R. Moskowitz                                                 [Page 13]


Internet Draft          NAT issues with IPsec         August 24, 1997


             destination network's QM ID as the source address,
             thus effecting the address translation.


4.4 Scenario 4:               R -> D

   SN    Policy on what destination addresses use what tunnel
             endpoint.
             Note that different addresses in a network COULD=20
               terminate at different gateways.
          Oakley Quick Mode ID MUST be the source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          (Optional) Policy on what source addresses are allowed
             in.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.

   RW    DNS is the destination network's internal DNS.  Thus no
             external addresses are needed.  The road warrior
             can use the address from the destination network's
             QM ID as the source address, thus effecting the
             address translation.



5. Security Considerations

   Network address translation, in conjunction with IPsec makes
   some large assumptions of trust.  Intermediate systems are
   changing IP addresses on behalf of other systems.  This is
   done, based on configurations set up, frequently be people in
   partnered organizations.  There is no apparent way to validate
   the validity of these changes.  Only when IPsec is used end to
   end might any address changes be validated.


6. References

   [Atkinson97] Kent, S., Atkinson, R., Security Architecture for
   the Internet Protocol", draft-ietf-ipsec-arch-sec-01.txt

   [Bradner97] Bradner, S., "Key words for use in RFCs to
   indicate Requirement Levels", RFC2119, March 1997


R. Moskowitz                                                 [Page 14]


Internet Draft          NAT issues with IPsec         August 24, 1997



   [Kent97] Kent, S., Atkinson, R., "IP Encapsulating Security
   Payload (ESP)", draft-ietf-ipsec-esp-v2-00.txt


7. Acknowledgments

   This document is based on discussions with Ran Atkinson,
   Naganand Doraswamy, Frank Kastenholz, Michael Richardson, and
   Rodney Thayer, along with a host of others at the IPsec
   workshops hosted by the Automotive Industry Action Group
   (AIAG).



8. Author's Addresses

     Robert Moskowitz
     rgm@chrysler.com
     Chrysler Corporation































R. Moskowitz                                                 [Page 15]