IPsec-Network Address Translation (NAT) Compatibility Requirements
RFC 3715
Document Type RFC - Informational (March 2004; Errata)
Authors Bernard Aboba  , William Dixon 
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state WG Document
Document shepherd No shepherd assigned
IESG IESG state RFC 3715 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                           B. Aboba
Request for Comments: 3715                                      W. Dixon
Category: Informational                                        Microsoft
                                                              March 2004

   IPsec-Network Address Translation (NAT) Compatibility Requirements

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document describes known incompatibilities between Network
   Address Translation (NAT) and IPsec, and describes the requirements
   for addressing them.  Perhaps the most common use of IPsec is in
   providing virtual private networking capabilities.  One very popular
   use of Virtual Private Networks (VPNs) is to provide telecommuter
   access to the corporate Intranet.  Today, NATs are widely deployed in
   home gateways, as well as in other locations likely to be used by
   telecommuters, such as hotels.  The result is that IPsec-NAT
   incompatibilities have become a major barrier in the deployment of
   IPsec in one of its principal uses.

Aboba & Dixon                Informational                      [Page 1]
RFC 3715          IPsec-NAT Compatibility Requirements        March 2004

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Requirements Language. . . . . . . . . . . . . . . . . .  2
   2.  Known Incompatibilities between NA(P)T and IPsec . . . . . . .  3
       2.1.  Intrinsic NA(P)T Issues. . . . . . . . . . . . . . . . .  3
       2.2.  NA(P)T Implementation Weaknesses . . . . . . . . . . . .  7
       2.3.  Helper Incompatibilities . . . . . . . . . . . . . . . .  8
   3.  Requirements for IPsec-NAT Compatibility . . . . . . . . . . .  8
   4.  Existing Solutions . . . . . . . . . . . . . . . . . . . . . . 12
       4.1.  IPsec Tunnel Mode. . . . . . . . . . . . . . . . . . . . 12
       4.2.  RSIP . . . . . . . . . . . . . . . . . . . . . . . . . . 13
       4.3.  6to4 . . . . . . . . . . . . . . . . . . . . . . . . . . 13
   5.  Security Considerations. . . . . . . . . . . . . . . . . . . . 14
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
       6.1.  Normative References . . . . . . . . . . . . . . . . . . 15
       6.2.  Informative References . . . . . . . . . . . . . . . . . 16
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
   8.  Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 17
   9 . Full Copyright Statement . . . . . . . . . . . . . . . . . . . 18

1.  Introduction

   Perhaps the most common use of IPsec [RFC2401] is in providing
   virtual private networking (VPN) capabilities.  One very popular use
   of VPNs is to provide telecommuter access to the corporate Intranet.
   Today, Network Address Translations (NATs) as described in [RFC3022]
   and [RFC2663], are widely deployed in home gateways, as well as in
   other locations likely to be used by telecommuters, such as hotels.
   The result is that IPsec-NAT incompatibilities have become a major
   barrier in the deployment of IPsec in one of its principal uses.
   This document describes known incompatibilities between NAT and
   IPsec, and describes the requirements for addressing them.

1.1.  Requirements Language

   In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
   "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
   described in [RFC2119].

   Please note that the requirements specified in this document are to
   be used in evaluating protocol submissions.  As such, the
   requirements language refers to capabilities of these protocols; the
   protocol documents will specify whether these features are required,
   recommended, or optional.  For example, requiring that a protocol
   support confidentiality is not the same thing as requiring that all
   protocol traffic be encrypted.

Aboba & Dixon                Informational                      [Page 2]
RFC 3715          IPsec-NAT Compatibility Requirements        March 2004

   A protocol submission is not compliant if it fails to satisfy one or
   more of the MUST or MUST NOT requirements for the capabilities that
   it implements.  A protocol submission that satisfies all the MUST,
   MUST NOT, SHOULD, and SHOULD NOT requirements for its capabilities is
   said to be "unconditionally compliant"; one that satisfies all the
   MUST and MUST NOT requirements, but not all the SHOULD or SHOULD NOT
   requirements for its protocols is said to be "conditionally
   compliant."

2.  Known Incompatibilities between NA(P)T and IPsec

   The incompatibilities between NA(P)T and IPsec can be divided into
   three categories:

   1) Intrinsic NA(P)T issues.  These incompatibilities derive directly
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools