

Security Model with Tunnel-mode IPsec for NAT Domains






RFC 2709                Security for NAT Domains            October 1999


   which the NAT node is a tunnel end point. IPC-NAT function is
   essentially an adaptation of NAT extensions to embedded packets of
   tunnel-mode IPsec. Packets subject to IPC-NAT processing are
   beneficiaries of IPsec security between the NAT device and an
   external peer entity, be it a host or a gateway node.

   IPsec policies place restrictions on what NAT mappings are used.  For
   example, IPsec access control security policies to a peer gateway
   will likely restrict communication to only certain addresses and/or
   port numbers. Thus, when NAT performs translations, it must ensure
   that the translations it performs are consistent with the security
   policies.

   Just as with Normal-NAT, the IPC-NAT function can assume any of the
   NAT flavors, including Traditional-NAT, Bi-directional-NAT and
   Twice-NAT.  An IPC-NAT device would support both IPC-NAT and
   normal-NAT functions.

3. Security model of IPC-NAT

   The IP security architecture document [Ref 2] describes how IP
   network level security may be accomplished within a globally unique
   address realm. Transport and tunnel mode security are discussed. For
   purposes of this document, we will assume IPsec security to mean
   tunnel mode IPsec security, unless specified otherwise. Elements
   fundamental to this security architecture are (a) Security Policies,
   that determine which packets are permitted to be subject to Security
   processing, and (b) Security Association Attributes that identify the
   parameters for security processing, including IPsec protocols,
   algorithms and session keys to be applied.

   Operation of tunnel mode IPsec security on a device that does not
   support Network Address Translation may be described as below in
   figures 1 and 2.

            +---------------+  No  +---------------------------+
            |               | +--->|Forward packet in the Clear|
   Outgoing |Does the packet| |    |Or Drop, as appropriate.   |
   -------->|match Outbound |-|    +---------------------------+
   Packet   |Security       | |    +-------------+
            |Policies?      | |Yes |Perform      | Forward
            |               | +--->|Outbound     |--------->
            +---------------+      |Security     | IPsec Pkt
                                   |(Tunnel Mode)|
                                   +-------------+

   Figure 1. Operation of Tunnel-Mode IPsec on outgoing packets.
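   The following Python model is an added illustration, not part of RFC
   2709 and not code from its author.  It ties the outbound path of
   Figure 1 (SPD lookup, then forward in the clear, drop, or apply
   tunnel-mode IPsec) to the requirement stated earlier that NAT
   translations must stay consistent with the security policies.  It
   assumes a first-match SPD whose entries carry source/destination
   network, protocol and port selectors with PROTECT, BYPASS or DISCARD
   actions, and it models NAT as static address-only bindings drawn from
   a pool (no port translation, no pool exhaustion).  The SPD entries,
   address pool and packets are constructed sample data using
   documentation address ranges.

```python
# Added example (not part of RFC 2709): a toy model of the outbound path in
# Figure 1 (SPD lookup -> clear / drop / tunnel-mode IPsec), extended with the
# IPC-NAT rule that a NAT binding is only created if the translated packet
# still lands on the intended security policy.  All addresses, ports and
# policy entries below are constructed sample data.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"     # SPD actions
IPSEC_TUNNEL, CLEAR, DROP = "IPSEC_TUNNEL", "CLEAR", "DROP"   # forwarding results


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Policy:
    """One outbound SPD entry: traffic selectors plus the action to apply."""
    src_net: str
    dst_net: str
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port
    action: str = PROTECT

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def spd_lookup(spd: List[Policy], pkt: Packet) -> Optional[Policy]:
    """First-match lookup; None means no policy applies (the 'No' branch of Figure 1)."""
    return next((p for p in spd if p.matches(pkt)), None)


def outbound_decision(spd: List[Policy], pkt: Packet) -> str:
    """Figure 1 on a device without NAT: map the SPD result to a forwarding action."""
    policy = spd_lookup(spd, pkt)
    if policy is None or policy.action == BYPASS:
        return CLEAR
    if policy.action == DISCARD:
        return DROP
    return IPSEC_TUNNEL


def allocate_binding(spd: List[Policy], pool: List[str], pkt: Packet) -> Optional[str]:
    """Choose an external source address for a new NAT binding.

    Each candidate is evaluated against the SPD *after* translation.  A
    candidate that keeps the traffic under IPsec is preferred; failing that,
    one whose traffic is at least not discarded; if every candidate would be
    discarded, no binding is created.  (Hypothetical selection rule; the RFC
    only requires that translations be consistent with the policies.)"""
    decisions = {addr: outbound_decision(spd, replace(pkt, src=addr)) for addr in pool}
    for wanted in (IPSEC_TUNNEL, CLEAR):
        for addr in pool:
            if decisions[addr] == wanted:
                return addr
    return None


def ipc_nat_outbound(spd: List[Policy], pool: List[str],
                     bindings: Dict[str, str], pkt: Packet) -> Tuple[str, Packet]:
    """IPC-NAT outbound path: translate the inner packet, then run Figure 1.
    `bindings` (internal address -> external address) is updated in place."""
    ext = bindings.get(pkt.src)
    if ext is None:
        ext = allocate_binding(spd, pool, pkt)
        if ext is None:
            return DROP, pkt          # no policy-consistent translation exists
        bindings[pkt.src] = ext
    translated = replace(pkt, src=ext)
    return outbound_decision(spd, translated), translated


# Constructed sample configuration: the peer gateway only protects traffic
# sourced from 203.0.113.0/28, and telnet to the peer is prohibited outright.
SAMPLE_SPD = [
    Policy("203.0.113.0/28", "198.51.100.0/24", "tcp", 23, DISCARD),
    Policy("203.0.113.0/28", "198.51.100.0/24", action=PROTECT),
]
SAMPLE_POOL = ["192.0.2.6", "203.0.113.5"]   # 192.0.2.6 lies outside the peer's selectors


if __name__ == "__main__":
    bindings: Dict[str, str] = {}
    for pkt in (Packet("10.0.0.5", "198.51.100.10", "tcp", 40000, 443),
                Packet("10.0.0.5", "198.51.100.10", "tcp", 40001, 23),
                Packet("10.0.0.7", "192.0.2.99", "udp", 5000, 53)):
        action, out = ipc_nat_outbound(SAMPLE_SPD, SAMPLE_POOL, bindings, pkt)
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  nat_src={out.src}  {action}")
```

   The point the model makes is that the SPD is written in terms of the
   translated (external) addresses, so a NAT binding chosen without
   consulting the SPD can silently move traffic destined for a protected
   peer onto the "forward in the clear" branch of Figure 1; checking the
   candidate translation against the SPD before the binding is installed
   prevents that.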




Srisuresh                    Informational