Internet Engineering Task Force                           R. Moskowitz
Internet Draft                                    Chrysler Corporation
Expires in six months                                  August 22, 1997





          Network Address Translation issues with IPsec
           <draft-moskowitz-ipsec-vpn-nat-00.txt>



Status of this Memo

   This document is an Internet-Draft.  Internet Drafts are
   working documents of the Internet Engineering Task Force
   (IETF), its areas, and its working Groups. Note that other
   groups may also distribute working documents as Internet
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet-
   Drafts as reference material or to cite them other than as
   "work in progress."

   To learn the current status of any Internet-Draft, please
   check the "1id-abstracts.txt" listing contained in the
   Internet-Drafts Shadow Directories on ftp.is.co.za (Africa),
   nic.nordu.net (Europe), munnari.oz.au (Pacific Rim),
   ds.internic.net (US East Coast), or ftp.isi.edu (US West
   Coast).

   Distribution of this memo is unlimited.

Abstract

   This document looks at a number of issues surrounding the need
   for network address translation (NAT) when IPsec is used to
   create virtual private networks (VPNs).  This document only
   looks at simple VPNs, that is, VPNs consisting of a single
   IPsec tunnel, as compared to VPNs consisting of chained
   and/or nested IPsec tunnels and/or transports.







R. Moskowitz                                                  [Page 1]


Internet Draft          NAT issues with IPsec         August 24, 1997


Table of Contents

   1. Introduction..............................................2
     1.1 Specification of Requirements..........................3
   2. Network classifications...................................3
     2.1 Remote systems.........................................3
   3. Network to Network VPN scenarios..........................3
     3.1 Scenario 1: A -> A.....................................4
     3.2 Scenario 2: A -> B.....................................4
     3.3 Scenario 3: A -> C.....................................5
     3.4 Scenario 4: A -> D.....................................5
     3.5 Scenario 5: B -> A.....................................6
     3.6 Scenario 6: B -> B.....................................6
     3.7 Scenario 7: B -> C.....................................6
     3.8 Scenario 8: B -> D.....................................7
     3.9 Scenario 9: C -> A.....................................8
     3.10 Scenario 10: C -> B...................................8
     3.11 Scenario 11: C -> C...................................9
     3.12 Scenario 12: C -> D...................................9
     3.13 Scenario 13: D -> A..................................10
     3.14 Scenario 14: D -> B..................................10
     3.15 Scenario 15: D -> C..................................11
     3.16 Scenario 16: D -> D..................................11
   4. Remote to Network VPN Scenarios..........................12
     4.1 Scenario 1: R -> A....................................13
     4.2 Scenario 2: R -> B....................................13
     4.3 Scenario 3: R -> C....................................13
     4.4 Scenario 4: R -> D....................................14
   5. Security Considerations..................................14
   6. References...............................................14
   7. Acknowledgments..........................................15
   8. Author's Addresses.......................................15


1. Introduction

   This document looks into the need for performing network
   address translation on IPsec gateways and remote hosts.

   It is assumed that the reader is familiar with the terms and
   concepts described in the "Security Architecture for the
   Internet Protocol" [Atkinson97] and "IP Encapsulating Security
   Payload (ESP)" [Kent97] documents.  The reader also needs to
   be familiar with private addresses (RFC 1918) and network
   address translation.


1.1 Specification of Requirements

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD
   NOT", and "MAY" that appear in this document are to be
   interpreted as described in [Bradner97].


2. Network classifications

   It is possible to group all networks into four classes.  They
   are:

   A)  Globally routable addresses (either from NIC or provider)
          with default routing to single IPsec gateway.

   B)  Private addressing (RFC1918) internally, with default
          routing to a single IPsec gateway.

   C)  Globally routable addresses (either from NIC or provider)
          without default routing and single gateway, or with
          multiple IPsec gateways (multiple gateways break
          default routing).

   D)  Private addressing (RFC1918) internally, without default
          routing and single gateway, or with multiple IPsec
          gateways.


2.1 Remote systems

   Remote systems present their own issues.  A remote system
   might be independent of the network it wishes to communicate
   with, or it might be a road warrior or off-site user
   belonging to that network.  This distinction is important.


3. Network to Network VPN scenarios

   The nature of the network types, in terms of addresses and DNS
   entries, makes the network to network issues non-symmetric.
   That is, a host in a B network acting as the source system to
   a host in a C network is a different case from a C host to a
   B host.  Thus all sixteen combinations need to be examined.
   In all of the scenarios, the network on the left is the source
   network and the one on the right is the destination.

   Most networks will have to interact with all of the network
   types.  Secure e-mail is an example of a service that will
   cause this total interaction.  Thus, for example, a
   type B network needs to be set up to handle destinations of A
   through D and be the destination from hosts of those networks.

   For brevity, the following abbreviations are used in this
   section:

   SN          Source Network
   DN          Destination Network
   AA          Alternative Action
   C           Consideration



3.1 Scenario 1:               A -> A

   SN    Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be the source address.

   DN    Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.



3.2 Scenario 2:               A -> B

   SN    Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be the source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.


3.3 Scenario 3:               A -> C

   SN    Policy on what destination addresses use what tunnel
             endpoint.
             Note that different addresses in a network COULD
             terminate at different gateways.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be the source address.

   DN    Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.



3.4 Scenario 4:               A -> D

   SN    Policy on what destination addresses use what tunnel
             endpoint.
             Note that different addresses in a network COULD
             terminate at different gateways.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be the source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.


3.5 Scenario 5:               B -> A

   SN    Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be real source address.

   DN    Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.



3.6 Scenario 6:               B -> B

   SN    Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be real source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.



3.7 Scenario 7:               B -> C

   SN    Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be real source address.

   DN    Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.

   AA    The QM ID from the destination network can be used by
             the source network as the source address for its
             NAT.  Then the destination gateway does not need to
             do the NAT function.



3.8 Scenario 8:               B -> D

   SN    Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be real source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.


3.9 Scenario 9:               C -> A

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.



3.10 Scenario 10:             C -> B

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.

   C     The destination address from C to B gets mapped twice:
             once by the source gateway (into its internal pool)
             and once by the destination gateway (public address
             to internal server).  There is no apparent way to
             inform the source gateway of the real address in B
             so that it could map directly to it.
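
   The two-gateway translations behind scenario 7's alternative
   action (B -> C) and scenario 10's consideration (C -> B), traced
   in code.  This is an added example and is not part of the draft:
   the gateway model, the pool sizes and the addresses (documentation
   ranges on the public side, RFC 1918 on the private side) are
   constructed for illustration.  The same alternative action recurs
   in scenarios 12, 15 and 16 and in the road-warrior notes of
   section 4.

```python
"""Trace of the address rewrites done by the two IPsec gateways in the
network-to-network scenarios.  Added example, not code from the draft:
gateway behaviour, addresses and pool sizes are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Tuple

Hop = Tuple[str, str, str]  # (where, source address, destination address)


@dataclass
class Gateway:
    """IPsec gateway that also translates addresses on the tunnel boundary."""
    name: str
    static: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)   # real -> mapped
    pool: List[IPv4Address] = field(default_factory=list)                  # free mapped addresses
    dynamic: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)  # real -> mapped

    def to_mapped(self, real: IPv4Address) -> IPv4Address:
        """Real -> mapped address, allocating from the pool on first sight."""
        if real in self.static:
            return self.static[real]
        if real not in self.dynamic:
            if not self.pool:
                raise RuntimeError(f"{self.name}: address pool exhausted")
            self.dynamic[real] = self.pool.pop(0)
        return self.dynamic[real]

    def to_real(self, mapped: IPv4Address) -> IPv4Address:
        """Mapped -> real address (the same mapping, reverse direction)."""
        for real, m in list(self.static.items()) + list(self.dynamic.items()):
            if m == mapped:
                return real
        raise KeyError(f"{self.name}: no mapping for {mapped}")


def trace_c_to_b() -> List[Hop]:
    """Scenario 10 (C -> B): the destination address is rewritten twice."""
    c_gw = Gateway("C-gw", pool=[ip_address("198.51.100.200")])          # C's internal pool
    b_gw = Gateway("B-gw", static={ip_address("10.1.0.5"): ip_address("203.0.113.5")})
    host = ip_address("198.51.100.7")          # type C: globally routable, no default route
    server_public = ip_address("203.0.113.5")  # B server's public DNS entry
    # C's DNS answers with a pool address so the host's route leads to C-gw.
    server_local = c_gw.to_mapped(server_public)
    trace = [("host sends", str(host), str(server_local))]
    dst = c_gw.to_real(server_local)           # first rewrite, then into the tunnel
    trace.append(("C-gw tunnels", str(host), str(dst)))
    dst = b_gw.to_real(dst)                    # second rewrite: B's static mapping
    trace.append(("B-gw delivers", str(host), str(dst)))
    return trace


def trace_b_to_c(use_qm_id: bool) -> List[Hop]:
    """Scenario 7 (B -> C).  Plain: both gateways rewrite the source address.
    Alternative action: B-gw translates straight to the address C-gw offered
    as its Quick Mode ID, so C-gw has nothing left to translate."""
    b_gw = Gateway("B-gw", pool=[ip_address("203.0.113.64")])    # B's external pool
    c_gw = Gateway("C-gw", pool=[ip_address("198.51.100.201")])  # C's internal pool
    host = ip_address("10.1.0.9")              # type B: RFC 1918 inside
    server = ip_address("198.51.100.50")
    trace = [("host sends", str(host), str(server))]
    if use_qm_id:
        qm_id = c_gw.pool.pop(0)               # C-gw's QM ID: the internal address it assigns
        b_gw.static[host] = qm_id              # B-gw adopts it as the translated source
    src = b_gw.to_mapped(host)
    trace.append(("B-gw tunnels", str(src), str(server)))
    if not use_qm_id:
        src = c_gw.to_mapped(src)              # C-gw maps the inbound source into its pool
    trace.append(("C-gw delivers", str(src), str(server)))
    return trace


def rewrites(trace: List[Hop], field_index: int) -> int:
    """How many hops changed the given field (1 = source, 2 = destination)."""
    return sum(1 for a, b in zip(trace, trace[1:]) if a[field_index] != b[field_index])


if __name__ == "__main__":
    for label, tr in (("C -> B", trace_c_to_b()),
                      ("B -> C", trace_b_to_c(False)),
                      ("B -> C, alternative action", trace_b_to_c(True))):
        print(label)
        for where, s, d in tr:
            print(f"  {where:14} {s:>15} -> {d}")
```

   Running the module prints all three traces.  The C -> B trace
   shows the destination rewritten at each gateway, with C-gw never
   learning 10.1.0.5; the B -> C trace with use_qm_id=True shows how
   letting B-gw translate directly to the address C-gw announced as
   its Quick Mode ID removes the second rewrite.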


3.11 Scenario 11:             C -> C

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.



3.12 Scenario 12:             C -> D

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.

   AA    The QM ID from the destination network can be used by
             the source network as the source address for its
             NAT.  Then the destination gateway does not need to
             do the NAT function.



3.13 Scenario 13:             D -> A

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.



3.14 Scenario 14:             D -> B

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.

   C     The destination address from D to B gets mapped twice:
             once by the source gateway (into its internal pool)
             and once by the destination gateway (public address
             to internal server).  There is no apparent way to
             inform the source gateway of the real address in B
             so that it could map directly to it.



3.15 Scenario 15:             D -> C

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.

   AA    The QM ID from the destination network can be used by
             the source network as the source address for its
             NAT.  Then the destination gateway does not need to
             do the NAT function.



3.16 Scenario 16:             D -> D

   SN    Pool of internal addresses available for dynamic
             address mapping of outbound destination address and
             inbound source address
          DNS mapping of destination address to internal address.
          Pool of external addresses available for dynamic
             address mapping of outbound source address and
             inbound destination address
          Policy on what destination addresses use what tunnel
             endpoint.
          (Optional) Policy on what source addresses are allowed
             to tunnel.
          Oakley Quick Mode ID MUST be source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          Policy on what source addresses are allowed in.
          (Optional) refinement on what source addresses are
             allowed to what host.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.

   AA    The QM ID from the destination network can be used by
             the source network as the source address for its
             NAT.  Then the destination gateway does not need to
             do the NAT function.




4. Remote to Network VPN Scenarios

   The remote system, for the most part, can be treated like a
   type A network.  There are a few caveats that make for some
   differences, since only one public address is available to
   the remote system.  The road warrior is mentioned as a variant
   of the remote system.  Thus there are four combinations to
   examine.

   For brevity, the following abbreviations are used in this
   section:

   SN          Source Network
   DN          Destination Network
   RW          Road Warrior


4.1 Scenario 1:               R -> A

   SN    Policy on what destination addresses use what tunnel
             endpoint.
          Oakley Quick Mode ID MUST be the source address.

   DN    (Optional) Policy on what source addresses are allowed
             in.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.


4.2 Scenario 2:               R -> B

   SN    Policy on what destination addresses use what tunnel
             endpoint.
          Oakley Quick Mode ID MUST be the source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          (Optional) Policy on what source addresses are allowed
             in.
          Oakley Quick Mode ID CAN be the tunnel endpoint
             address.

   RW    DNS is the destination network's internal DNS.  Thus no
             external addresses are needed.


4.3 Scenario 3:               R -> C

   SN    Policy on what destination addresses use what tunnel
             endpoint.
             Note that different addresses in a network COULD
             terminate at different gateways.
          Oakley Quick Mode ID MUST be the source address.

   DN    Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          (Optional) Policy on what source addresses are allowed
             in.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.

   RW    DNS is the destination network's internal DNS.  The
             road warrior can use the address from the
             destination network's QM ID as the source address,
             thus effecting the address translation.


4.4 Scenario 4:               R -> D

   SN    Policy on what destination addresses use what tunnel
             endpoint.
             Note that different addresses in a network COULD
             terminate at different gateways.
          Oakley Quick Mode ID MUST be the source address.

   DN    Static mapping of internal server address to public
             address.
          Public DNS entry for above public address.
          NAT for above mapping.
          Pool of internal addresses available for dynamic
             address mapping of inbound source address and
             outbound destination address
          (Optional) Policy on what source addresses are allowed
             in.
          Oakley Quick Mode ID SHOULD be the internal assigned
             address.

   RW    DNS is the destination network's internal DNS.  Thus no
             external addresses are needed.  The road warrior
             can use the address from the destination network's
             QM ID as the source address, thus effecting the
             address translation.



5. Security Considerations

   Network address translation in conjunction with IPsec makes
   some large assumptions of trust.  Intermediate systems are
   changing IP addresses on behalf of other systems.  This is
   done based on configurations that are frequently set up by
   people in partnered organizations.  There is no apparent way
   to verify that these changes are legitimate.  Only when IPsec
   is used end to end might any address changes be validated.
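
   The trust assumption above, made concrete.  This is an added
   example and not part of the draft: an HMAC-SHA256 over a
   simplified (source, destination, payload) header stands in for
   an IPsec integrity check that covers the addresses, as AH does;
   real AH/ESP coverage, formats and keying differ.  The keys, the
   addresses and the mappings (a scenario 6, B -> B, arrangement)
   are constructed.

```python
"""Why NAT on the tunnel boundary rests on trusting the gateways.
Added example, not from the draft: HMAC over a simplified header stands
in for an IPsec integrity check; keys, addresses and mappings are
constructed."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def protect(key: bytes, pkt: Packet) -> bytes:
    """Integrity tag over both addresses and the payload."""
    covered = f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def verify(key: bytes, pkt: Packet, tag: bytes) -> bool:
    return hmac.compare_digest(protect(key, pkt), tag)


def translate(pkt: Packet, src_map: Dict[str, str], dst_map: Dict[str, str]) -> Packet:
    """A gateway's NAT step: rewrite whichever addresses it has mappings for."""
    return replace(pkt, src=src_map.get(pkt.src, pkt.src), dst=dst_map.get(pkt.dst, pkt.dst))


# Constructed keys: one shared by the two hosts, one shared by the two gateways.
HOST_KEY = b"host-to-host key (constructed)"
GW_KEY = b"gateway-to-gateway key (constructed)"
# Constructed B -> B mappings: B1-gw's external pool, B2-gw's static server mapping.
SRC_MAP = {"10.1.0.9": "203.0.113.64"}   # B1-gw: internal host -> external pool address
DST_MAP = {"203.0.113.5": "10.2.0.5"}    # B2-gw: public server address -> internal server
ORIGINAL = Packet("10.1.0.9", "203.0.113.5", b"GET /")


def gateway_to_gateway() -> Tuple[bool, Packet]:
    """Protection only between the gateways.  Each gateway translates outside
    the span its check covers, so the peer's check passes and the receiving
    host sees rewritten addresses with nothing to check them against."""
    on_wire = translate(ORIGINAL, SRC_MAP, {})      # B1-gw rewrites source, then protects
    tag = protect(GW_KEY, on_wire)
    tunnel_ok = verify(GW_KEY, on_wire, tag)         # B2-gw: tunnel check passes
    delivered = translate(on_wire, {}, DST_MAP)      # B2-gw rewrites destination afterwards
    return tunnel_ok, delivered


def end_to_end() -> Tuple[bool, bool, Packet]:
    """The hosts protect the packet themselves as well.  The tunnel check still
    passes, but the receiving host's check fails because covered addresses
    were changed in transit, whether by configuration or by an attacker."""
    host_tag = protect(HOST_KEY, ORIGINAL)           # sending host's end-to-end tag
    on_wire = translate(ORIGINAL, SRC_MAP, {})
    tunnel_ok = verify(GW_KEY, on_wire, protect(GW_KEY, on_wire))
    delivered = translate(on_wire, {}, DST_MAP)
    e2e_ok = verify(HOST_KEY, delivered, host_tag)   # False: src and dst both rewritten
    return tunnel_ok, e2e_ok, delivered


if __name__ == "__main__":
    ok, pkt = gateway_to_gateway()
    print("gateway-to-gateway: tunnel check", ok, "delivered", pkt)
    t_ok, e_ok, pkt = end_to_end()
    print("end-to-end: tunnel check", t_ok, "host check", e_ok, "delivered", pkt)
```

   The gateway check passes in both runs because each gateway
   rewrites addresses outside the span its own check covers.  Only
   the hosts' end-to-end check notices, and it rejects a configured
   translation as readily as a hostile one; an end-to-end check that
   covers the addresses therefore validates changes exactly by
   refusing to accept them.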


6. References

   [Atkinson97] Kent, S., Atkinson, R., "Security Architecture for
   the Internet Protocol", draft-ietf-ipsec-arch-sec-01.txt

   [Bradner97] Bradner, S., "Key words for use in RFCs to
   indicate Requirement Levels", RFC2119, March 1997

   [Kent97] Kent, S., Atkinson, R., "IP Encapsulating Security
   Payload (ESP)", draft-ietf-ipsec-esp-v2-00.txt


7. Acknowledgments

   This document is based on discussions with Ran Atkinson,
   Naganand Doraswamy, Frank Kastenholz, Michael Richardson, and
   Rodney Thayer, along with a host of others at the IPsec
   workshops hosted by the Automotive Industry Action Group
   (AIAG).



8. Author's Addresses

     Robert Moskowitz
     rgm@chrysler.com
     Chrysler Corporation
