RFC 2709 (rfc2709) - Page 1 of 11
Security Model with Tunnel-mode IPsec for NAT Domains
Alternative Format: Original Text Document
Network Working Group P. Srisuresh
Request for Comments: 2709 Lucent Technologies
Category: Informational October 1999
Security Model with Tunnel-mode IPsec for NAT Domains
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
There are a variety of NAT flavors, as described in [Ref 1]. Of the
domains supported by NATs, only Realm-Specific IP clients are able to
pursue end-to-end IPsec secure sessions. However, all flavors of NAT
are capable of offering tunnel-mode IPsec security to private domain
hosts peering with nodes in external realm. This document describes a
security model by which tunnel-mode IPsec security can be architected
on NAT devices. A section is devoted to describing how security
policies may be transparently communicated to IKE (for automated KEY
exchange) during Quick Mode. Also outlined are applications that can
benefit from the Security Model described.
1. Introduction and Overview
NAT devices provide transparent routing to end hosts trying to
communicate from disparate address realms, by modifying IP and
transport headers en-route. This solution works best when the end
user identifier (such as host name) is different from the address
used to locate end user.
End-to-end application level payload security can be provided for
applications that do not embed realm-specific information in payloads
that is meaningless to one of the end-users. Applications that do
embed realm-specific information in payload will require an
application level gateway (ALG) to make the payload meaningful in
both realms. However, applications that require assistance of an ALG
en-route cannot pursue end-to-end application level security.
Srisuresh Informational
