Unintended Consequences of NAT Deployments with Overlapping Address Space
RFC 5684
Document | Type |
RFC - Informational
(February 2010; No errata)
Was draft-ford-behave-top (gen)
|
|
---|---|---|---|
Authors | Bryan Ford , Pyda Srisuresh | ||
Last updated | 2015-10-14 | ||
Stream | ISE | ||
Formats | plain text html pdf htmlized bibtex | ||
Stream | ISE state | (None) | |
Consensus Boilerplate | Unknown | ||
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 5684 (Informational) | |
Telechat date | |||
Responsible AD | Magnus Westerlund | ||
Send notices to | rfc-editor@rfc-editor.org |
Independent Submission P. Srisuresh Request for Comments: 5684 EMC Corporation Category: Informational B. Ford ISSN: 2070-1721 Yale University February 2010 Unintended Consequences of NAT Deployments with Overlapping Address Space Abstract This document identifies two deployment scenarios that have arisen from the unconventional network topologies formed using Network Address Translator (NAT) devices. First, the simplicity of administering networks through the combination of NAT and DHCP has increasingly lead to the deployment of multi-level inter-connected private networks involving overlapping private IP address spaces. Second, the proliferation of private networks in enterprises, hotels and conferences, and the wide-spread use of Virtual Private Networks (VPNs) to access an enterprise intranet from remote locations has increasingly lead to overlapping private IP address space between remote and corporate networks. This document does not dismiss these unconventional scenarios as invalid, but recognizes them as real and offers recommendations to help ensure these deployments can function without a meltdown. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5684. Srisuresh & Ford Informational [Page 1] RFC 5684 Complications from NAT Deployments February 2010 Copyright Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Table of Contents 1. Introduction and Scope ..........................................3 2. Terminology and Conventions Used ................................4 3. Multi-Level NAT Network Topologies ..............................4 3.1. Operational Details of the Multi-Level NAT Network .........6 3.1.1. Client/Server Communication .........................7 3.1.2. Peer-to-Peer Communication ..........................7 3.2. Anomalies of the Multi-Level NAT Network ...................8 3.2.1. Plug-and-Play NAT Devices ..........................10 3.2.2. Unconventional Addressing on NAT Devices ...........11 3.2.3. Multi-Level NAT Translations .......................12 3.2.4. Mistaken End Host Identity .........................13 4. Remote Access VPN Network Topologies ...........................14 4.1. Operational Details of the Remote Access VPN Network ......17 4.2. Anomalies of the Remote Access VPNs .......................18 4.2.1. Remote Router and DHCP Server Address Conflict .....18 4.2.2. Simultaneous Connectivity Conflict .................20 4.2.3. VIP Address Conflict ...............................21 4.2.4. Mistaken End Host Identity .........................22 5. Summary of Recommendations .....................................22 6. Security Considerations ........................................24 7. Acknowledgements ...............................................24 8. References .....................................................25 8.1. Normative References ......................................25 8.2. Informative References ....................................25 Srisuresh & Ford Informational [Page 2] RFC 5684 Complications from NAT Deployments February 2010 1. Introduction and Scope The Internet was originally designed to use a single, global 32-bit IP address space to uniquely identify hosts on the network, allowing applications on one host to address and initiate communications with applications on any other host regardless of the respective host's topological locations or administrative domains. For a variety ofShow full document text