RFC 2709 (rfc2709) - Page 2 of 11

Security Model with Tunnel-mode IPsec for NAT Domains

Alternative Format: Original Text Document
< Previous
Next >
RFC 2709                Security for NAT Domains            October 1999


   All applications traversing a NAT device, irrespective of whether
   they require assistance of an ALG or not, can benefit from IPsec
   tunnel-mode security, when NAT device acts as the IPsec tunnel end
   point.

   Section 2 below defines terms specific to this document.

   Section 3 describes how tunnel mode IPsec security can be recognized
   on NAT devices. IPsec Security architecture, format and operation of
   various types of security mechanisms may be found in [Ref 2], [Ref 3]
   and [Ref 4].  This section does not address how session keys and
   policies are exchanged between a NAT device acting as IPsec gateway
   and external peering nodes. The exchange could have taken place
   manually or using any of known automatic exchange techniques.

   Section 4 assumes that Public Key based IKE protocol [Ref 5] may be
   used to automate exchange of security policies, session keys and
   other Security Association (SA) attributes. This section describes a
   method by which security policies administered for a private domain
   may be translated for communicating with external nodes. Detailed
   description of IKE protocol operation may be found in [Ref 5] and
   [Ref 6].

   Section 5 describes applications of the security model described in
   the document. Applications listed include secure external realm
   connectivity for private domain hosts and secure remote access to
   enterprise mobile hosts.

2. Terminology

   Definitions for majority of terms used in this document may be found
   in one of (a) NAT Terminology and Considerations document [Ref 1],
   (b) IP security Architecture document [Ref 2], or (c) Internet Key
   Enchange (IKE) document [Ref 5]. Below are terms defined specifically
   for this document.

2.1. Normal-NAT

   The term "Normal-NAT" is introduced to distinguish normal NAT
   processing from the NAT processing used for secure packets embedded
   within an IPsec secure tunnel. "Normal-NAT" is the normal NAT
   processing as described in [Ref 1].

2.2. IPsec Policy Controlled NAT (IPC-NAT)

   The term "IPsec Policy Controlled NAT" (IPC-NAT, for short) is
   defined to describe the NAT transformation applied as an extension of
   IPsec transformation to packets embedded within an IP-IP tunnel, for



Srisuresh                    Informational
< Previous
Next >