1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
|
Independent Submission P. Srisuresh
Request for Comments: 5684 EMC Corporation
Category: Informational B. Ford
ISSN: 2070-1721 Yale University
February 2010
Unintended Consequences of NAT Deployments
with Overlapping Address Space
Abstract
This document identifies two deployment scenarios that have arisen
from the unconventional network topologies formed using Network
Address Translator (NAT) devices. First, the simplicity of
administering networks through the combination of NAT and DHCP has
increasingly lead to the deployment of multi-level inter-connected
private networks involving overlapping private IP address spaces.
Second, the proliferation of private networks in enterprises, hotels
and conferences, and the wide-spread use of Virtual Private Networks
(VPNs) to access an enterprise intranet from remote locations has
increasingly lead to overlapping private IP address space between
remote and corporate networks. This document does not dismiss these
unconventional scenarios as invalid, but recognizes them as real and
offers recommendations to help ensure these deployments can
function without a meltdown.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any
other RFC stream. The RFC Editor has chosen to publish this
document at its discretion and makes no statement about its value
for implementation or deployment. Documents approved for
publication by the RFC Editor are not a candidate for any level of
Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5684.
Srisuresh & Ford Informational [Page 1]
^L
RFC 5684 Complications from NAT Deployments February 2010
Copyright
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http:trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction and Scope ..........................................3
2. Terminology and Conventions Used ................................4
3. Multi-Level NAT Network Topologies ..............................4
3.1. Operational Details of the Multi-Level NAT Network .........6
3.1.1. Client/Server Communication .........................7
3.1.2. Peer-to-Peer Communication ..........................7
3.2. Anomalies of the Multi-Level NAT Network ...................8
3.2.1. Plug-and-Play NAT Devices ..........................10
3.2.2. Unconventional Addressing on NAT Devices ...........11
3.2.3. Multi-Level NAT Translations .......................12
3.2.4. Mistaken End Host Identity .........................13
4. Remote Access VPN Network Topologies ...........................14
4.1. Operational Details of the Remote Access VPN Network ......17
4.2. Anomalies of the Remote Access VPNs .......................18
4.2.1. Remote Router and DHCP Server Address Conflict .....18
4.2.2. Simultaneous Connectivity Conflict .................20
4.2.3. VIP Address Conflict ...............................21
4.2.4. Mistaken End Host Identity .........................22
5. Summary of Recommendations .....................................22
6. Security Considerations ........................................24
7. Acknowledgements ...............................................24
8. References .....................................................25
8.1. Normative References ......................................25
8.2. Informative References ....................................25
Srisuresh & Ford Informational [Page 2]
^L
RFC 5684 Complications from NAT Deployments February 2010
1. Introduction and Scope
The Internet was originally designed to use a single, global 32-bit
IP address space to uniquely identify hosts on the network, allowing
applications on one host to address and initiate communications with
applications on any other host regardless of the respective host's
topological locations or administrative domains. For a variety of
pragmatic reasons, however, the Internet has gradually drifted away
from strict conformance to this ideal of a single flat global address
space, and towards a hierarchy of smaller "private" address spaces
[RFC1918] clustered around a large central "public" address space.
The most important pragmatic causes of this unintended evolution of
the Internet's architecture appear to be the following.
1. Depletion of the 32-bit IPv4 address space due to the exploding
total number of hosts on the Internet. Although IPv6 promises to
solve this problem, the uptake of IPv6 has in practice been slower
than expected.
2. Perceived Security and Privacy: Traditional NAT devices provide a
filtering function that permits session flows to cross the NAT in
just one direction, from private hosts to public network hosts.
This filtering function is widely perceived as a security benefit.
In addition, the NAT's translation of a host's original IP
addresses and port number in a private network into an unrelated,
external IP address and port number is perceived by some as a
privacy benefit.
3. Ease-of-Use: NAT vendors often combine the NAT function with a
DHCP server function in the same device, which creates a
compelling, effectively "plug-and-play" method of setting up small
Internet-attached personal networks that is often much easier in
practice for unsophisticated consumers than configuring an IP
subnet. The many popular and inexpensive consumer NAT devices on
the market are usually configured "out of the box" to obtain a
single "public" IP address from an ISP or "upstream" network via
DHCP ([DHCP]), and the NAT device in turn acts as both a DHCP
server and default router for any "downstream" hosts (and even
other NATs) that the user plugs into it. Consumer NATs in this
way effectively create and manage private home networks
automatically without requiring any knowledge of network protocols
or management on the part of the user. Auto-configuration of
private hosts makes NAT devices a compelling solution in this
common scenario.
[NAT-PROT] identifies various complications with application
protocols due to NAT devices. This document acts as an adjunct to
[NAT-PROT]. The scope of the document is restricted to the two
Srisuresh & Ford Informational [Page 3]
^L
RFC 5684 Complications from NAT Deployments February 2010
scenarios identified in sections 3 and 4, arising out of
unconventional NAT deployment and private address space overlap.
Even though the scenarios appear unconventional, they are not
uncommon to find. For each scenario, the document describes the
seeming anomalies and offers recommendations on how best to make the
topologies work.
Section 2 describes the terminology and conventions used in the
document. Section 3 describes the problem of private address space
overlap in a multi-level NAT topology, the anomalies with the
topology, and recommendations to address the anomalies. Section 4
describes the problem of private address space overlap with remote
access Virtual Private Network (VPN) connections, the anomalies with
the topology, and recommendations to address the anomalies. Section
5 describes the security considerations in these scenarios.
2. Terminology and Conventions Used
In this document, the IP addresses 192.0.2.1, 192.0.2.64,
192.0.2.128, and 192.0.2.254 are used as example public IP addresses
[RFC5735]. Although these addresses are all from the same /24
network, this is a limitation of the example addresses available in
[RFC5735]. In practice, these addresses would be on different
networks.
Readers are urged to refer to [NAT-TERM] for information on NAT
taxonomy and terminology. Unless prefixed with a NAT type or
explicitly stated otherwise, the term NAT, used throughout this
document, refers to Traditional NAT [NAT-TRAD]. Traditional NAT has
two variations, namely, Basic NAT and Network Address Port Translator
(NAPT). Of these, NAPT is by far the most commonly deployed NAT
device. NAPT allows multiple private hosts to share a single public
IP address simultaneously.
3. Multi-Level NAT Network Topologies
Due to the pragmatic considerations discussed in the previous section
and perhaps others, NATs are increasingly, and often unintentionally,
used to create hierarchically interconnected clusters of private
networks as illustrated in figure 1 below. The creation of multi-
level hierarchies is often unintentional, since each level of NAT is
typically deployed by a separate administrative entity such as an
ISP, a corporation, or a home user.
Srisuresh & Ford Informational [Page 4]
^L
RFC 5684 Complications from NAT Deployments February 2010
Public Internet
(Public IP Addresses)
----+---------------+---------------+---------------+----
| | | |
| | | |
192.0.2.1 192.0.2.64 192.0.2.128 192.0.2.254
+-------+ Host A Host B +-------------+
| NAT-1 | (Alice) (Jim) | NAT-2 |
| (Bob) | | (CheapoISP) |
+-------+ +-------------+
10.1.1.1 10.1.1.1
| |
| |
Private Network 1 Private Network 2
(Private IP Addresses) (Private IP Addresses)
----+--------+---- ----+-----------------------+----
| | | | |
| | | | |
10.1.1.10 10.1.1.11 10.1.1.10 10.1.1.11 10.1.1.12
Host C Host D +-------+ Host E +-------+
| NAT-3 | (Mary) | NAT-4 |
| (Ann) | | (Lex) |
+-------+ +-------+
10.1.1.1 10.1.1.1
| |
| |
Private Network 3 | Private Network 4
(Private IP Addresses)| (Private IP Addresses)
----+-----------+---+ ----+-----------+----
| | | |
| | | |
10.1.1.10 10.1.1.11 10.1.1.10 10.1.1.11
Host F Host G Host H Host I
Figure 1. Multi-Level NAT Topology with Overlapping Address Space
In the above scenario, Bob, Alice, Jim, and CheapoISP have each
obtained a "genuine", globally routable IP address from an upstream
service provider. Alice and Jim have chosen to attach only a single
machine at each of these public IP addresses, preserving the
originally intended architecture of the Internet and making their
hosts, A and B, globally addressable throughout the Internet. Bob,
in contrast, has purchased and attached a typical consumer NAT box.
Bob's NAT obtains its external IP address (192.0.2.1) from Bob's ISP
via DHCP, and automatically creates a private 10.1.1.x network for
Bob's hosts C and D, acting as the DHCP server and default router for
this private network. Bob probably does not even know anything about
IP addresses; he merely knows that plugging the NAT into the Internet
Srisuresh & Ford Informational [Page 5]
^L
RFC 5684 Complications from NAT Deployments February 2010
as instructed by the ISP, and then plugging his hosts into the NAT as
the NAT's manual indicates, seems to work and gives all of his hosts
access to Internet.
CheapoISP, an inexpensive service provider, has allocated only one or
a few globally routable IP addresses, and uses NAT to share these
public IP addresses among its many customers. Such an arrangement is
becoming increasingly common, especially in rapidly developing
countries where the exploding number of Internet-attached hosts
greatly outstrips the ability of ISPs to obtain globally unique IP
addresses for them. CheapoISP has chosen the popular 10.1.1.x
address for its private network, since this is one of the three well-
known private IP address blocks allocated in [RFC1918] specifically
for this purpose.
Of the three incentives listed in section 1 for NAT deployment, the
last two still apply even to customers of ISPs that use NAT,
resulting in multi-level NAT topologies as illustrated in the right
side of the above diagram. Even three-level NAT topologies are known
to exist. CheapoISP's customers Ann, Mary, and Lex have each
obtained a single IP address on CheapoISP's network (Private Network
2), via DHCP. Mary attaches only a single host at this point, but
Ann and Lex each independently purchase and deploy consumer NATs in
the same way that Bob did above. As it turns out, these consumer
NATs also happen to use 10.1.1.x addresses for the private networks
they create, since these are the configuration defaults hard-coded
into the NATs by their vendors. Ann and Lex probably know nothing
about IP addresses, and in particular they are probably unaware that
the IP address spaces of their own private networks overlap not only
with each other but also with the private IP address space used by
their immediately upstream network.
Nevertheless, despite this direct overlap, all of the "multi-level
NATed hosts" -- F, G, H, and I in this case -- all nominally function
and are able to initiate connections to any public server on the
public Internet that has a globally routable IP address. Connections
made from these hosts to the main Internet are merely translated
twice: once by the consumer NAT (NAT-3 or NAT-44) into the IP address
space of CheapoISP's Private Network 2 and then again by CheapoISP's
NAT-2 into the public Internet's global IP address space.
3.1. Operational Details of the Multi-Level NAT Network
In the "de facto" Internet address architecture that has resulted
from the above pragmatic and economic incentives, only the nodes on
the public Internet have globally unique IP addresses assigned by the
official IP address registries. IP addresses on different private
networks are typically managed independently -- either manually by
Srisuresh & Ford Informational [Page 6]
^L
RFC 5684 Complications from NAT Deployments February 2010
the administrator of the private network itself, or automatically by
the NAT through which the private network is connected to its
"upstream" service provider.
By convention, nodes on private networks are usually assigned IP
addresses in one of the private address space ranges specifically
allocated to this purpose in RFC 1918, ensuring that private IP
addresses are easily distinguishable and do not conflict with the
public IP addresses officially assigned to globally routable Internet
hosts. However, when plug-and-play NATs are used to create
hierarchically interconnected clusters of private networks, a given
private IP address can be and often is reused across many different
private networks. In figure 1 above, for example, private networks
1, 2, 3, and 4 all have a node with IP address 10.1.1.10.
3.1.1. Client/Server Communication
When a host on a private network initiates a client/server-style
communication session with a server on the public Internet, via the
server's public IP address, the NAT intercepts the packets comprising
that session (usually as a consequence of being the default router
for the private network), and modifies the packets' IP and TCP/UDP
headers so as to make the session appear externally as if it were
initiated by the NAT itself.
For example, if host C above initiates a connection to host A at IP
address 192.0.2.64, NAT-1 modifies the packets comprising the session
so as to appear on the public Internet as if the session originated
from NAT-1. Similarly, if host F on private network 3 initiates a
connection to host A, NAT-3 modifies the outgoing packet so the
packet appears on private network 2 as if it had originated from
NAT-3 at IP address 10.1.1.10. When the modified packet traverses
NAT-2 on private network 2, NAT-2 further modifies the outgoing
packet so as to appear on the public Internet as if it had originated
from NAT-2 at public IP address 192.0.2.254. The NATs in effect
serve as proxies that give their private "downstream" client nodes a
temporary presence on "upstream" networks to support individual
communication sessions.
In summary, all hosts on the private networks 1, 2, 3, and 4 in
figure 1 above are able to establish a client/server-style
communication sessions with servers on the public Internet.
3.1.2. Peer-to-Peer Communication
While this network organization functions in practice for
client/server-style communication, when the client is behind one or
more levels of NAT and the server is on the public Internet, the lack
Srisuresh & Ford Informational [Page 7]
^L
RFC 5684 Complications from NAT Deployments February 2010
of globally routable addresses for hosts on private networks makes
direct peer-to-peer communication between those hosts difficult. For
example, two private hosts F and H on the network shown above might
"meet" and learn of each other through a well-known server on the
public Internet, such as host A, and desire to establish direct
communication between G and H without requiring A to forward each
packet. If G and H merely learn each other's (private) IP addresses
from a registry kept by A, their attempts to connect to each other
will fail because G and H reside on different private networks.
Worse, if their connection attempts are not properly authenticated,
they may appear to succeed but end up talking to the wrong host. For
example, G may end up talking to host F, the host on private network
3 that happens to have the same private IP address as host H. Host H
might similarly end up unintentionally connecting to host I.
In summary, peer-to-peer communication between hosts on disjoint
private networks 1, 2, 3, and 4 in figure 1 above is a challenge
without the assistance of a well-known server on the public Internet.
However, with assistance from a node in the public Internet, all
hosts on the private networks 1, 2, 3, and 4 in figure 1 above are
able to establish a peer-to-peer-style communication session amongst
themselves as well as with hosts on the public Internet.
3.2. Anomalies of the Multi-Level NAT Network
Even though conventional wisdom would suggest that the network
described above is seriously broken, in practice it still works in
many ways. We break up figure 1 into two sub-figures to better
illustrate the anomalies. Figure 1.1 is the left half of figure 1
and reflects the conventional single NAT deployment that is widely
prevalent in many last-mile locations. The deployment in figure 1.1
is popularly viewed as a pragmatic solution to work around the
depletion of IPv4 address space and is not considered broken. Figure
1.2 is the right half of figure-1 and is representative of the
anomalies we are about to discuss.
Srisuresh & Ford Informational [Page 8]
^L
RFC 5684 Complications from NAT Deployments February 2010
Public Internet
(Public IP Addresses)
----+---------------+---------------+-----------
| | |
| | |
192.0.2.1 192.0.2.64 192.0.2.128
+-------+ Host A Host B
| NAT-1 | (Alice) (Jim)
| (Bob) |
+-------+
10.1.1.1
|
|
Private Network 1
(Private IP Addresses)
----+--------+----
| |
| |
10.1.1.10 10.1.1.11
Host C Host D
Figure 1.1. Conventional Single-level NAT Network topology
Srisuresh & Ford Informational [Page 9]
^L
RFC 5684 Complications from NAT Deployments February 2010
Public Internet
(Public IP Addresses)
---+---------------+---------------+----
| | |
| | |
192.0.2.64 192.0.2.128 192.0.2.254
Host A Host B +-------------+
(Alice) (Jim) | NAT-2 |
| (CheapoISP) |
+-------------+
10.1.1.1
|
|
Private Network 2
(Private IP Addresses)
----+---------------+-------------+--+-------
| | |
| | |
10.1.1.10 10.1.1.11 10.1.1.12
+-------+ Host E +-------+
| NAT-3 | (Mary) | NAT-4 |
| (Ann) | | (Lex) |
+-------+ +-------+
10.1.1.1 10.1.1.1
| |
| |
Private Network 3 Private Network 4
(Private IP Addresses) (Private IP Addresses)
----+-----------+------ ----+-----------+----
| | | |
| | | |
10.1.1.10 10.1.1.11 10.1.1.10 10.1.1.11
Host F Host G Host H Host I
Figure 1.2. Unconventional Multi-Level NAT Network Topology
3.2.1. Plug-and-Play NAT Devices
Consumer NAT devices are predominantly plug-and-play NAT devices, and
assume minimal user intervention during device setup. The plug-and-
play NAT devices provide DHCP service on one interface and NAT
function on another interface. Vendors of the consumer NAT devices
make assumptions about how their consumers configure and hook up
their PCs to the device. When consumers do not adhere to the vendor
assumptions, the consumers can end up with a broken network.
Srisuresh & Ford Informational [Page 10]
^L
RFC 5684 Complications from NAT Deployments February 2010
A plug-and-play NAT device provides DHCP service on the LAN attached
to the private interface, and assumes that all private hosts at the
consumer site have DHCP client enabled and are connected to the
single LAN. Consumers need to be aware that all private hosts must
be on a single LAN, with no router in between.
A plug-and-play NAT device also assumes that there is no other NAT
device or DHCP server device on the same LAN at the customer
premises. When there are multiple plug-and-play NAT devices on the
same LAN, each NAT device will offer DHCP service on the same LAN,
and may even be from the same private address pool. This could
result in multiple end nodes on the same LAN ending up with identical
IP addresses and breaking network connectivity.
As it turns out, most consumer deployments have a single LAN where
there they deploy a plug-and-play NAT device and the concerns raised
above have not been an issue in reality.
3.2.2. Unconventional Addressing on NAT Devices
Let us consider the unconventional addressing with NAT-3 and NAT-4.
NAT-3 and NAT-4 are apparently multi-homed on the same subnet through
both their interfaces. NAT-3 is on subnet 10.1.1/24 through its
external interface facing NAT-2, as well as through its private
interface facing clients host F and host G. Likewise, NAT-4 also has
two interfaces on the same subnet 10.1.1/24.
In a traditional network, when a node has multiple interfaces with IP
addresses on the same subnet, it is natural to assume that all
interfaces with addresses on the same subnet must be on a single
connected LAN (bridged LAN or a single physical LAN). Clearly, that
is not the case here. Even though both NAT-3 and NAT-4 have two
interfaces on the same subnet 10.1.1/24, the NAT devices view the two
interfaces as being on two disjoint subnets and routing realms. The
plug-and-play NAT devices are really not multi-homed on the same
subnet as in a traditional sense.
In a traditional network, both NAT-3 and NAT-4 in figure 1.2 should
be incapable of communicating reliably as a transport endpoint with
other nodes on their adjacent networks (e.g., private networks 2 and
3 in the case of NAT-3 and private Networks 2 and 4 in the case of
NAT-4). This is because applications on either of the NAT devices
cannot know to differentiate packets from hosts on either of the
subnets bearing the same IP address. If NAT-3 attempts to resolve
the IP address of a neighboring host in the conventional manner by
broadcasting an Address Resolution Protocol (ARP) request on all of
its physical interfaces bearing the same subnet, it may get a
different response on each of its physical interfaces.
Srisuresh & Ford Informational [Page 11]
^L
RFC 5684 Complications from NAT Deployments February 2010
Even though both NAT-3 and NAT-4 have hosts bearing the same IP
address on the adjacent networks, the NAT devices do communicate
effectively as endpoints. Many of the plug-and-play NAT devices
offer a limited number of services on them. For example, many of the
NAT devices respond to pings from hosts on either of the interfaces.
Even though a NAT device is often not actively managed, many of the
NAT devices are equipped to be managed from the private interface.
This unconventional communication with NAT devices is achievable
because many of the NAT devices conform to REQ-7 of [BEH-UDP] and
view the two interfaces as being on two disjoint routing domains and
distinguish between sessions initiated from hosts on either interface
(private or public).
3.2.3. Multi-Level NAT Translations
Use of a single NAT to connect private hosts to the public Internet
as in figure 1.1 is a fairly common practice. Many consumer NATs are
deployed this way. However, use of multi-level NAT translations as
in figure 1.2 is not a common practice and is not well understood.
Let us consider the conventional single NAT translation in figure
1.1. Because the public and private IP address ranges are
numerically disjoint, nodes on private networks can make use of both
public and private IP addresses when initiating network communication
sessions. Nodes on a private network can use private IP addresses to
refer to other nodes on the same private network, and public IP
addresses to refer to nodes on the public Internet. For example,
host C in figure 1.1 is on private network 1 and can directly address
hosts A, B, and D using their assigned IP addresses. This is in
spite of the fact that hosts A and B are on the public Internet and
host D alone is on the private network.
Next, let us consider the unconventional multi-level NAT topology in
figure 1.2. In this scenario, private hosts are able to connect to
hosts on the public Internet. But, private hosts are not able to
connect with all other private hosts. For example, host F in figure
1.2 can directly address hosts A, B, and G using their assigned IP
addresses, but F has no way to address any of the other hosts in the
diagram. Host F in particular cannot address host E by its assigned
IP address, even though host E is located on the immediately
"upstream" private network through which F is connected to the
Internet. Host E has the same IP address as host G. Yet, this
addressing is "legitimate" in the NAT world because the two hosts are
on different private networks.
It would seem that the topology in figure 1.2 with multiple NAT
translations is broken because private hosts are not able to address
each other directly. However, the network is not broken. Nodes on
Srisuresh & Ford Informational [Page 12]
^L
RFC 5684 Complications from NAT Deployments February 2010
any private network have no direct method of addressing nodes on
other private networks. The private networks 1, 2, 3, and 4 are all
disjoint. Hosts on private network 1 are unable to directly address
nodes on private networks 2, 3, or 4 and vice versa. Multiple NAT
translations were not the cause of this.
As described in sections 3.1.1 and 3.1.2, client-server and peer-to-
peer communication can and should be possible even with multi-level
NAT topology deployment. A host on any private network must be able
to communicate with any other host, no matter to which private
network the host is attached or where the private network is located.
Host F should be able to communicate with host E and carry out both
client-server communication and peer-to-peer communication, and vice
versa. Host F and host E form a hairpin session through NAT-2 to
communicate with each other. Each host uses the public endpoint
assigned by the Internet-facing NAT (NAT-2) to address its peer.
When the deployed NAT devices conform to the hairpin translation
requirements in [BEH-UDP], [BEH-TCP], and [BEH-ICMP], peer nodes are
able to connect even in this type of multi-level NAT topologies.
3.2.4. Mistaken End Host Identity
Mistaken end host identity can result in accidental malfunction in
some cases of multi-level NAT deployments. Consider the scenario in
figure 1.3. Figure 1.3 depicts two levels of NATs between an end-
user in private network 3 and the public Internet.
Suppose CheapoISP assigns 10.1.1.11 to its DNS resolver, which it
advertises through DHCP to NAT-3, the gateway for Ann's home. NAT-3
in turn advertises 10.1.1.11 as the DNS resolver to host F
(10.1.1.10) and host G (10.1.1.11) on private network 3. However,
when host F sends a DNS query to 10.1.1.11, it will be delivered
locally to host G on private network 3 rather than CheapoISP's DNS
resolver. This is clearly a case of mistaken identity due to
CheapoISP advertising a server that could potentially overlap with
its customers' IP addresses.
Srisuresh & Ford Informational [Page 13]
^L
RFC 5684 Complications from NAT Deployments February 2010
Public Internet
(Public IP Addresses)
---+---------------+---------------+----
| | |
| | |
192.0.2.64 192.0.2.128 192.0.2.254
Host A Host B +-------------+
(Alice) (Jim) | NAT-2 |
| (CheapoISP) |
+-------------+
10.1.1.1
|
|
Private Network 2
(Private IP Addresses)
------------+------------------+-------+----------
| |
10.1.1.10 |
+-------+ 10.1.1.11
| NAT-3 | Host E
| (Ann) | (DNS Resolver)
+-------+
10.1.1.1
| Private Network 3
| (Private IP Addresses)
----+---+-----------+----------------
| |
| |
10.1.1.10 10.1.1.11
Host F Host G
Figure 1.3. Mistaken Server Identity in Multi-Level NAT Topology
Recommendation-1: ISPs, using NAT devices to provide connectivity to
customers, should assign non-overlapping addresses to servers
advertised to customers. One way to do this would be to assign
global addresses to advertised servers.
4. Remote Access VPN Network Topologies
Enterprises use remote access VPN to allow secure access to employees
working outside the enterprise premises. While outside the
enterprise premises, an employee may be located in his/her home
office, hotel, conference, or a partner's office. In all cases, it
is desirable for the employee at the remote site to have unhindered
access to his/her corporate network and the applications running on
Srisuresh & Ford Informational [Page 14]
^L
RFC 5684 Complications from NAT Deployments February 2010
the corporate network. While doing so, the employee should not
jeopardize the integrity and confidentiality of the corporate network
and the applications running on the network.
IPsec, Layer 2 Tunneling Protocol (L2TP), and Secure Socket Layer
(SSL) are some of the well-known secure VPN technologies used by the
remote access vendors. Besides authenticating employees for granting
access, remote access VPN servers often enforce different forms of
security (e.g., IPsec, SSL) to protect the integrity and
confidentiality of the run-time traffic between the VPN client and
the VPN server.
Many enterprises deploy their internal networks using private address
space as defined in RFC 1918 and use NAT devices to connect to the
public Internet. Further, many of the applications in the corporate
network refer to information (such as URLs) and services using
private addresses in the corporate network. Applications such as the
Network File Systems (NFS) rely on simple source-IP-address-based
filtering to restrict access to corporate users. These are some
reasons why the remote access VPN servers are configured with a block
of IP addresses from the corporate private network to assign to
remote access clients. VPN clients use the virtual IP (VIP) address
assigned to them (by the corporate VPN server) to access applications
inside the corporate network.
Consider the remote access VPN scenario in figure 2 below.
Srisuresh & Ford Informational [Page 15]
^L
RFC 5684 Complications from NAT Deployments February 2010
(Corporate Private Network 10.0.0.0/8)
---------------+----------------------
|
10.1.1.10
+---------+-------+
| Enterprise Site |
| Remote Access |
| VPN Server |
+--------+--------+
192.0.2.1
|
{---------+------}
{ }
{ }
{ Public Internet }
{ (Public IP Addresses) }
{ }
{ }
{---------+------}
|
192.0.2.254
+--------+--------+
| Remote Site |
| Plug-and-Play |
| NAT Router |
+--------+--------+
10.1.1.1
|
Remote Site Private Network |
-----+-----------+-----------+-------------+-----------
| | | |
10.1.1.10 10.1.1.11 10.1.1.12 10.1.1.13
Host A Host B +--------+ Host C
| VPN |
| Client |
| on a PC|
+--------+
Figure 2. Remote Access VPN with Overlapping Address Space
In the above scenario, say an employee of the corporation is at a
remote location and attempts to access the corporate network using
the VPN client, the corporate network is laid out using the address
pool of 10.0.0.0/8 as defined in RFC 1918, and the VPN server is
configured with an address block of 10.1.1.0/24 to assign virtual IP
addresses to remote access VPN clients. Now, say the employee at the
remote site is attached to a network on the remote site that also
happens to be using a network based on the RFC 1918 address space and
Srisuresh & Ford Informational [Page 16]
^L
RFC 5684 Complications from NAT Deployments February 2010
coincidentally overlaps the corporate network. In this scenario, it
is conventionally problematic for the VPN client to connect to the
server(s) and other hosts at the enterprise.
Nevertheless, despite the direct address overlap, the remote access
VPN connection between the VPN client at the remote site and the VPN
server at the enterprise should remain connected and should be made
to work. That is, the NAT device at the remote site should not
obstruct the VPN connection traversing it. Additionally, the remote
user should be able to connect to any host at the enterprise through
the VPN from the remote desktop.
The following subsections describe the operational details of the
VPN, anomalies with the address overlap, and recommendations on how
best to address the situation.
4.1. Operational Details of Remote Access VPN Network
As mentioned earlier, in the "de facto" Internet address
architecture, only the nodes on the public Internet have globally
unique IP addresses assigned by the official IP address registries.
Many of the networks in the edges use private IP addresses from RFC
1918 and use NAT devices to connect their private networks to the
public Internet. Many enterprises adapted the approach of using
private IP addresses internally. Employees within the enterprise's
intranet private network are "trusted" and may connect to any of the
internal hosts with minimal administrative or policy enforcement
overhead. When an employee leaves the enterprise premises, remote
access VPN provides the same level of intranet connectivity to the
remote user.
The objective of this section is to provide an overview of the
operational details of a remote access VPN application so the reader
has an appreciation for the problem of remote address space overlap.
This is not a tutorial or specification of remote access VPN
products, per se.
When an employee at a remote site launches his/her remote access VPN
client, the VPN server at the corporate premises demands that the VPN
client authenticate itself. When the authentication succeeds, the
VPN server assigns a Virtual IP (VIP) address to the client for
connecting with the corporate intranet. From this point onwards,
while the VPN is active, outgoing IP packets directed to the hosts in
the corporate intranet are tunneled through the VPN, in that the VPN
server serves as the next-hop and the VPN connection as the next-hop
link for these packets. Within the corporate intranet, the
Srisuresh & Ford Informational [Page 17]
^L
RFC 5684 Complications from NAT Deployments February 2010
outbound IP packets appear as arriving from the VIP address. So, IP
packets from the corporate hosts to the remote user are sent to the
remote user's VIP address and the IP packets are tunneled inbound to
the remote user's PC through the VPN tunnel.
This works well so long as the subnets in the corporate network do
not conflict with subnets at the remote site where the remote user's
PC is located. However, when the corporate network is built using
RFC 1918 private address space and the remote location where the VPN
client is launched is also using an overlapping network from RFC 1918
address space, there can be addressing conflicts. The remote user's
PC will have a conflict in accessing nodes on the corporate site and
nodes at the remote site bearing the same IP address simultaneously.
Consequently, the VPN client may be unable to have full access to the
employee's corporate network and the local network at the remote site
simultaneously.
In spite of address overlap, remote access VPN clients should be able
to successfully establish connections with intranet hosts in the
enterprise.
4.2. Anomalies of the Remote Access VPNs
Even though conventional wisdom would suggest that the remote access
VPN scenario with overlapping address space would be seriously
broken, in practice it still works in many ways. Let us look at some
anomalies where there might be a problem and identify solutions
through which the remote access VPN application could be made to work
even under the problem situations.
4.2.1. Remote Router and DHCP Server Address Conflict
Routing and DHCP service are bootstrap services essential for a
remote host to establish a VPN connection. Without DHCP lease, the
remote host cannot communicate over the IP network. Without a router
to connect to the Internet, the remote host is unable to access past
the local subnet to connect to the VPN server at the enterprise. It
is essential that neither of these bootstrap services be tampered
with at the remote host in order for the VPN connection to stay
operational. Typically, a plug-and-play NAT device at the remote
site provides both routing and DHCP services from the same IP
address.
When there is address overlap between hosts at the corporate intranet
and hosts at the remote site, the remote VPN user is often unaware of
the address conflict. Address overlap could potentially cause the
remote user to lose connectivity to the enterprise entirely or lose
connectivity to an arbitrary block of hosts at the enterprise.
Srisuresh & Ford Informational [Page 18]
^L
RFC 5684 Complications from NAT Deployments February 2010
Consider, for example, a scenario where the IP address of the DHCP
server at the remote site matched the IP address of a host at the
enterprise network. When the remote user's PC is ready to renew the
lease of the locally assigned IP address, the remote user's VPN
client would incorrectly identify the IP packet as being addressed to
an enterprise host and tunnel the DHCP renewal packet over the VPN to
the remote VPN server. The DHCP renewal requests simply do not reach
the DHCP server at the remote site. As a result, the remote PC would
eventually lose the lease on the IP address and the VPN connection to
the enterprise would be broken.
Consider another scenario where the IP address of the remote user's
router overlapped with the IP address of a host in the enterprise
network. If the remote user's PC were to send a ping or some type of
periodic keep-alive packets to the router (say, to test the liveness
of the router), the packets would be intercepted by the VPN client
and simply redirected to the VPN tunnel. This type of unintended
redirection has the twin effect of hijacking critical packets
addressed to the router as well as the host in the enterprise network
(bearing the same IP address as the remote router) being bombarded
with unintended keep-alive packets. Loss of connectivity to the
router can result in the VPN connection being broken.
Clearly, it is not desirable to route traffic directed to the local
router or DHCP server to be redirected to the corporate intranet. A
VPN client on a remote PC should be configured such that IP packets
whose target IP address matches any of the following are disallowed
to be redirected over the VPN:
a) IP address of the VPN client's next-hop router, used to access the
VPN server.
b) IP address of the DHCP server, providing address lease on the
remote host network interface.
Recommendation-2: A VPN client on a remote PC should be configured
such that IP packets whose target IP address matches *any* of (a) or
(b) are disallowed to be redirected over the VPN:
a) IP address of the VPN client's next-hop router, used to access the
VPN server.
b) IP address of the DHCP server, providing address lease on the
remote host network interface.
Srisuresh & Ford Informational [Page 19]
^L
RFC 5684 Complications from NAT Deployments February 2010
4.2.2. Simultaneous Connectivity Conflict
Ideally speaking, it is not desirable for the corporate intranet to
conflict with any of the hosts at the remote site. As a general
practice, if simultaneous communication with end hosts at the remote
location is important, it is advisable to disallow access to any
corporate network resource that overlaps the client's subnet at the
remote site. By doing this, the remote user is able to connect to
all local hosts simultaneously while the VPN connection is active.
Some VPN clients allow the remote PC to access the corporate network
over VPN and all other subnets directly without routing through the
VPN. Such a configuration is termed as "Split VPN" configuration.
"Split VPN" configuration allows the remote user to run applications
requiring communication with hosts at the remote site or the public
Internet, as well as hosts at the corporate intranet, unless there is
address overlap with the remote subnet. Applications needing access
to the hosts at the remote site or the public Internet do not
traverse the VPN, and hence are likely to have better performance
when compared to traversing the VPN. This can be quite valuable for
latency-sensitive applications such as Voice over IP (VoIP) and
interactive gaming. If there is no overriding security concern to
directly accessing hosts at the remote site or the public Internet,
the VPN client on remote PC should be configured in "Split VPN" mode.
If simultaneous connectivity to hosts at the remote site is not
important, the VPN client may be configured to direct all
communication traffic from the remote user to the VPN. Such a
configuration is termed as "Non-Split VPN" configuration. "Non-Split
VPN" configuration ensures that all communication from the remote
user's PC traverses the VPN link and is routed through the VPN
server, with the exception of traffic directed to the router and DHCP
server at the remote site. No other communication takes place with
hosts at the remote site. Applications needing access to the public
Internet also traverse the VPN. If the goal is to maximize the
security and reliability of connectivity to the corporate network,
the VPN client on remote PC should be configured in "Non-Split VPN"
mode. "Non-Split VPN" configuration will minimize the likelihood of
access loss to corporate hosts.
Recommendation-3: A VPN client on a remote PC should be configured in
"Non-Split VPN" mode if the deployment goal is (a), or in "Split VPN"
mode if the deployment goal is (b):
a) If the goal is to maximize the security and reliability of
connectivity to the corporate network, the VPN client on the
remote PC should be configured in "Non-Split VPN" mode. "Non-
Split VPN" mode ensures that the VPN client directs all traffic
Srisuresh & Ford Informational [Page 20]
^L
RFC 5684 Complications from NAT Deployments February 2010
from the remote user to the VPN server (at the corporate site),
with the exception of traffic directed to the router and DHCP
server at the remote site.
b) If there is no overriding security concern to directly accessing
hosts at the remote site or the public Internet, the VPN client on
the remote PC should be configured in "Split VPN" mode. "Split
VPN" mode ensures that only the corporate traffic is directed over
the VPN. All other traffic does not have the overhead of
traversing the VPN.
4.2.3. VIP Address Conflict
When the VIP address assigned to the VPN client at the remote site is
in direct conflict with the IP address of the existing network
interface, the VPN client might be unable to establish the VPN
connection.
Consider a scenario where the VIP address assigned by the VPN server
directly matched the IP address of the networking interface at the
remote site. When the VPN client on the remote host attempts to set
the VIP address on a virtual adapter (specific to the remote access
application), the VIP address configuration will simply fail due to
conflict with the IP address of the existing network interface. The
configuration failure in turn can result in the remote access VPN
tunnel not being established.
Clearly, it is not advisable to have the VIP address overlap the IP
address of the remote user's existing network interface. As a
general rule, it is not advisable for the VIP address to overlap any
IP address in the remote user's local subnet, as the VPN client on
the remote PC might be forced to respond to ARP requests on the
remote site and the VPN client might not process the handling of ARP
requests gracefully.
Some VPN vendors offer provisions to detect conflict of VIP addresses
with remote site address space and switch between two or more address
pools with different subnets so the VIP address assigned is not in
conflict with the address space at remote site. Enterprises
deploying VPNs that support this type of vendor provisioning are
advised to configure the VPN server with a minimum of two distinct IP
address pools. However, this is not universally the case.
Alternately, enterprises may deploy two or more VPN servers with
different address pools. By doing so, a VPN client that detects
conflict of a VIP address with the subnet at the remote site will
have the ability to switch to an alternate VPN server that will not
conflict.
Srisuresh & Ford Informational [Page 21]
^L
RFC 5684 Complications from NAT Deployments February 2010
Recommendation-4: Enterprises deploying remote access VPN solutions
are advised to adapt a strategy of (a) or (b) to avoid VIP address
conflict with the subnet at the remote site.
a) If the VPN server being deployed has been provisioned to configure
two or more address pools, configure the VPN server with a minimum
of two distinct IP address pools.
b) Deploy two or more VPN servers with distinct IP address pools. By
doing so, a VPN client that detects conflicts of VIP addresses
with the subnet at the remote site will have the ability to switch
to an alternate VPN server that will not conflict.
4.2.4. Mistaken End Host Identity
When "Split VPN" is configured on the VPN client on a remote PC,
there can be a potential security threat due to mistaken identity.
Say, a certain service (e.g., SMTP mail service) is configured on
exactly the same IP address on both the corporate site and the remote
site. The user could unknowingly be using the service on the remote
site, thereby violating the integrity and confidentiality of the
contents relating to that application. Potentially, remote user mail
messages could be hijacked by the ISP's mail server.
Enterprises deploying remote access VPN servers should allocate
global IP addresses for the critical servers the remote VPN clients
typically need to access. By doing this, even if most of the private
corporate network uses RFC 1918 address space, this will ensure that
the remote VPN clients can always access the critical servers
regardless of the private address space used at the remote attachment
point. This is akin to Recommendation-1 provided in conjunction with
multi-level NAT deployments.
Recommendation-5: When "Split VPN" is configured on a VPN client of a
remote PC, enterprises deploying remote access VPN servers are
advised to assign global IP addresses for the critical servers the
remote VPN clients are likely to access.
5. Summary of Recommendations
NAT vendors are advised to refer to the BEHAVE protocol documents
([BEH-UDP], [BEH-TCP], and [BEH-ICMP]) for a comprehensive list of
conformance requirements for NAT devices.
Srisuresh & Ford Informational [Page 22]
^L
RFC 5684 Complications from NAT Deployments February 2010
The following is a summary of recommendations to support the
unconventional NAT topologies identified in this document. The
recommendations are deployment-specific and addressed to the
personnel responsible for the deployments. These personnel include
ISP administrators and enterprise IT administrators.
Recommendation-1: ISPs, using NAT devices to provide connectivity to
customers, should assign non-overlapping addresses to servers
advertised to customers. One way to do this would be to assign
global addresses to advertised servers.
Recommendation-2: A VPN client on a remote PC should be configured
such that IP packets whose target IP address matches *any* of (a) or
(b) are disallowed to be redirected over the VPN:
a) IP address of the VPN client's next-hop router, used to access the
VPN server.
b) IP address of the DHCP server, providing address lease on the
remote host network interface.
Recommendation-3: A VPN client on a remote PC should be configured in
"Non-Split VPN" mode if the deployment goal is (a), or in "Split VPN"
mode if the deployment goal is (b):
a) If the goal is to maximize the security and reliability of
connectivity to the corporate network, the VPN client on the
remote PC should be configured in "Non-Split VPN" mode. "Non-
Split VPN" mode ensures that the VPN client directs all traffic
from the remote user to the VPN server (at the corporate site),
with the exception of traffic directed to the router and DHCP
server at the remote site.
b) If there is no overriding security concern to directly accessing
hosts at the remote site or the public Internet, the VPN client on
the remote PC should be configured in "Split VPN" mode. "Split
VPN" mode ensures that only the corporate traffic is directed over
the VPN. All other traffic does not have the overhead of
traversing the VPN.
Recommendation-4: Enterprises deploying remote access VPN solutions
are advised to adapt a strategy of (a) or (b) to avoid VIP address
conflict with the subnet at the remote site.
a) If the VPN server being deployed has been provisioned to configure
two or more address pools, configure the VPN server with a minimum
of two distinct IP address pools.
Srisuresh & Ford Informational [Page 23]
^L
RFC 5684 Complications from NAT Deployments February 2010
b) Deploy two or more VPN servers with distinct IP address pools. By
doing so, a VPN client that detects conflicts of VIP addresses
with the subnet at the remote site will have the ability to switch
to an alternate VPN server that will not conflict.
Recommendation-5: When "Split VPN" is configured on a VPN client of a
remote PC, enterprises deploying remote access VPN servers are
advised to assign global IP addresses for the critical servers the
remote VPN clients are likely to access.
6. Security Considerations
This document does not inherently create new security issues.
Security issues known to DHCP servers and NAT devices are applicable,
but not within the scope of this document. Likewise, security issues
specific to remote access VPN devices are also applicable to the
remote access VPN topology, but not within the scope of this
document. The security issues reviewed here only those relevant to
the topologies described in sections 2 and 3, specifically as they
apply to private address space overlap in the topologies described.
Mistaken end host identity is a security concern present in both
topologies discussed. Mistaken end host identity, described in
sections 2.2.4 and 3.2.4 for each of the topologies reviewed,
essentially points the possibility of application services being
hijacked by the wrong application server (e.g., Mail server).
Security violation due to mistaken end host identity arises
principally due to critical servers being assigned RFC 1918 private
addresses. The recommendation suggested for both scenarios is to
assign globally unique public IP addresses for the critical servers.
It is also recommended in section 2.1.2 that applications adapt end-
to-end authentication and not depend on source IP address for
authentication. Doing this will thwart connection hijacking and
denial-of-service attacks.
7. Acknowledgements
The authors wish to thank Dan Wing for reviewing the document in
detail and making helpful suggestions in reorganizing the document
format. The authors also wish to thank Ralph Droms for helping with
rewording the text and Recommendation-1 in section 3.2.4 and Cullen
Jennings for helping with rewording the text and Recommendation-3 in
section 4.2.2.
Srisuresh & Ford Informational [Page 24]
^L
RFC 5684 Complications from NAT Deployments February 2010
8. References
8.1. Normative References
[BEH-ICMP] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
Behavioral Requirements for ICMP", BCP 148, RFC 5508,
April 2009.
[BEH-TCP] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and
P. Srisuresh, "NAT Behavioral Requirements for TCP", BCP
142, RFC 5382, October 2008.
[BEH-UDP] Audet, F., Ed., and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for Unicast
UDP", BCP 127, RFC 4787, January 2007.
[NAT-TERM] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", RFC
2663, August 1999.
[NAT-TRAD] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, January
2001.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996.
8.2. Informative References
[DHCP] Droms, R., "Dynamic Host Configuration Protocol", RFC
2131, March 1997.
[NAT-PROT] Holdrege, M. and P. Srisuresh, "Protocol Complications
with the IP Network Address Translator", RFC 3027,
January 2001.
[RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
BCP 153, RFC 5735, January 2010.
Srisuresh & Ford Informational [Page 25]
^L
RFC 5684 Complications from NAT Deployments February 2010
Authors' Addresses
Pyda Srisuresh
EMC Corporation
1161 San Antonio Rd.
Mountain View, CA 94043
U.S.A.
Phone: +1 408 836 4773
EMail: srisuresh@yahoo.com
Bryan Ford
Department of Computer Science
Yale University
51 Prospect St.
New Haven, CT 06511
Phone: +1-203-432-1055
EMail: bryan.ford@yale.edu
Srisuresh & Ford Informational [Page 26]
^L
|
