IPSEC and NAT

If one is comfortable with IPsec tunnels that terminate at the NAT'd network's perimeter then NAT doesn't necessarily pose any problem. However, if one wants IPsec to terminate at the endpoint then Network Address Translation causes serious issues. As IPsec Authentication Headers require the IP addresses of both endpoints in the packets and NAT is modifying them there is simply no way to truly maintain the genuine session credentials through a NAT. There are, however, workarounds for this (IBM, n.d.) (Fratto, 2000) (Aboba & Dixon, 2004).

IPv6 solves some problems with NAT/IPsec incompatibility while creating others. While, as Sellers (2005) says, 'IPv6, coupled with the security features of IPsec, will allow the realization of secure end-to-end connectivity', his assertion that 'since IPsec is designed into the IPv6 protocol, the need for NAT is eliminated' doesn't really follow. It is the mostly the size of the v6 address space that obviates this need. However some NAT will probably remain for address hiding and legitimate spoofing for a while, and while he is correct that 'IPv6 NAT has a different meaning than in IPv4' that doesn't address the fact that IPv4 isn't going away anytime soon. And so the HA issue isn't really solved and v6's usage of NAT to interoperate with v4 could actually exacerbate difficulties for an interim.

IPv6 has been a slow deployment as of yet due to a myriad of issues. Some stakeholders fear any instability that might occur during the switch, others don't have the requisite administrative infrastructure, skills, or the confidence that they have them, and some even believe that the migration is unnecessary (Hatton et al, ). In order to accelerate the deployment of v6 we will need to address these issues individually and collectively. Perhaps fundamental to all of them, and therefore worthy of primary focus, is a lack of sense of urgency. I recall the consultant (over)utilization pattern around the Y2K 'problem' and hope that we can help non-technical management understand that doing the work soon can help avoid a crisis later.

Aboba, B. & Dixon, W. (2004) IPsec-Network Address Translation (NAT) Compatibility Requirements [Online]. Available from: http://www.ietf.org/rfc/rfc3715.txt (Accessed: 31 October, 2010)

Fratto, M. (2000) Why Can't IPsec and NAT Just Get Along? [Online]. Available from: http://www.networkcomputing.com/1123/1123ws22.html?ls=NCJS_1123bt (Accessed: 31 October, 2010)

Hatton, K.R., Chapman, S.W., Damon, D.S. & Shah, N.S. [Online]. Available from: https://drachma.colorado.edu/dspace/bitstream/123456789/136/1/Is+IPv6+in+trouble+-+an+analysis+of+IPv4+solutions+to+IPv6+features.PDF (Accessed: 31 October, 2010)

IBM (n.d.) NAT compatible IPsec [Online]. Available from: http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzaja/rzajaudpencap.htm (Accessed: 31 October, 2010)