
Network Working Group                                       P. Srisuresh
Request for Comments: 2709                           Lucent Technologies
Category: Informational                                     October 1999


         Security Model with Tunnel-mode IPsec for NAT Domains

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   There are a variety of NAT flavors, as described in [Ref 1]. Of the
   domains supported by NATs, only Realm-Specific IP clients are able to
   pursue end-to-end IPsec secure sessions. However, all flavors of NAT
   are capable of offering tunnel-mode IPsec security to private domain
   hosts peering with nodes in an external realm. This document describes
   a security model by which tunnel-mode IPsec security can be architected
   on NAT devices. A section is devoted to describing how security
   policies may be transparently communicated to IKE (for automated KEY
   exchange) during Quick Mode. Also outlined are applications that can
   benefit from the Security Model described.

1. Introduction and Overview

   NAT devices provide transparent routing to end hosts trying to
   communicate from disparate address realms, by modifying IP and
   transport headers en-route. This solution works best when the end
   user identifier (such as host name) is different from the address
   used to locate the end user.

   End-to-end application level payload security can be provided for
   applications that do not embed realm-specific information in payloads
   that is meaningless to one of the end-users. Applications that do
   embed realm-specific information in payload will require an
   application level gateway (ALG) to make the payload meaningful in
   both realms. However, applications that require assistance of an ALG
   en-route cannot pursue end-to-end application level security.
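   As an added illustration (not part of the RFC), the following Python
   sketch models the point of the two paragraphs above: a basic NAT
   rewrites only the IP/transport headers, an ALG must additionally
   rewrite a realm-specific address embedded in the payload, and that
   payload rewrite necessarily breaks an end-to-end application-level
   integrity check. The addresses, ports, HMAC key and payload formats
   are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed addresses: a private host, the NAT's public address, an external peer.
PRIVATE_HOST = "10.0.0.5"
NAT_PUBLIC = "192.0.2.1"
EXTERNAL_HOST = "198.51.100.7"


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    mac: bytes = b""  # end-to-end application-level integrity tag over payload


def protect(pkt: Packet, key: bytes) -> Packet:
    """Sender applies an end-to-end integrity check over the payload only."""
    return replace(pkt, mac=hmac.new(key, pkt.payload, hashlib.sha256).digest())


def verify(pkt: Packet, key: bytes) -> bool:
    """Receiver recomputes the tag; any payload modification en-route fails here."""
    return hmac.compare_digest(pkt.mac, hmac.new(key, pkt.payload, hashlib.sha256).digest())


def nat_translate(pkt: Packet) -> Packet:
    """Basic NAT: rewrite private source address/port in the headers, leave payload alone."""
    return replace(pkt, src=NAT_PUBLIC, sport=40000)


def alg_translate(pkt: Packet) -> Packet:
    """ALG: also rewrite the realm-specific address the application embedded in the payload."""
    return replace(pkt, payload=pkt.payload.replace(PRIVATE_HOST.encode(), NAT_PUBLIC.encode()))


def meaningful_externally(pkt: Packet) -> bool:
    """Payload is usable by the external peer only if it carries no private-realm address."""
    return PRIVATE_HOST.encode() not in pkt.payload


def traverse(pkt: Packet, key: bytes, use_alg: bool) -> tuple:
    """Pass a protected packet through the NAT (optionally with an ALG).

    Returns (payload meaningful to external peer, end-to-end integrity still valid).
    """
    out = nat_translate(pkt)
    if use_alg:
        out = alg_translate(out)
    return meaningful_externally(out), verify(out, key)
```

   With a payload that embeds the private address, the two outcomes are
   mutually exclusive: without the ALG the integrity check survives but
   the payload is meaningless outside the private realm, and with the ALG
   the payload becomes meaningful but the end-to-end check fails.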






Srisuresh                    Informational