| blob | 827f5b3732cbef8dc6b7d20bdd7e8d28016d8d30 |
7 Network Working Group B. Aboba
8 Request for Comments: 3715 W. Dixon
9 Category: Informational Microsoft
10 March 2004
13 IPsec-Network Address Translation (NAT) Compatibility Requirements
15 Status of this Memo
17 This memo provides information for the Internet community. It does
18 not specify an Internet standard of any kind. Distribution of this
19 memo is unlimited.
21 Copyright Notice
23 Copyright (C) The Internet Society (2004). All Rights Reserved.
25 Abstract
27 This document describes known incompatibilities between Network
28 Address Translation (NAT) and IPsec, and describes the requirements
29 for addressing them. Perhaps the most common use of IPsec is in
30 providing virtual private networking capabilities. One very popular
31 use of Virtual Private Networks (VPNs) is to provide telecommuter
32 access to the corporate Intranet. Today, NATs are widely deployed in
33 home gateways, as well as in other locations likely to be used by
34 telecommuters, such as hotels. The result is that IPsec-NAT
35 incompatibilities have become a major barrier in the deployment of
36 IPsec in one of its principal uses.
58 Aboba & Dixon Informational [Page 1]
59 \f
60 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
63 Table of Contents
65 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
66 1.1. Requirements Language. . . . . . . . . . . . . . . . . . 2
67 2. Known Incompatibilities between NA(P)T and IPsec . . . . . . . 3
68 2.1. Intrinsic NA(P)T Issues. . . . . . . . . . . . . . . . . 3
69 2.2. NA(P)T Implementation Weaknesses . . . . . . . . . . . . 7
70 2.3. Helper Incompatibilities . . . . . . . . . . . . . . . . 8
71 3. Requirements for IPsec-NAT Compatibility . . . . . . . . . . . 8
72 4. Existing Solutions . . . . . . . . . . . . . . . . . . . . . . 12
73 4.1. IPsec Tunnel Mode. . . . . . . . . . . . . . . . . . . . 12
74 4.2. RSIP . . . . . . . . . . . . . . . . . . . . . . . . . . 13
75 4.3. 6to4 . . . . . . . . . . . . . . . . . . . . . . . . . . 13
76 5. Security Considerations. . . . . . . . . . . . . . . . . . . . 14
77 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
78 6.1. Normative References . . . . . . . . . . . . . . . . . . 15
79 6.2. Informative References . . . . . . . . . . . . . . . . . 16
80 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
81 8. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 17
82 9 . Full Copyright Statement . . . . . . . . . . . . . . . . . . . 18
84 1. Introduction
86 Perhaps the most common use of IPsec [RFC2401] is in providing
87 virtual private networking (VPN) capabilities. One very popular use
88 of VPNs is to provide telecommuter access to the corporate Intranet.
89 Today, Network Address Translations (NATs) as described in [RFC3022]
90 and [RFC2663], are widely deployed in home gateways, as well as in
91 other locations likely to be used by telecommuters, such as hotels.
92 The result is that IPsec-NAT incompatibilities have become a major
93 barrier in the deployment of IPsec in one of its principal uses.
94 This document describes known incompatibilities between NAT and
95 IPsec, and describes the requirements for addressing them.
97 1.1. Requirements Language
99 In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
100 "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
101 described in [RFC2119].
103 Please note that the requirements specified in this document are to
104 be used in evaluating protocol submissions. As such, the
105 requirements language refers to capabilities of these protocols; the
106 protocol documents will specify whether these features are required,
107 recommended, or optional. For example, requiring that a protocol
108 support confidentiality is not the same thing as requiring that all
109 protocol traffic be encrypted.
114 Aboba & Dixon Informational [Page 2]
115 \f
116 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
119 A protocol submission is not compliant if it fails to satisfy one or
120 more of the MUST or MUST NOT requirements for the capabilities that
121 it implements. A protocol submission that satisfies all the MUST,
122 MUST NOT, SHOULD, and SHOULD NOT requirements for its capabilities is
123 said to be "unconditionally compliant"; one that satisfies all the
124 MUST and MUST NOT requirements, but not all the SHOULD or SHOULD NOT
125 requirements for its protocols is said to be "conditionally
126 compliant."
128 2. Known Incompatibilities between NA(P)T and IPsec
130 The incompatibilities between NA(P)T and IPsec can be divided into
131 three categories:
133 1) Intrinsic NA(P)T issues. These incompatibilities derive directly
134 from the NA(P)T functionality described in [RFC3022]. These
135 incompatibilities will therefore be present in any NA(P)T device.
137 2) NA(P)T implementation weaknesses. These incompatibilities are not
138 intrinsic to NA(P)T, but are present in many NA(P)T
139 implementations. Included in this category are problems in
140 handling inbound or outbound fragments. Since these issues are
141 not intrinsic to NA(P)T, they can, in principle, be addressed in
142 future NA(P)T implementations. However, since the implementation
143 problems appear to be wide spread, they need to be taken into
144 account in a NA(P)T traversal solution.
146 3) Helper issues. These incompatibilities are present in NA(P)T
147 devices which attempt to provide for IPsec NA(P)T traversal.
148 Ironically, this "helper" functionality creates further
149 incompatibilities, making an already difficult problem harder to
150 solve. While IPsec traversal "helper" functionality is not
151 present in all NA(P)Ts, these features are becoming sufficiently
152 popular that they also need to be taken into account in a NA(P)T
153 traversal solution.
155 2.1. Intrinsic NA(P)T Issues
157 Incompatibilities that are intrinsic to NA(P)T include:
159 a) Incompatibility between IPsec AH [RFC2402] and NAT. Since the AH
160 header incorporates the IP source and destination addresses in the
161 keyed message integrity check, NAT or reverse NAT devices making
162 changes to address fields will invalidate the message integrity
163 check. Since IPsec ESP [RFC2406] does not incorporate the IP
164 source and destination addresses in its keyed message integrity
165 check, this issue does not arise for ESP.
170 Aboba & Dixon Informational [Page 3]
171 \f
172 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
175 b) Incompatibility between checksums and NAT. TCP and UDP checksums
176 have a dependency on the IP source and destination addresses
177 through inclusion of the "pseudo-header" in the calculation. As a
178 result, where checksums are calculated and checked upon receipt,
179 they will be invalidated by passage through a NAT or reverse NAT
180 device.
182 As a result, IPsec Encapsulating Security Payload (ESP) will only
183 pass through a NAT unimpeded if TCP/UDP protocols are not involved
184 (as in IPsec tunnel mode or IPsec protected GRE), or checksums are
185 not calculated (as is possible with IPv4 UDP). As described in
186 [RFC793], TCP checksum calculation and verification is required in
187 IPv4. UDP/TCP checksum calculation and verification is required
188 in IPv6.
190 Stream Control Transmission Protocol (SCTP), as defined in
191 [RFC2960] and [RFC3309], uses a CRC32C algorithm calculated only
192 on the SCTP packet (common header + chunks), so that the IP header
193 is not covered. As a result, NATs do not invalidate the SCTP CRC,
194 and the problem does not arise.
196 Note that since transport mode IPsec traffic is integrity
197 protected and authenticated using strong cryptography,
198 modifications to the packet can be detected prior to checking
199 UDP/TCP checksums. Thus, checksum verification only provides
200 assurance against errors made in internal processing.
202 c) Incompatibility between IKE address identifiers and NAT. Where IP
203 addresses are used as identifiers in Internet Key Exchange
204 Protocol (IKE) Phase 1 [RFC2409] or Phase 2, modification of the
205 IP source or destination addresses by NATs or reverse NATs will
206 result in a mismatch between the identifiers and the addresses in
207 the IP header. As described in [RFC2409], IKE implementations are
208 required to discard such packets.
210 In order to avoid use of IP addresses as IKE Phase 1 and Phase 2
211 identifiers, userIDs and FQDNs can be used instead. Where user
212 authentication is desired, an ID type of ID_USER_FQDN can be used,
213 as described in [RFC2407]. Where machine authentication is
214 desired, an ID type of ID_FQDN can be used. In either case, it is
215 necessary to verify that the proposed identifier is authenticated
216 as a result of processing an end-entity certificate, if
217 certificates are exchanged in Phase 1. While use of USER_FQDN or
218 FQDN identity types is possible within IKE, there are usage
219 scenarios (e.g. Security Policy Database (SPD) entries describing
220 subnets) that cannot be accommodated this way.
226 Aboba & Dixon Informational [Page 4]
227 \f
228 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
231 Since the source address in the Phase 2 identifier is often used
232 to form a full 5-tuple inbound SA selector, the destination
233 address, protocol, source port and destination port can be used in
234 the selector so as not to weaken inbound SA processing.
236 d) Incompatibility between fixed IKE source ports and NAPT. Where
237 multiple hosts behind the NAPT initiate IKE SAs to the same
238 responder, a mechanism is needed to allow the NAPT to demultiplex
239 the incoming IKE packets from the responder. This is typically
240 accomplished by translating the IKE UDP source port on outbound
241 packets from the initiator. Thus responders must be able to
242 accept IKE traffic from a UDP source port other than 500, and must
243 reply to that port. Care must be taken to avoid unpredictable
244 behavior during re-keys. If the floated source port is not used
245 as the destination port for the re-key, the NAT may not be able to
246 send the re-key packets to the correct destination.
248 e) Incompatibilities between overlapping SPD entries and NAT. Where
249 initiating hosts behind a NAT use their source IP addresses in
250 Phase 2 identifiers, they can negotiate overlapping SPD entries
251 with the same responder IP address. The responder could then send
252 packets down the wrong IPsec SA. This occurs because to the
253 responder, the IPsec SAs appear to be equivalent, since they exist
254 between the same endpoints and can be used to pass the same
255 traffic.
257 f) Incompatibilities between IPsec SPI selection and NAT. Since
258 IPsec ESP traffic is encrypted and thus opaque to the NAT, the NAT
259 must use elements of the IP and IPsec header to demultiplex
260 incoming IPsec traffic. The combination of the destination IP
261 address, security protocol (AH/ESP), and IPsec SPI is typically
262 used for this purpose.
264 However, since the outgoing and incoming SPIs are chosen
265 independently, there is no way for the NAT to determine what
266 incoming SPI corresponds to what destination host merely by
267 inspecting outgoing traffic. Thus, were two hosts behind the NAT
268 to attempt to create IPsec SAs at the same destination
269 simultaneously, it is possible that the NAT will deliver the
270 incoming IPsec packets to the wrong destination.
272 Note that this is not an incompatibility with IPsec per se, but
273 rather with the way it is typically implemented. With both AH and
274 ESP, the receiving host specifies the SPI to use for a given SA, a
275 choice which is significant only to the receiver. At present, the
276 combination of Destination IP, SPI, and Security Protocol (AH,
277 ESP) uniquely identifies a Security Association. Also, SPI values
278 in the range 1-255 are reserved to IANA and may be used in the
282 Aboba & Dixon Informational [Page 5]
283 \f
284 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
287 future. This means that, when negotiating with the same external
288 host or gateway, the internal hosts behind the same NAPT can
289 select the same SPI value, such that one host inbound SA is
290 (SPI=470, Internal Dest IP=192.168.0.4)
291 and a different host inbound SA is
292 (SPI=470, Internal Dest IP=192.168.0.5).
293 The receiving NAPT will not be able to determine which internal
294 host an inbound IPsec packet with SPI=470 should be forwarded to.
296 It is also possible for the receiving host to allocate a unique
297 SPI to each unicast Security Association. In this case, the
298 Destination IP Address need only be checked to see if it is "any
299 valid unicast IP for this host", not checked to see if it is the
300 specific Destination IP address used by the sending host. Using
301 this technique, the NA(P)T can be assured of a low but non-zero
302 chance of forwarding packets to the wrong internal host, even when
303 two or more hosts establish SAs with the same external host.
305 This approach is completely backwards compatible, and only
306 requires the particular receiving host to make a change to its SPI
307 allocation and IPsec_esp_input() code. However, NA(P)T devices
308 may not be able to detect this behavior without problems
309 associated with parsing IKE payloads. And a host may still be
310 required to use a SPI in the IANA reserved range for the assigned
311 purpose.
313 g) Incompatibilities between embedded IP addresses and NAT. Since
314 the payload is integrity protected, any IP addresses enclosed
315 within IPsec packets will not be translatable by a NAT. This
316 renders ineffective Application Layer Gateways (ALGs) implemented
317 within NATs. Protocols that utilize embedded IP addresses include
318 FTP, IRC, SNMP, LDAP, H.323, SIP, SCTP (optionally), and many
319 games. To address this issue, it is necessary to install ALGs on
320 the host or security gateway that can operate on application
321 traffic prior to IPsec encapsulation and after IPsec
322 decapsulation.
324 h) Implicit directionality of NA(P)T. NA(P)Ts often require an
325 initial outbound packet to flow through them in order to create an
326 inbound mapping state. Directionality prohibits unsolicited
327 establishment of IPsec SAs to hosts behind the NA(P)T.
329 i) Inbound SA selector verification. Assuming IKE negotiates phase 2
330 selectors, inbound SA processing will drop the decapsulated
331 packet, since [RFC2401] requires a packet's source address match
332 the SA selector value, which NA(P)T processing of an ESP packet
333 would change.
338 Aboba & Dixon Informational [Page 6]
339 \f
340 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
343 2.2. NA(P)T Implementation Weaknesses
345 Implementation problems present in many NA(P)Ts include:
347 j) Inability to handle non-UDP/TCP traffic. Some NA(P)Ts discard
348 non-UDP/TCP traffic or perform address-only translation when only
349 one host is behind the NAT. Such NAPTs are unable to enable SCTP,
350 ESP (protocol 50), or AH (protocol 51) traffic.
352 k) NAT mapping timeouts. NA(P)Ts vary in the time for which a UDP
353 mapping will be maintained in the absence of traffic. Thus, even
354 where IKE packets can be correctly translated, the translation
355 state may be removed prematurely.
357 l) Inability to handle outgoing fragments. Most NA(P)Ts can properly
358 fragment outgoing IP packets in the case where the IP packet size
359 exceeds the MTU on the outgoing interface. However, proper
360 translation of outgoing packets that are already fragmented is
361 difficult and most NAPTs do not handle this correctly. As noted
362 in Section 6.3 of [RFC3022], where two hosts originate fragmented
363 packets to the same destination, the fragment identifiers can
364 overlap. Since the destination host relies on the fragmentation
365 identifier and fragment offset for reassembly, the result will be
366 data corruption. Few NA(P)Ts protect against identifier
367 collisions by supporting identifier translation. Identifier
368 collisions are not an issue when NATs perform the fragmentation,
369 since the fragment identifier need only be unique within a
370 source/destination IP address pair.
372 Since a fragment can be as small as 68 octets [RFC791], there is
373 no guarantee that the first fragment will contain a complete TCP
374 header. Thus, a NA(P)T looking to recalculate the TCP checksum
375 may need to modify a subsequent fragment. Since fragments can be
376 reordered, and IP addresses can be embedded and possibly even
377 split between fragments, the NA(P)T will need to perform
378 reassembly prior to completing the translation. Few NA(P)Ts
379 support this.
381 m) Inability to handle incoming fragments. Since only the first
382 fragment will typically contain a complete IP/UDP/SCTP/TCP header,
383 NAPTs need to be able to perform the translation based on the
384 source/dest IP address and fragment identifier alone. Since
385 fragments can be reordered, the headers to a given fragment
386 identifier may not be known if a subsequent fragment arrives prior
387 to the initial one, and the headers may be split between
388 fragments. As a result, the NAPT may need to perform reassembly
389 prior to completing the translation. Few NAPTs support this.
390 Note that with NAT, the source/dest IP address is enough to
394 Aboba & Dixon Informational [Page 7]
395 \f
396 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
399 determine the translation so that this does not arise. However,
400 it is possible for the IPsec or IKE headers to be split between
401 fragments, so that reassembly may still be required.
403 2.3. Helper Incompatibilities
405 Incompatibilities between IPsec and NAT "helper" functionality
406 include:
408 n) Internet Security Association and Key Management Protocol (ISAKMP)
409 header inspection. Today some NAT implementations attempt to use
410 IKE cookies to de-multiplex incoming IKE traffic. As with
411 source-port de-multiplexing, IKE cookie de-multiplexing results in
412 problems with re-keying, since Phase 1 re-keys typically will not
413 use the same cookies as the earlier traffic.
415 o) Special treatment of port 500. Since some IKE implementations are
416 unable to handle non-500 UDP source ports, some NATs do not
417 translate packets with a UDP source port of 500. This means that
418 these NATs are limited to one IPsec client per destination
419 gateway, unless they inspect details of the ISAKMP header to
420 examine cookies which creates the problem noted above.
422 p) ISAKMP payload inspection. NA(P)T implementations that attempt to
423 parse ISAKMP payloads may not handle all payload ordering
424 combinations, or support vendor_id payloads for IKE option
425 negotiation.
427 3. Requirements for IPsec-NAT Compatibility
429 The goal of an IPsec-NAT compatibility solution is to expand the
430 range of usable IPsec functionality beyond that available in the
431 NAT-compatible IPsec tunnel mode solution described in Section 2.3.
433 In evaluating a solution to IPsec-NAT incompatibility, the following
434 criteria should be kept in mind:
436 Deployment
438 Since IPv6 will address the address scarcity issues that
439 frequently lead to use of NA(P)Ts with IPv4, the IPsec-NAT
440 compatibility issue is a transitional problem that needs to be
441 solved in the time frame prior to widespread deployment of IPv6.
442 Therefore, to be useful, an IPsec-NAT compatibility solution MUST
443 be deployable on a shorter time scale than IPv6.
450 Aboba & Dixon Informational [Page 8]
451 \f
452 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
455 Since IPv6 deployment requires changes to routers as well as
456 hosts, a potential IPsec-NAT compatibility solution, which
457 requires changes to both routers and hosts, will be deployable on
458 approximately the same time scale as IPv6. Thus, an IPsec-NAT
459 compatibility solution SHOULD require changes only to hosts, and
460 not to routers.
462 Among other things, this implies that communication between the
463 host and the NA(P)T SHOULD NOT be required by an IPsec-NAT
464 compatibility solution, since that would require changes to the
465 NA(P)Ts, and interoperability testing between the host and NA(P)T
466 implementations. In order to enable deployment in the short term,
467 it is necessary for the solution to work with existing router and
468 NA(P)T products within the deployed infrastructure.
470 Protocol Compatibility
472 An IPsec NAT traversal solution is not expected to resolve issues
473 with protocols that cannot traverse NA(P)T when unsecured with
474 IPsec. Therefore, ALGs may still be needed for some protocols,
475 even when an IPsec NAT traversal solution is available.
477 Security
479 Since NA(P)T directionality serves a security function, IPsec
480 NA(P)T traversal solutions should not allow arbitrary incoming
481 IPsec or IKE traffic from any IP address to be received by a host
482 behind the NA(P)T, although mapping state should be maintained
483 once bidirectional IKE and IPsec communication is established.
485 Telecommuter Scenario
487 Since one of the primary uses of IPsec is remote access to
488 corporate Intranets, a NA(P)T traversal solution MUST support
489 NA(P)T traversal, via either IPsec tunnel mode or L2TP over IPsec
490 transport mode [RFC3193]. This includes support for traversal of
491 more than one NA(P)T between the remote client and the VPN
492 gateway.
494 The client may have a routable address and the VPN gateway may be
495 behind at least one NA(P)T, or alternatively, both the client and
496 the VPN gateway may be behind one or more NA(P)Ts. Telecommuters
497 may use the same private IP address, each behind their own NA(P)T,
498 or many telecommuters may reside on a private network behind the
499 same NA(P)T, each with their own unique private address,
500 connecting to the same VPN gateway. Since IKE uses UDP port 500
501 as the destination, it is not necessary to enable multiple VPN
502 gateways operating behind the same external IP address.
506 Aboba & Dixon Informational [Page 9]
507 \f
508 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
511 Gateway-to-Gateway Scenario
513 In a gateway-gateway scenario, a privately addressed network (DMZ)
514 may be inserted between the corporate network and the Internet.
515 In this design, IPsec security gateways connecting portions of the
516 corporate network may be resident in the DMZ and have private
517 addresses on their external (DMZ) interfaces. A NA(P)T connects
518 the DMZ network to the Internet.
520 End-to-End Scenario
522 A NAT-IPsec solution MUST enable secure host-host TCP/IP
523 communication via IPsec, as well as host-gateway communications.
524 A host on a private network MUST be able to bring up one or
525 multiple IPsec-protected TCP connections or UDP sessions to
526 another host with one or more NA(P)Ts between them. For example,
527 NA(P)Ts may be deployed within branch offices connecting to the
528 corporate network, with an additional NA(P)T connecting the
529 corporate network to the Internet. Likewise, NA(P)Ts may be
530 deployed within a corporate network LAN or WAN to connect wireless
531 or remote location clients to the corporate network. This may
532 require special processing of TCP and UDP traffic on the host.
534 Bringing up SCTP connections to another host with one or more NA(P)Ts
535 between them may present special challenges. SCTP supports multi-
536 homing. If more than one IP address is used, these addresses are
537 transported as part of the SCTP packet during the association setup
538 (in the INIT and INIT-ACK chunks). If only single homed SCTP end-
539 points are used, [RFC2960] section 3.3.2.1 states:
541 Note that not using any IP address parameters in the INIT and
542 INIT-ACK is an alternative to make an association more likely
543 to work across a NAT box.
545 This implies that IP addresses should not be put into the SCTP packet
546 unless necessary. If NATs are present and IP addresses are included,
547 then association setup will fail. Recently [AddIP] has been proposed
548 which allows the modification of the IP address once an association
549 is established. The modification messages have also IP addresses in
550 the SCTP packet, and so will be adversely affected by NATs.
552 Firewall Compatibility
554 Since firewalls are widely deployed, a NAT-IPsec compatibility
555 solution MUST enable a firewall administrator to create simple,
556 static access rule(s) to permit or deny IKE and IPsec NA(P)T
557 traversal traffic. This implies, for example, that dynamic
558 allocation of IKE or IPsec destination ports is to be avoided.
562 Aboba & Dixon Informational [Page 10]
563 \f
564 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
567 Scaling
569 An IPsec-NAT compatibility solution should be capable of being
570 deployed within an installation consisting of thousands of
571 telecommuters. In this situation, it is not possible to assume
572 that only a single host is communicating with a given destination
573 at a time. Thus, an IPsec-NAT compatibility solution MUST address
574 the issue of overlapping SPD entries and de-multiplexing of
575 incoming packets.
577 Mode Support
579 At a minimum, an IPsec-NAT compatibility solution MUST support
580 traversal of the IKE and IPsec modes required for support within
581 [RFC2409] and [RFC2401]. For example, an IPsec gateway MUST
582 support ESP tunnel mode NA(P)T traversal, and an IPsec host MUST
583 support IPsec transport mode NA(P)T traversal. The purpose of AH
584 is to protect immutable fields within the IP header (including
585 addresses), and NA(P)T translates addresses, invalidating the AH
586 integrity check. As a result, NA(P)T and AH are fundamentally
587 incompatible and there is no requirement that an IPsec-NAT
588 compatibility solution support AH transport or tunnel mode.
590 Backward Compatibility and Interoperability
592 An IPsec-NAT compatibility solution MUST be interoperable with
593 existing IKE/IPsec implementations, so that they can communicate
594 where no NA(P)T is present. This implies that an IPsec-NAT
595 compatibility solution MUST be backwards-compatible with IPsec as
596 defined in [RFC2401] and IKE as defined in [RFC2409]. In
597 addition, it SHOULD be able to detect the presence of a NA(P)T, so
598 that NA(P)T traversal support is only used when necessary. This
599 implies that it MUST be possible to determine that an existing IKE
600 implementation does not support NA(P)T traversal, so that a
601 standard IKE conversation can occur, as described in [RFC2407],
602 [RFC2408], and [RFC2409]. Note that while this implies initiation
603 of IKE to port 500, there is no requirement for a specific source
604 port, so that UDP source port 500 may or may not be used.
606 Security
608 An IPsec-NAT compatibility solution MUST NOT introduce additional
609 IKE or IPsec security vulnerabilities. For example, an acceptable
610 solution must demonstrate that it introduces no new denial of
611 service or spoofing vulnerabilities. IKE MUST be allowed to re-
612 key in a bi-directional manner as described in [RFC2408].
618 Aboba & Dixon Informational [Page 11]
619 \f
620 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
623 4. Existing Solutions
625 4.1. IPsec Tunnel Mode
627 In a limited set of circumstances, it is possible for an IPsec tunnel
628 mode implementation, such as that described in [DHCP], to traverse
629 NA(P)T successfully. However, the requirements for successful
630 traversal are sufficiently limited so that a more general solution is
631 needed:
633 1) IPsec ESP. IPsec ESP tunnels do not cover the outer IP header
634 within the message integrity check, and so will not suffer
635 Authentication Data invalidation due to address translation.
636 IPsec tunnels also need not be concerned about checksum
637 invalidation.
639 2) No address validation. Most current IPsec tunnel mode
640 implementations do not perform source address validation so that
641 incompatibilities between IKE identifiers and source addresses
642 will not be detected. This introduces security vulnerabilities as
643 described in Section 5.
645 3) "Any to Any" SPD entries. IPsec tunnel mode clients can negotiate
646 "any to any" SPDs, which are not invalidated by address
647 translation. This effectively precludes use of SPDs for the
648 filtering of allowed tunnel traffic.
650 4) Single client operation. With only a single client behind a NAT,
651 there is no risk of overlapping SPDs. Since the NAT will not need
652 to arbitrate between competing clients, there is also no risk of
653 re-key mis-translation, or improper incoming SPI or cookie
654 de-multiplexing.
656 5) No fragmentation. When certificate authentication is used, IKE
657 fragmentation can be encountered. This can occur when certificate
658 chains are used, or even when exchanging a single certificate if
659 the key size, or the size of other certificate fields (such as the
660 distinguished name and other extensions), is large enough.
661 However, when pre-shared keys are used for authentication,
662 fragmentation is less likely.
664 6) Active sessions. Most VPN sessions typically maintain ongoing
665 traffic flow during their lifetime so that UDP port mappings are
666 less likely be removed due to inactivity.
674 Aboba & Dixon Informational [Page 12]
675 \f
676 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
679 4.2. RSIP
681 RSIP, described in [RSIP] and [RSIPFrame], includes mechanisms for
682 IPsec traversal, as described in [RSIPsec]. By enabling host-NA(P)T
683 communication, RSIP addresses issues of IPsec SPI de-multiplexing, as
684 well as SPD overlap. It is thus suitable for use in enterprises, as
685 well as home networking scenarios. By enabling hosts behind a NAT to
686 share the external IP address of the NA(P)T (the RSIP gateway), this
687 approach is compatible with protocols including embedded IP
688 addresses.
690 By tunneling IKE and IPsec packets, RSIP avoids changes to the IKE
691 and IPsec protocols, although major changes are required to host IKE
692 and IPsec implementations to retrofit them for RSIP-compatibility.
693 It is thus compatible with all existing protocols (AH/ESP) and modes
694 (transport and tunnel).
696 In order to handle de-multiplexing of IKE re-keys, RSIP requires
697 floating of the IKE source port, as well as re-keying to the floated
698 port. As a result, interoperability with existing IPsec
699 implementations is not assured.
701 RSIP does not satisfy the deployment requirements for an IPsec-NAT
702 compatibility solution because an RSIP-enabled host requires a
703 corresponding RSIP-enabled gateway in order to establish an IPsec SA
704 with another host. Since RSIP requires changes only to clients and
705 routers and not to servers, it is less difficult to deploy than IPv6.
706 However, for vendors, implementation of RSIP requires a substantial
707 fraction of the resources required for IPv6 support. Thus, RSIP
708 solves a "transitional" problem on a long-term time scale, which is
709 not useful.
711 4.3. 6to4
713 6to4, as described in [RFC3056] can form the basis for an IPsec-NAT
714 traversal solution. In this approach, the NAT provides IPv6 hosts
715 with an IPv6 prefix derived from the NAT external IPv4 address, and
716 encapsulates IPv6 packets in IPv4 for transmission to other 6to4
717 hosts or 6to4 relays. This enables an IPv6 host using IPsec to
718 communicate freely to other hosts within the IPv6 or 6to4 clouds.
720 While 6to4 is an elegant and robust solution where a single NA(P)T
721 separates a client and VPN gateway, it is not universally applicable.
722 Since 6to4 requires the assignment of a routable IPv4 address to the
723 NA(P)T in order to allow formation of an IPv6 prefix, it is not
724 usable where multiple NA(P)Ts exist between the client and VPN
730 Aboba & Dixon Informational [Page 13]
731 \f
732 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
735 gateway. For example, an NA(P)T with a private address on its
736 external interface cannot be used by clients behind it to obtain an
737 IPv6 prefix via 6to4.
739 While 6to4 requires little additional support from hosts that already
740 support IPv6, it does require changes to NATs, which need to be
741 upgraded to support 6to4. As a result, 6to4 may not be suitable for
742 deployment in the short term.
744 5. Security Considerations
746 By definition, IPsec-NAT compatibility requires that hosts and
747 routers implementing IPsec be capable of securely processing packets
748 whose IP headers are not cryptographically protected. A number of
749 issues arise from this that are worth discussing.
751 Since IPsec AH cannot pass through a NAT, one of the side effects of
752 providing an IPsec-NAT compatibility solution may be for IPsec ESP
753 with null encryption to be used in place of AH where a NAT exists
754 between the source and destination. However, it should be noted that
755 ESP with null encryption does not provide the same security
756 properties as AH. For example, there are security risks relating to
757 IPv6 source routing that are precluded by AH, but not by ESP with
758 null encryption.
760 In addition, since ESP with any transform does not protect against
761 source address spoofing, some sort of source IP address sanity
762 checking needs to be performed. The importance of the anti-spoofing
763 check is not widely understood. There is normally an anti-spoofing
764 check on the Source IP Address as part of IPsec_{esp,ah}_input().
765 This ensures that the packet originates from the same address as that
766 claimed within the original IKE Phase 1 and Phase 2 security
767 associations. When a receiving host is behind a NAT, this check
768 might not strictly be meaningful for unicast sessions, whereas in the
769 Global Internet this check is important for tunnel-mode unicast
770 sessions to prevent a spoofing attack described in [AuthSource],
771 which can occur when access controls on the receiver depend upon the
772 source IP address of verified ESP packets after decapsulation.
773 IPsec-NAT compatibility schemes should provide anti-spoofing
774 protection if it uses source addresses for access controls.
776 Let us consider two hosts, A and C, both behind (different) NATs, who
777 negotiate IPsec tunnel mode SAs to router B. Hosts A and C may have
778 different privileges; for example, host A might belong to an employee
779 trusted to access much of the corporate Intranet, while C might be a
780 contractor only authorized to access a specific web site.
786 Aboba & Dixon Informational [Page 14]
787 \f
788 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
791 If host C sends a tunnel mode packet spoofing A's IP address as the
792 source, it is important that this packet not be accorded the
793 privileges corresponding to A. If authentication and integrity
794 checking is performed, but no anti-spoofing check (verifying that the
795 originating IP address corresponds to the SPI) then host C may be
796 allowed to reach parts of the network that are off limits. As a
797 result, an IPsec-NAT compatibility scheme MUST provide some degree of
798 anti-spoofing protection.
800 6. References
802 6.1. Normative References
804 [RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791,
805 September 1981.
807 [RFC793] Postel, J., "Transmission Control Protocol", STD 7, RFC
808 793, September 1981.
810 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
811 Requirement Levels", BCP 14, RFC 2119, March 1997.
813 [RFC2401] Atkinson, R. and S. Kent, "Security Architecture for the
814 Internet Protocol", RFC 2401, November 1998.
816 [RFC2402] Kent, S. and R. Atkinson, "IP Authentication Header",
817 RFC 2402, November 1998.
819 [RFC2406] Kent,S. and R. Atkinson, "IP Encapsulating Security
820 Payload (ESP)", RFC 2406, November 1998.
822 [RFC2407] Piper, D., "The Internet IP Security Domain of
823 Interpretation for ISAKMP", RFC 2407, November 1998.
825 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
826 (IKE)", RFC 2409, November 1998.
828 [RFC2663] Srisuresh, P. and M. Holdredge, "IP Network Address
829 Translator (NAT) Terminology and Considerations", RFC
830 2663, August 1999.
832 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
833 Address Translator (Traditional NAT)", RFC 3022, January
834 2001.
842 Aboba & Dixon Informational [Page 15]
843 \f
844 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
847 6.2. Informative References
849 [RFC2408] Maughan, D., Schertler, M., Schneider, M. and J. Turner,
850 "Internet Security Association and Key Management
851 Protocol (ISAKMP)", RFC 2408, November 1998.
853 [RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C.,
854 Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M.,
855 Zhang, M. and V. Paxson, "Stream Control Transmission
856 Protocol", RFC 2960, October 2000.
858 [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
859 via IPv4 Clouds", RFC 3056, February 2001.
861 [RFC3193] Patel, B., Aboba, B., Dixon, W., Zorn, G. and S. Booth,
862 "Securing L2TP using IPsec", RFC 3193, November 2001.
864 [RFC3309] Stone, J., Stewart, R. and D. Otis, "Stream Control
865 Transmission Protocol (SCTP) Checksum Change", RFC 3309,
866 September 2002.
868 [RSIPFrame] Borella, M., Lo, J., Grabelsky, D. and G. Montenegro,
869 "Realm Specific IP: Framework", RFC 3102, October 2001.
871 [RSIP] Borella, M., Grabelsky, D., Lo, J. and K. Taniguchi,
872 "Realm Specific IP: Protocol Specification", RFC 3103,
873 October 2001.
875 [RSIPsec] Montenegro, G. and M. Borella, "RSIP Support for End-
876 to-End IPsec", RFC 3104, October 2001.
878 [DHCP] Patel, B., Aboba, B., Kelly, S. and V. Gupta, "Dynamic
879 Host Configuration Protocol (DHCPv4) Configuration of
880 IPsec Tunnel Mode", RFC 3456, January 2003.
882 [AuthSource] Kent, S., "Authenticated Source Addresses", IPsec WG
883 Archive (ftp://ftp.ans.net/pub/archive/IPsec), Message-
884 Id: <v02130517ad121773c8ed@[128.89.0.110]>, January 5,
885 1996.
887 [AddIP] Stewart, R., et al., "Stream Control Transmission
888 Protocol (SCTP) Dynamic Address Reconfiguration", Work
889 in Progress.
898 Aboba & Dixon Informational [Page 16]
899 \f
900 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
903 7. Acknowledgments
905 Thanks to Steve Bellovin of AT&T Research, Michael Tuexen of Siemens,
906 Peter Ford of Microsoft, Ran Atkinson of Extreme Networks, and Daniel
907 Senie for useful discussions of this problem space.
909 8. Authors' Addresses
911 Bernard Aboba
912 Microsoft Corporation
913 One Microsoft Way
914 Redmond, WA 98052
916 Phone: +1 425 706 6605
917 Fax: +1 425 936 7329
918 EMail: bernarda@microsoft.com
921 William Dixon
922 V6 Security, Inc.
923 601 Union Square, Suite #4200-300
924 Seattle, WA 98101
926 EMail: ietf-wd@v6security.com
954 Aboba & Dixon Informational [Page 17]
955 \f
956 RFC 3715 IPsec-NAT Compatibility Requirements March 2004
959 9. Full Copyright Statement
961 Copyright (C) The Internet Society (2004). This document is subject
962 to the rights, licenses and restrictions contained in BCP 78 and
963 except as set forth therein, the authors retain all their rights.
965 This document and the information contained herein are provided on an
966 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
967 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
968 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
969 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
970 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
971 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
973 Intellectual Property
975 The IETF takes no position regarding the validity or scope of any
976 Intellectual Property Rights or other rights that might be claimed to
977 pertain to the implementation or use of the technology described in
978 this document or the extent to which any license under such rights
979 might or might not be available; nor does it represent that it has
980 made any independent effort to identify any such rights. Information
981 on the procedures with respect to rights in RFC documents can be
982 found in BCP 78 and BCP 79.
984 Copies of IPR disclosures made to the IETF Secretariat and any
985 assurances of licenses to be made available, or the result of an
986 attempt made to obtain a general license or permission for the use of
987 such proprietary rights by implementers or users of this
988 specification can be obtained from the IETF on-line IPR repository at
989 http://www.ietf.org/ipr.
991 The IETF invites any interested party to bring to its attention any
992 copyrights, patents or patent applications, or other proprietary
993 rights that may cover technology that may be required to implement
994 this standard. Please address the information to the IETF at ietf-
995 ipr@ietf.org.
997 Acknowledgement
999 Funding for the RFC Editor function is currently provided by the
1000 Internet Society.
1010 Aboba & Dixon Informational [Page 18]
1011 \f