IPsec-Network Address Translation (NAT) Compatibility Requirements (RFC3715)

IP.com Disclosure Number: IPCOM000022377D
Original Publication Date: 2004-Mar-01
Included in the Prior Art Database: 2004-Mar-12
Document File: 19 page(s) / 43K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

B. Aboba: AUTHOR [+2]

Abstract

This document describes known incompatibilities between Network Address Translation (NAT) and IPsec, and describes the requirements for addressing them. Perhaps the most common use of IPsec is in providing virtual private networking capabilities. One very popular use of Virtual Private Networks (VPNs) is to provide telecommuter access to the corporate Intranet. Today, NATs are widely deployed in home gateways, as well as in other locations likely to be used by telecommuters, such as hotels. The result is that IPsec-NAT incompatibilities have become a major barrier in the deployment of IPsec in one of its principal uses.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 8% of the total text.

Network Working Group                                           B. Aboba
Request for Comments: 3715                                      W. Dixon
Category: Informational                                        Microsoft
                                                              March 2004

IPsec-Network Address Translation (NAT) Compatibility Requirements

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Table of Contents

1. Introduction
   1.1. Requirements Language
2. Known Incompatibilities between NA(P)T and IPsec
   2.1. Intrinsic NA(P)T Issues
   2.2. NA(P)T Implementation Weaknesses
   2.3. Helper Incompatibilities
3. Requirements for IPsec-NAT Compatibility
4. Existing Solutions
   4.1. IPsec Tunnel Mode
   4.2. RSIP
   4.3. 6to4
5. Security Considerations
6. References
   6.1. Normative References
   6.2. Informative References
7. Acknowledgements
8. Authors' Addresses
9. Full Copyright Statement

1. Introduction

Perhaps the most common use of IPsec [RFC2401] is in providing virtual private networking (VPN) capabilities. One very popular use of VPNs is to provide telecommuter access to the corporate Intranet. Today, Network Address Translations (NATs) as described in [RFC3022] and [RFC2663], are widely deployed in home gateways, as well as in other locations likely to be used by telecommuters, such as hotels. The result is that IPsec-NAT incompatibilities have become a major barrier in the deployment of IPsec in one of its principal uses.

This document describes known incompatibilities between NAT an...