RFC 2709 (rfc2709) - Page 3 of 11
Security Model with Tunnel-mode IPsec for NAT Domains
RFC 2709 Security for NAT Domains October 1999
which the NAT node is a tunnel end point. IPC-NAT function is
essentially an adaptation of NAT extensions to embedded packets of
tunnel-mode IPsec. Packets subject to IPC-NAT processing are
beneficiaries of IPsec security between the NAT device and an
external peer entity, be it a host or a gateway node.
IPsec policies place restrictions on what NAT mappings are used. For
example, IPsec access control security policies to a peer gateway
will likely restrict communication to only certain addresses and/or
port numbers. Thus, when NAT performs translations, it must ensure
that the translations it performs are consistent with the security
policies.
Just as with Normal-NAT, the IPC-NAT function can assume any of the
NAT flavors, including Traditional-NAT, Bi-directional-NAT and Twice-NAT.
An IPC-NAT device would support both IPC-NAT and normal-NAT
functions.
3. Security model of IPC-NAT
The IP security architecture document [Ref 2] describes how IP
network level security may be accomplished within a globally unique
address realm. Transport and tunnel mode security are discussed. For
purposes of this document, we will assume IPsec security to mean
tunnel mode IPsec security, unless specified otherwise. Elements
fundamental to this security architecture are (a) Security Policies,
that determine which packets are permitted to be subject to Security
processing, and (b) Security Association Attributes that identify the
parameters for security processing, including IPsec protocols,
algorithms and session keys to be applied.
Operation of tunnel mode IPsec security on a device that does not
support Network Address Translation may be described as below in
figures 1 and 2.
                +---------------+   No  +---------------------------+
                |               |  +--->|Forward packet in the Clear|
Outgoing        |Does the packet|  |    |Or Drop, as appropriate.   |
-------->       |match Outbound |--|    +---------------------------+
Packet          |Security       |  |    +-------------+
                |Policies?      |  |Yes |Perform      |  Forward
                |               |  +--->|Outbound     |--------->
                +---------------+       |Security     | IPsec Pkt
                                        |(Tunnel Mode)|
                                        +-------------+
Figure 1. Operation of Tunnel-Mode IPsec on outgoing packets.
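The following is an added example, not text or code from RFC 2709, that models two things described above: the outbound decision flow of Figure 1 (match outbound Security Policies; forward in the clear or drop on "No", perform tunnel-mode security on "Yes") and the requirement from the previous section that IPC-NAT choose only translations consistent with the security policies. The class and field names (Packet, SecurityPolicy, SecurityAssociation, lookup_policy, process_outgoing, ipc_nat_translate), the three policy actions, and every address, port, SPI and key value are assumptions constructed for the example; they are not definitions from the RFC or from any IPsec implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Actions an outbound Security Policy can prescribe (names assumed here).
BYPASS, DISCARD, PROTECT = "bypass", "discard", "protect"


@dataclass(frozen=True)
class Packet:
    """Inner (pre-tunnel) packet, reduced to the selectors policies use."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class SecurityPolicy:
    """One outbound Security Policy: selectors plus the action to take."""
    src_net: str
    dst_net: str
    action: str
    proto: Optional[str] = None          # None = any protocol
    dports: Optional[range] = None       # None = any destination port
    peer_gateway: Optional[str] = None   # tunnel end point when action == PROTECT

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dports is None or pkt.dport in self.dports))


@dataclass(frozen=True)
class SecurityAssociation:
    """Security Association attributes: IPsec protocol, algorithm, session key."""
    spi: int
    protocol: str        # "ESP" or "AH"
    algorithm: str
    key: bytes


def lookup_policy(pkt: Packet, spd: List[SecurityPolicy]) -> Optional[SecurityPolicy]:
    """Ordered search of the policy list; the first matching entry wins."""
    for policy in spd:
        if policy.matches(pkt):
            return policy
    return None


def process_outgoing(pkt: Packet, spd: List[SecurityPolicy],
                     sad: Dict[str, SecurityAssociation], local_gateway: str):
    """Decision flow of Figure 1 for one outgoing packet.
    Returns (disposition, payload)."""
    policy = lookup_policy(pkt, spd)
    # "No" branch: nothing requires IPsec, so forward in the clear or drop.
    # Here "as appropriate" is decided by explicit BYPASS/DISCARD entries,
    # and a packet matching no entry at all is dropped.
    if policy is None or policy.action == DISCARD:
        return ("drop", pkt)
    if policy.action == BYPASS:
        return ("forward-clear", pkt)
    # "Yes" branch: perform outbound tunnel-mode security.
    sa = sad.get(policy.peer_gateway)
    if sa is None:
        return ("drop", pkt)   # no SA with the peer gateway yet; cannot protect
    # Tunnel mode: the whole inner packet rides inside an outer IP header
    # addressed from this gateway to the peer gateway.
    outer = {"src": local_gateway, "dst": policy.peer_gateway,
             "protocol": sa.protocol, "spi": sa.spi, "inner": pkt}
    return ("forward-ipsec", outer)


def ipc_nat_translate(pkt: Packet, spd: List[SecurityPolicy],
                      candidate_srcs: List[str], peer_gateway: str) -> Optional[Packet]:
    """IPC-NAT source translation constrained by policy: pick the first
    candidate address whose translated packet still matches a PROTECT
    policy toward the intended peer gateway.  A mapping outside the
    policy's address range would be discarded later, so it is rejected."""
    for new_src in candidate_srcs:
        translated = Packet(new_src, pkt.dst, pkt.proto, pkt.dport)
        policy = lookup_policy(translated, spd)
        if (policy is not None and policy.action == PROTECT
                and policy.peer_gateway == peer_gateway):
            return translated
    return None


# Constructed sample configuration; every address, SPI and key is invented.
SPD = [
    SecurityPolicy("10.1.0.0/16", "10.2.0.0/16", PROTECT, proto="tcp",
                   dports=range(80, 81), peer_gateway="192.0.2.2"),
    SecurityPolicy("10.1.0.0/16", "198.51.100.0/24", BYPASS),
    SecurityPolicy("0.0.0.0/0", "0.0.0.0/0", DISCARD),
]
SAD = {"192.0.2.2": SecurityAssociation(0x1001, "ESP", "3DES-CBC + HMAC-SHA1",
                                        b"\x00" * 24)}
LOCAL_GATEWAY = "192.0.2.1"

if __name__ == "__main__":
    web = Packet("10.1.0.5", "10.2.0.9", "tcp", 80)
    print(process_outgoing(web, SPD, SAD, LOCAL_GATEWAY))
    private = Packet("192.168.5.7", "10.2.0.9", "tcp", 80)
    print(ipc_nat_translate(private, SPD, ["203.0.113.5", "10.1.0.5"], "192.0.2.2"))
```

In the sample run, the private host 192.168.5.7 is given the second candidate address, 10.1.0.5, because the first candidate, 203.0.113.5, falls through to the catch-all DISCARD entry and would never reach the peer gateway. That is the consistency requirement of the previous section made concrete: the NAT mapping and the policy selectors have to agree before the packet is handed to outbound security.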
Srisuresh Informational