Classical versus Transparent IP Proxies
RFC 1919

Document Type RFC - Informational (March 1996; No errata)
Network Working Group                                          M. Chatel
Request for Comments: 1919                                    Consultant
Category: Informational                                       March 1996

                Classical versus Transparent IP Proxies

Status of this Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Abstract

   Many modern IP security systems (also called "firewalls" in the
   trade) make use of proxy technology to achieve access control.  This
   document explains "classical" and "transparent" proxy techniques and
   attempts to provide rules to help determine when each proxy system
   may be used without causing problems.

Table of Contents

   1.  Background . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  Direct communication (without a proxy) . . . . . . . . . . . 3
   2.1.  Direct connection example  . . . . . . . . . . . . . . . . 3
   2.2.  Requirements of direct communication . . . . . . . . . . . 5
   3.    Classical application proxies  . . . . . . . . . . . . . . 5
   3.1.  Classical proxy session example  . . . . . . . . . . . . . 6
   3.2.  Characteristics of classical proxy configurations  . . .  12
   3.2.1.  IP addressing and routing requirements . . . . . . . .  12
   3.2.2.  IP address hiding  . . . . . . . . . . . . . . . . . .  14
   3.2.3.  DNS requirements . . . . . . . . . . . . . . . . . . .  14
   3.2.4.  Software requirements  . . . . . . . . . . . . . . . .  15
   3.2.5.  Impact of a classical proxy on packet filtering  . . .  15
   3.2.6.  Interconnection of conflicting IP networks . . . . . .  16
   4.  Transparent application proxies  . . . . . . . . . . . . .  19
   4.1.  Transparent proxy connection example . . . . . . . . . .  20
   4.2.  Characteristics of transparent proxy configurations  . .  26
   4.2.1.  IP addressing and routing requirements . . . . . . . .  26
   4.2.2.  IP address hiding  . . . . . . . . . . . . . . . . . .  28
   4.2.3.  DNS requirements . . . . . . . . . . . . . . . . . . .  28
   4.2.4.  Software requirements  . . . . . . . . . . . . . . . .  29
   4.2.5.  Impact of a transparent proxy on packet filtering  . .  30
   4.2.6.  Interconnection of conflicting IP networks . . . . . .  31
   5.  Comparison chart of classical and transparent proxies  . .  31
   6.  Improving transparent proxies  . . . . . . . . . . . . . .  32
   7.  Security Considerations  . . . . . . . . . . . . . . . . .  34

Chatel                       Informational                      [Page 1]
RFC 1919        Classical versus Transparent IP Proxies       March 1996

   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . .  34
   9.  References . . . . . . . . . . . . . . . . . . . . . . . .  35

1. Background

   An increasing number of organizations use IP security systems to
   provide specific access control when crossing network security
   perimeters. These systems are often deployed at the network boundary
   between two organizations (which may be part of the same "official"
   entity), or between an organization's network and a large public
   internetwork such as the Internet.

   Some people believe that IP firewalls will become commodity products.
   Others believe that the introduction of IPv6 and of its improved
   security capabilities will gradually make firewalls look like stopgap
   solutions, and therefore irrelevant to the computer networking scene.
   In any case, it is currently important to examine the impact of
   inserting (and removing) a firewall at a network boundary, and to
   verify whether specific types of firewall technologies may have
   different effects on typical small and large IP networks.

   Current firewall designs usually rely on packet filtering, proxy
   technology, or a combination of both. Packet filtering (although hard
   to configure correctly in a security sense) is now a well documented
   technology whose strengths and weaknesses are reasonably understood.
   Proxy technology, on the other hand, has been deployed a lot but
   studied little. Furthermore, many recent firewall products support a
   capability called "transparent proxying". This type of feature has
   been subject to much more marketing attention than actual technical
   analysis by the networking community.

   It must be remembered that the Internet's growth and success is
   strongly related to its "open" nature. An Internet which would have
   been segmented from the start with firewalls, packet filters, and
   proxies may not have become what it is today. This type of discussion
   is, however, outside the scope of this document, which only attempts
   to provide an understandable description of what network proxies
   are, and of the differences, strengths, and weaknesses of
   "classical" and "transparent" network proxies.  Within the context of
   this document, a "classical" proxy is the older (some would say old-