rfc2766.Network Address Translation - Protocol Translation (NAT-PT)

IPv4到IPv6过渡技术过渡问题的出现随着Internet的不断发展，原有IPv4的许多不足逐渐暴露了出来，这里面最迫切需要解决的就是IP地址空间耗尽和骨干路由器中路由表过于庞大的问题。

这两个问题直接导致了IETF成立IPng工作组来制定新一代的IP协议，并在1995年底为它分配了版本号6，称为IPv6 ( 或 IPng ) 。

为了彻底解决目前IPv4遇到的问题并对未来的应用提供更好的支持，IPv6的设计者们最后决定将IPv6设计成一个新的协议，而不仅仅是IPv4的扩展。

尽管在设计IPv6的时候已经充分考虑了和IPv4的兼容性，但是它们不是完全兼容的。

可以预见，Internet由IPv4向IPv6过渡需要一个相当长的时间才能完成，在这段时间内这种不兼容性的影响将会很突出，IETF已经成立的专门的工作组NGTRANS来研究从IPv4向IPv6的过渡问题。

过渡机制概述我们面临的主要问题不是IPv6本身的问题，而是如何渐进的、无伤害的由基于IPv4的网络过渡到基于IPv6的网络，同时尽可能减少过渡的成本的问题，SIT ( Simple Internet Transition ) 阐述了过渡的要求。

由于过渡是渐进的，在过渡的初期，Internet将由运行IPv4的"海洋"和运行IPv6的"小岛"组成。

随着时间的推移，IPv4的海洋将会逐渐变小，而IPv6的小岛将会越来越多，最终完全取代IPv4。

在过渡的初期，要解决的主要是IPv6小岛之间的通信问题，随后是IPv6小岛和IPv4海洋之间通信的问题。

针对这两类问题已经提出了很多方案，有一些已经相当成熟并形成了RFC，有一些还只是草案。

解决过渡问题的成熟的基本技术主要有三种：1. 双协议栈 ( Dual Stack, RFC2893 )主机同时运行IPv4和IPv6两套协议栈，同时支持两套协议2. 隧道技术 ( Tunnel, RFC2893 )这种机制用来在IPv4网络之上连接IPv6的站点，站点可以是一台主机，也可以是多个主机。

IPv6/IPv4无感知接入与加速摘要本文提出了一种技术方案，不仅能够改善ipv4向ipv6过渡初期，ipv6网络资源使用率不足的问题，而且，在终端用户无感知、网络管理员部署维护方便的前提下，使终端用户得到更好的接入服务，提升终端用户的体验。

关键词 ipv4；ipv6；过渡；接入中图分类号tp393 文献标识码a 文章编号 1674-6708（2013）96-0219-021 背景随着以ipv4（internet portocol version 4）为基础的互联网的发展，用户快速增加，ipv4地址数已经分配殆尽。

ipv6（internet portocol version 6）作为业界公认的用以替代ipv4的技术，正在扩展其部署范围。

ipv6与ipv4相比，提供了更巨大的ip地址空间，以解决现有互联网地址短缺的问题。

ipv6采用了全新的编址方式，在设计上并不向下兼容ipv4，这种不兼容性使得升级到ipv6必须部署一张全新的网络，而不能在ipv4的基础上进行延伸和扩展。

ipv6部署初期，需要大量的投入，却没有与成本相匹配的收益，严重阻碍了ipv6的推广。

2 现状和问题在ipv4向ipv6过渡的初期，因特网服务提供商（internet service provider，isp）通常为用户提供ipv4和ipv6双栈接入。

一般的网络应用都是在客户机和服务器之间进行的，只有当终端用户、应用服务器以及连接它们的网络都支持ipv6时，才可能使用ipv6进行通信，否则仍只能使用ipv4进行通信。

目前，由于大多数终端操作系统和应用程序客户端不支持ipv6，即终端用户不支持ipv6，而且，用户内网原有的部分网络设备也不支持ipv6，所以大部分网络应用仍使用ipv4进行通信；另外，由于ipv6对比ipv4只是网络传输协议的升级，无法直接提升终端用户的体验，大部分终端用户不会主动寻求使用ipv6。

正是由于以上这些原因，一方面，即使isp提供了ipv6网络接入——外网支持ipv6，内容提供商（content provider，cp）支持使用ipv6访问——应用服务器支持ipv6，这些资源也将闲置或无法充分利用，造成了浪费。

一、机制概述RFC2766、RFC2765。

NAT-PT（网络地址转换-协议转换）是一种地址转换技术，它可以把IPv6地址转换成IPv4地址，反之亦然。

NAT-PT基于RFC2766中定义的无状态IP/ICMP转换器（SIIT）算法。

SIIT算法互译IPv4和IPv6数据包头部，也包括ICMP头部。

需要注意的是，在IPv6环境中，不建议像IPv4对待NAT的态度哪样，去使用NAT。

仅仅在V4单协议与V6单协议网络需要互相通信的时候，才建议使用NAT-PT。

我们看上面的例子，对于IPv6单协议网络而言，首先它有访问IPv6因特网的需求，因此默认的IPv6流量全部交给R1，另外，它可能还有访问IPv4因特网的需求，这时候，就需要借助R2这台NAT-PT设备。

2001:2::/96，这个长度为96位的前缀是我们为了NAT-PT操作预定义的前缀，可以自定义，但是长度必须是96bits。

在IPv6单协议网络中产生的、去往2001:2::/96这个目的地的流量被路由到R2也就是NAT-PT设备，然后数据包中的IPv6地址被转换为IPv4地址并传送给IPv4因特网中的IPv4单协议节点。

二、NAT-PT配置及原理2.1 静态NAT-PT1、静态NAT-PT（单向）A和B的配置都极其简单A的配置：interface FastEthernet0/0ipv6 enableipv6 address 2001:1::1/64ipv6 route ::/0 2001:1::FFFFB的配置如下：interface FastEthernet0/0ip address 202.101.100.2 255.255.255.0ip route 0.0.0.0 0.0.0.0 202.101.100.1R2的配置如下：ipv6 unicast-routing!interface FastEthernet0/0 !! 连接A的接口ipv6 enableipv6 address 2001:1::FFFF/64ipv6 nat!interface FastEthernet1/0ip address 202.101.100.1 255.255.255.0ipv6 nat!ipv6 nat prefix 2001:2::/96 !! 是一个为NAT-PT预留的池ipv6 nat v6v4 source 2001:1::1 202.101.100.100 !! 相当于将2001:1::1这个IPv6的节点，“告知”给IPv4单协议网络中的用户知道，可以以202.101.100.100的方式访问。

目前过渡问题成熟的技术方案基本分为三种：[1] 双协议栈( Dual Stack, RFC2893 )：主机同时运行IPv4和IPv6两套协议栈，同时支持两套协议[2] 隧道技术( Tunnel, RFC2893 )：这种机制用来在IPv4网络之上连接IPv6的站点，站点可以是一台主机，也可以是多个主机。

隧道技术将IPv6的分组封装到IPv4的分组中，封装后的IPv4分组将通过IPv4的路由体系传输，分组报头的"协议" 域设置为41，指示这个分组的负载是一个IPv6的分组，以便在适当的地方恢复出被封装的IPv6分组并传送给目的站点。

根据封装/解封装操作发生位置的不同，隧道可以分为四种：λ路由器到路由器( Router-to-Router )λ主机到路由器( Host-to-Router )λ主机到主机( Host-to-Host )λ路由器到主机( Router-to-Host )根据建立方式的不同，隧道又可以分成两类：λ (手工)配置的隧道( Configured Tunnel )λ自动配置的隧道( Auto-configured Tunnel )[3] 翻译技术，最具代表性的是NAT-PT ( Network Address Translation - Protocol Translation，RFC2766 )：利用转换网关来在IPv4和IPv6网络之间转换IP报头的地址，同时根据协议不同对分组做相应的语义翻译，从而使纯IPv4和纯IPv6站点之间能够透明通信。

需要指出的是，这些过渡机制都不是普遍适用的，每一种机制都适用于某种或几种特定的网络情况，而且常常需要和其它的技术组合使用。

在实际应用时需要综合考虑各种实际情况来制定合适的过渡策略。

过渡解决方案【方案简介】IPv6 虚拟接入解决方案是建立在虚拟网络（VPN）之上的隧道型IPv6过渡综合解决方案。

通过使用该方案，在满足IPv4用户的基本IPv6接入需求，提供高可靠的安全性保证；同时利用IPv6的便利性和平坦性，向用户提供更为方便的互联网应用。

第4章网络地址转换（NAT）⏹NAT概述随着网络的发展，公用IP地址的需求与日俱增。

为了缓解公用IP地址的不足，并且保护公司内部服务器的私网地址，可以使用NAT（Network Address Translation，网络地址转换）技术将私网地址转化成为公网地址，缓解IP地址的不足，并且隐藏内部服务器的私网地址。

⏹NAT的概述与现实方式1.NAT概念网络地址转换（NAT）通过将内部网络的私有IP地址翻译成全球唯一的公网IP地址，使内部网络可以连接到互联网等外部网络上，广泛应用于各种类型的互联网接入方式和各种类型的网络中。

原因很简单，NAT不仅解决了IP地址不足的问题，而且还能够隐藏内部网络的细节，避免来自网络外部的攻击，起到一定的安全作用。

借助于NAT，私有保留地址的内部网络通过路由器发送数据包时，私有地址被转换成合法的IP地址，这样一个局域网只需要少量地址（甚至是一个），即可实现使私有地址网络中的所有计算机与互联网的通信需求。

2.NAT的实现方式NAT的实现方式有以下三种：静态转换（Static Translation）动态转换（Dynamic Translation）端口多路复用（Port Address Translation，PAT）静态转换IP地址的对应关系是一对一且不变的，并没有节约公用IP地址，只是隐藏了主机的真实地址。

动态转换虽然在一定情况下节约了公用IP地址，但是当内部网络同时访问Internet的主机数大于合法地址池中的IP地址数时就不适用了。

端口多路复用可以使所有的内部网络主机共享一个合法的外部IP地址，从而最大限度的节约IP地址资源。

由于动态转换形成的IP地址的对应关系是不确定的、随机的；端口多路复用使用的是端口号的转换，也是不确定的，所以内网服务器不能使用这两种转换方式，这是由于外网用户无法确定服务器合法的公网IP地址，导致无法访问服务器。

这时使用静态转换将私有IP地址转换为固定的合法的IP地址，这样服务器有了固定的合法的公网IP地址，才能实现外网的访问。

IPv4向IPv6的过渡策略作者：张建立来源：《信息安全与技术》2013年第08期【摘要】本文简单介绍了IPv6协议，并阐述了在现阶段IPv4与IPv6共存的情况下，IPv4 向IPv6过渡的三种较为成熟的双协议栈技术、隧道技术和NAT-PT技术，最后概括了过渡策略的演进。

【关键词】 IPv6；双协议栈；NAT-PT1 前言近年来，互联网的迅猛发展导致了IP地址资源的紧张。

目前的IP协议版本IPv4已经暴露出其当初设计不足的地方，使得升级IP协议成为必然。

从20世纪90年代初以来，国际上已经开始讨论下一代的IP协议，IETF最终确定IPng协议为版本6，称为IPv6。

IPv6从1995年被IETF首次提出后，近年来在全球范围内受到普遍关注。

目前，IPv6协议的框架和各项技术已经逐步成熟，并在越来越广泛的范围内得到实践。

但是现行Internet上成千上万的主机、路由器等网络设备都运行着IPv4协议。

这就决定了IPv4的网络向IPv6演进将是一个浩大而且繁杂的工程，IPv4和IPv6网络将在很长时间内共存，如何从IPv4平滑地过渡到IPv6是一个非常复杂的问题。

2 IPv6协议概述2.1 IPv6的报头格式净荷长度。

长度为1 6位，其中包括包净荷的字节长度，即IPv6头后的包中包含的字节数。

这意味着在计算净荷长度时包含了IPv6扩展头的长度。

下一个头。

这个字段指出了IPv6头后所跟的头字段中的协议类型。

与IPv6协议字段类似，下一个头字段可以用来指出高层是TCP还是UDP，但它也可以用来指明IPv6扩展头的存在。

跳极限。

长度为8位。

每当一个节点对包进行一次转发之后，这个字段就会被减1。

如果该字段达到0，这个包就将被丢弃。

IPv4中有一个具有类似功能的生存期字段，但与IPv4不同，人们不愿意在IPv6中由协议定义一个关于包生存时间的上限。

这意味着对过期包进行超时判断的功能可以由高层协议完成。

源地址。

长度应为128位，指出了IPv6包的发送方地址。

1、NAT原理1.1、概述RFC1631、RFC3022以及相关RFC定义的NA T（Network Address Translator）是一种将IP地址从一个编址域映射到另一个编址域的方法，典型的应用是把RFC1918定义的私有IP 地址映射到Internet所使用的公有IP地址。

NA T与网络中其它计算设备的关系如图1.1。

虽然NA T技术已经得到广泛应用，但它是一把双刃剑，在带来节省IPv4地址空间等好处的同时，破坏了Internet最基本的“端到端的透明性”的设计理念，增加了网络的复杂性，阻碍了业务的创新。

IETF一直主张利用IPv6技术解决地址短缺问题，因此IETF虽然出版了几个与NA T相关的RFC，但对NA T技术（尤其是穿越问题）一直没有系统的标准工作，如SIP和Mobile IP就是NA T出现后设计的一些协议，都未考虑到NA T的穿越问题。

现在业界意识到Internet 在短期内不可能过渡到IPv6，IPv4和IPv6将长期共存，NA T以及NA T-PT（Network Address Translation - Protocol Translation）将继续得到长期应用，因此NA T相关问题开始引起IETF （Internet Engineering Task Force）和ITU-T（International Telecommunication Union）等相关国际标准化组织的关注。

中国通信标准化协会IP与多媒体工作委员会也正在积极参与ITU-T SG16组的相关活动，加紧制定中国多媒体业务NA T穿越标准[1]。

说明：ICD：Inner Computing Device，内部计算设备，内部主机，内网主机OCD：Outer Computing Device，外部计算设备，外部主机，外网主机ICD和OCD是相对而言的，OCD也可能在1个或多个NAT后面图1.1 NA T与计算设备的关系1.2、分类从功能上看，主要有以下几种典型的NA T（RFC2663），如图1.2）。

模块十一 NATInternet 技术的飞速进展，使愈来愈多的用户加入到互联网，因此IP 地址欠缺已成为一个十分突出的问题。

NAT(Network Address Translation，网络地址翻译)是解决 IP 地址欠缺的重要手腕。

第一讲 NAT 概述NAT 是一个 IETF 标准，许诺一个机构以一个地址出此刻 Internet上。

NAT 技术使得一个私有网络能够通过 Internet 注册 IP 连接到外部世界，位于 Inside 网络和 Outside 网络中的 NAT 路由器在发送数据包之前，负责把内部 IP 地址翻译成外部合法 IP 地址。

NAT 将每一个局域网节点的 IP 地址转换成一个合法 IP 地址，反之亦然。

它也能够应用到防火墙技术里，把个别 IP 地址隐藏起来不被外界发觉，对内部网络设备起到爱惜的作用，同时，它还帮忙网络能够超越地址的限制，合理地安排网络中的公有 Internet 地址和私有 IP 地址的利用。

NAT 有三种类型：静态 NAT、动态 NAT 和端口地址转换（PAT）。

1．静态 NAT静态 NAT 中，内部网络中的每一个主机都被永久映射成外部网络中的某个合法的地址。

静态地址转换将内部本地地址与内部合法地址进行一对一的转换，且需要指定和哪个合法地址进行转换。

若是内部网络有 E-mail 效劳器或 FTP 效劳器等能够为外部用户提供的效劳，这些效劳器的 IP 地址必需采纳静态地址转换，以便外部用户能够利用这些效劳。

2．动态 NAT动态 NAT 第一要概念合法地址池，然后采纳动态分派的方式映射到内部网络。

动态 NAT 是动态一对一的映射。

3．PATPAT 那么是把内部地址映射到外部网络的 IP 地址的不同端口上,从而能够实现多对一的映射。

PAT 关于节省 IP 地址是最为有效的。

第二讲实验 1：静态 NAT 配置1. 实验目的通过本实验能够把握（1）静态 NAT 的特点。

ＩＳＳＮ１００９－３０４４ＣｏｍｐｕｔｅｒＫｎｏｗｌｅｄｇｅＡｎｄＴｅｃｈｎｏｌｏｇｙ电脑知识与技术Ｖｏｌ．３，Ｎｏ．５，Ａｕｇｕｓｔ２００８，ｐｐ．８８３－８８４，８９４Ｅ－ｍａｉｌ：ｉｎｆｏ＠ｃｃｃｃ．ｎｅｔ．ｃｎｈｔｔｐ：／／ｗｗｗ．ｄｎｚｓ．ｎｅｔ．ｃｎＴｅｌ：＋８６－５５１－５６９０９６３５６９０９６４ＩＰｖ４／ＩＰｖ６转换网关的设计与实现韩银锋（西安航空职业技术学院，陕西西安７１００８９）摘要：详细介绍了ＩＰｖ４ＩＰｖ６转换网关的设计与实现过程；首先介绍转换网关的工作流程，其次介绍地址转换和协议转换设计，最后分析了ＤＮＳＡＬＧ设计。

关键词：ＩＰｖ６；ＩＰｖ４；转换网关中图分类号：ＴＰ３９３文献标识码：Ａ文章编号：１００９－３０４４（２００８）２３－８８３－０２ＤｅｓｉｇｎａｎｄＩｍｐｌｅｍｅｎｔａｔｉｏｎｏｆＩＰｖ４／ＩＰｖ６ＴｒａｎｓｌａｔｉｏｎＧａｔｅｗａｙＨＡＮＹｉｎ－ｆｅｎｇ（Ｘｉ＇ａｎＡｅｒｏｎａｕｔｉｃａｌＰｏｌｙｔｅｃｈｎｉｃＩｎｓｔｉｔｕｔｅ，Ｘｉ＇ａｎ７１００８９，Ｃｈｉｎａ）Ａｂｓｔｒａｃｔ：Ｉｎｔｈｉｓｔｈｅｓｉｓ，ａｔｒａｎｓｌａｔｉｏｎｇａｔｅｗａｙｉｓｉｎｔｒｏｄｕｃｅｄ，ｂｏｔｈｔｈｅｄｅｓｉｇｎａｎｄｉｍｐｌｅｍｅｎｔａｔｉｏｎ．Ｆｉｒｓｔ，ｔｈｅｆｌｏｗｏｆｔｒａｎｓｌａｔｉｏｎｇａｔｅｗａｙｉｓｉｎ－ｔｒｏｄｕｃｅｄ，ｓｅｃｏｎｄｌｙ，ａｄｄｒｅｓｓＴｒａｎｓｌａｔｉｏｎａｎｄｐｒｏｔｏｃｏｌＴｒａｎｓｌａｔｉｏｎＡｒｅｄｅｓｃｒｉｂｅｄ，Ｉｎｔｈｅｅｎｄｏｆｔｈｉｓｔｈｅｓｉｓ，ＤＮＳＡＬＧｉｓａｎａｌｙｚｅｄ．Ｋｅｙｗｏｒｄｓ：ＩＰｖ６；ＩＰｖ４；ＴｒａｎｓｌａｔｉｏｎＧａｔｅｗａｙ随着Ｉｎｔｅｒｎｅｔ的迅猛发展，现有的ＩＰ协议（ＩＰｖ４协议）在应用中出现了很多问题，如地址资源即将耗尽，不能适应新的网络应用以及对安全性无法保证等。

下一代Ｉｎｔｅｒｎｅｔ协议（ＩＰｖ６）不仅解决了ＩＰｖ４遇到的问题，而且还给ＩＰ带来了一些新特性，它取代ＩＰｖ４成为必然。

NAT基本知识及其配置、无线接入模块、广域网接入引入：通过讲述网络地址的用尽带来的影响，如何解决网络地址少的问题，将课堂引入到NAT 知识上来，描述IPV6的相关信息，提高学生的积极性。

新授：一、NAT基本知识网络地址转换(NAT,Network Address Translation)属接入广域网(WAN)技术，是一种将私有（保留）地址转化为合法IP地址的转换技术，它被广泛应用于各种类型Internet接入方式和各种类型的网络中。

原因很简单，NAT不仅完美地解决了lP地址不足的问题，而且还能够有效地避免来自网络外部的攻击，隐藏并保护网络内部的计算机。

概述：NAT（Network Address Translation，网络地址转换）是将IP 数据包头中的IP 地址转换为另一个IP 地址的过程。

在实际应用中，NAT 主要用于实现私有网络访问公共网络的功能。

这种通过使用少量的公有IP 地址代表较多的私有IP 地址的方式，将有助于减缓可用IP地址空间的枯竭。

说明：私有IP 地址是指内部网络或主机的IP 地址，公有IP 地址是指在因特网上全球唯一的IP 地址。

RFC 1918 为私有网络预留出了三个IP 地址块，如下：A 类：10.0.0.0～10.255.255.255B 类：172.16.0.0～172.31.255.255C 类：192.168.0.0～192.168.255.255上述三个范围内的地址不会在因特网上被分配，因此可以不必向ISP 或注册中心申请而在公司或企业内部自由使用。

实现方式：NAT的实现方式有三种，即静态转换Static Nat、动态转换Dynamic Nat和端口多路复用OverLoad。

静态转换是指将内部网络的私有IP地址转换为公有IP地址，IP地址对是一对一的，是一成不变的，某个私有IP地址只转换为某个公有IP地址。

借助于静态转换，可以实现外部网络对内部网络中某些特定设备（如服务器）的访问。

IP地址耗尽促成了CIDR的开发，但是CIDR开发的主要目的是为了有效的使用现有的INTERNET地址，而同时根据RFC1631(IP NETWORK ADDRESS TRANSLATOR)开发的NAT却可以在多重的INTERNET子网中使用相同的IP地址，用来减少注册IP地址的使用。

NAT的分为：静态NAT、动态NAT、端口NAT(PAT)。

静态NAT:内部网络中的每个主机都被永久的映射成外部网络中的某个合法地址；动态NAT：在外部网络中定义了一系列的合法地址，采用动态分配的方法映射到内部网络；PAT：是人们比较熟悉的一种转换方式。

PAT普遍应用于接入设备中，它可以将中小型的网络隐藏在一个合法的IP地址后面。

PAT与动态地址NAT不同，它将内部连接映射到外部网络中的一个单独的IP地址上，同时在该地址上加上一个由NAT设备选定的TCP端口号。

也就是采用port multiplexing 技术，或改变外出数据的源port的技术将多个内部ip地址映射到同一个外部地址。

网络地址转换 (NAT) 是一个 Internet 工程任务组 (Internet Engineering Task Force，IETF) 标准，用于允许专用网络上的多台 PC (使用专用地址段，例如 10.0.x.x、192.168.x.x、172.x.x.x) 共享单个、全局路由的 IPv4 地址。

IPv4 地址日益不足是经常部署 NAT 的一个主要原因。

Windows XP 和 Windows Me 中的“Internet 连接共享”及许多 Internet 网关设备都使用 NAT，尤其是在通过 DSL 或电缆调制解调器连接宽带网的情况下。

NAT 对于解决 IPv4 地址耗费问题 (在 IPv6 部署中却没必要) 尽管很有效，但毕竟属于临时性的解决方案。

这种 IPv4 地址占用问题在亚洲及世界其他一些地方已比较严重，且日渐成为北美地区需要关注的问题。

论IP地址的使用范围和保留地址IP地址是互联网中计算机用于通信和定位的重要标识。

它是由32位或128位的二进制数字组成，通常以四个十进制数表示，每个数值范围在0到255之间，用点分隔。

在互联网的运作中，IP地址的使用范围和保留地址扮演着至关重要的角色。

一、IP地址的使用范围1. 公有IP地址公有IP地址分配给互联网上的网络设备，以实现其与其他设备的通信。

公有IP地址需要经过互联网服务提供商（ISP）进行分配，因为其数量有限。

它们在全球范围内是唯一的，且不可更改。

2. 私有IP地址私有IP地址是专门用于内部网络的。

其范围定义在了Internet Engineering Task Force（IETF）的RFC 1918中。

私有IP地址在局域网（LAN）中使用，不会在公共互联网上被路由。

因此，私有IP地址一般只在特定网络中有效。

二、私有IP地址的保留范围1. 10.0.0.0 - 10.255.255.255IP地址以10开头的范围属于私有IP地址，可供大型企业或组织使用。

2. 172.16.0.0 - 172.31.255.255IP地址以172.16开头至172.31结尾的范围也属于私有IP地址，常用于中小型企业或组织。

3. 192.168.0.0 - 192.168.255.255IP地址以192.168开头的范围同样被保留为私有IP地址，广泛应用于家庭网络和小型办公环境中。

通过上述私有IP地址的保留范围，可以充分利用IP地址资源，并有效实现内部网络通信需求。

三、保留地址的作用1. 内部网络通信私有IP地址的保留范围提供了有限的IP资源，可以为内部网络的设备提供唯一的标识，以实现内部通信、网络管理和资源共享。

2. 网络安全利用私有IP地址，内部网络设备能够在公共互联网上隐藏起来，增强了网络的安全性。

私有IP地址无法直接从公网访问，因此有助于减少潜在的网络攻击和威胁。

3. NAT(Network Address Translation，网络地址转换)功能私有IP地址与公有IP地址之间可以通过网络地址转换实现连接，这种技术被广泛应用于家庭网络和企业网络中。

CISCO路由器配置手册返回教程第一章路由器配置基础一、基本设置方式二、命令状态三、设置对话过程四、常用命令五、配置IP寻址六、配置静态路由第二章广域网协议设置一、HDLC二、PPP三、X.25四、Frame Relay五、ISDN六、PSTN第三章路由协议设置一、RIP协议二、IGRP协议三、OSPF协议四、重新分配路由五、IPX协议设置第四章服务质量及访问控制一、协议优先级设置二、队列定制三、访问控制第五章虚拟局域网（VLAN）路由一、虚拟局域网(VLAN)二、交换机间链路（ISL）协议三、虚拟局域网（VLAN）路由实例参考第一章路由器配置基础一、基本设置方式一般来说，可以用5种方式来设置路由器：1．Console口接终端或运行终端仿真软件的微机；2．AUX口接MODEM，通过电话线与远方的终端或运行终端仿真软件的微机相连；3．通过Ethernet上的TFTP服务器；4．通过Ethernet上的TELNET程序；5．通过Ethernet上的SNMP网管工作站。

但路由器的第一次设置必须通过第一种方式进行,此时终端的硬件设置如下:波特率：9600数据位：8停止位：1奇偶校验: 无二、命令状态1.router>路由器处于用户命令状态，这时用户可以看路由器的连接状态，访问其它网络和主机，但不能看到和更改路由器的设置内容。

2.router#在router>提示符下键入enable,路由器进入特权命令状态router#，这时不但可以执行所有的用户命令，还可以看到和更改路由器的设置内容。

3.router(config)#在router#提示符下键入configure terminal,出现提示符router(config)#，此时路由器处于全局设置状态，这时可以设置路由器的全局参数。

4.router(config-if)#; router(config-line)#; router(config-router)#;…路由器处于局部设置状态，这时可以设置路由器某个局部的参数。

一、NAT简介：1.NAT（Network Address Translation）网络地址转换。

2.最早出现在思科11.2 IOS中，定义在RFC1631和RFC3022中。

3.NAT最主要的作用是为了缓解IPv4地址空间的不足。

4.同时也带来了一些问题，如每个数据包到达路由器后都要进行包头的转换操作，所以增加了延迟；DNS区域传送，BOOTP/DHCP等协议不可穿越NAT路由器；5.改动了源IP，失去了跟踪到端IP流量的能力，所以使责任不明确了。

6.但是利还是要大于弊的，不然也不会学习它了！最新的CCNA640-802学习指南中依然有专门的一章来讲解NAT，它的重要性可见一斑。

二、NAT术语：比较难理解，所以这里用最明了的语言总结如下1.内部本地地址（inside local address ）：局域网内部主机的地址，通常是RFC1918地址空间中的地址，称为私有地址。

（待转换的地址）2.内部全局地址（inside global address）：内部本地地址被NAT路由器转换后的地址，通常是一个可路由的公网地址。

3.外部全局地址（outside global address）：是与内部主机通信的目标主机的地址，通常是一个可路由的公网地址。

4.外部本地地址（outside local address）：是目标主机可路由的公网地址被转换之后的地址，通常是RFC1918地址空间中的地址。

三、NAT配置详解：1.静态NAT：将一个私有地址和一个公网地址一对一映射的配置方法，这种方式不能节省IP，通常只为需要向外网提供服务的内网服务器配置。

如图所示：PC1地址：192.168.0.2/24PC2地址：192.168.0.3/24R1 E0/0地址：192.168.0.1/24R1 S0/0地址：202.106.0.1/24R2 S0/0地址：202.106.0.2/24R2 E0/0地址：202.106.1.1/24PC3地址：202.106.1.2/24 (模拟公网服务器)各接口地址按上面配置好之后，在R1和R2上配置路由（注意不要为192.1 68.0.0网络增加路由项，因为私有网络不可以出现在公网路由表中，不然也不叫私有地址了）路由配置好之后在R1上可以ping通PC3，但是PC1只能ping到R1的S 0/0，再向前就ping不通了。

操作手册 IP业务分册 NAT-PT 目录目录第1章 NAT-PT配置................................................................................................................1-11.1 NAT-PT简介.......................................................................................................................1-11.1.1 NAT-PT机制............................................................................................................1-21.1.2 NAT-PT实现过程.....................................................................................................1-21.1.3 协议规范..................................................................................................................1-31.2 NAT-PT配置任务简介........................................................................................................1-31.3 配置NAT-PT.......................................................................................................................1-41.3.1 配置准备..................................................................................................................1-41.3.2 使能NAT-PT功能.....................................................................................................1-41.3.3 配置NAT-PT前缀.....................................................................................................1-41.3.4 配置IPv4侧报文的映射...........................................................................................1-51.3.5 配置IPv6侧报文的映射...........................................................................................1-61.3.6 配置不同协议报文的NAT-PT有效时间....................................................................1-71.3.7 配置会话的最大数量................................................................................................1-81.3.8 配置NAT-PT转换后报文的ToS/Traffic Class字段值................................................1-81.4 NAT-PT显示和维护............................................................................................................1-91.5 NAT-PT典型配置举例........................................................................................................1-91.5.1 配置IPv6侧动态映射...............................................................................................1-91.5.2 配置IPv4侧静态映射和IPv6侧静态映射...............................................................1-111.6 常见配置错误举例............................................................................................................1-13本文中标有“请以实际情况为准”的特性描述，表示各型号对于此特性的支持情况可能不同，本节将对此进行说明。

【IPv6】NAT-PT for IPv6一、机制概述RFC2766、RFC2765。

NAT-PT（网络地址转换-协议转换）是一种地址转换技术，它可以把IPv6地址转换成IPv4地址，反之亦然。

NAT-PT基于RFC2766中定义的无状态IP/ICMP转换器（SIIT）算法。

SIIT算法互译IPv4和IPv6数据包头部，也包括ICMP头部。

需要注意的是，在IPv6环境中，不建议像IPv4对待NAT的态度哪样，去使用NAT。

仅仅在V4单协议与V6单协议网络需要互相通信的时候，才建议使用NAT-PT。

我们看上面的例子，对于IPv6单协议网络而言，首先它有访问IPv6因特网的需求，因此默认的IPv6流量全部交给R1，另外，它可能还有访问IPv4因特网的需求，这时候，就需要借助R2这台NAT-PT设备。

2001:2::/96，这个长度为96位的前缀是我们为了NAT-PT操作预定义的前缀，可以自定义，但是长度必须是96bits。

在IPv6单协议网络中产生的、去往2001:2::/96这个目的地的流量被路由到R2也就是NAT-PT设备，然后数据包中的IPv6地址被转换为IPv4地址并传送给IPv4因特网中的IPv4单协议节点。

二、NAT-PT配置及原理2.1 静态NAT-PT1、静态NAT-PT（单向）A和B的配置都极其简单A的配置：interface FastEthernet0/0ipv6 enableipv6 address 2001:1::1/64ipv6 route ::/0 2001:1::FFFFB的配置如下：interface FastEthernet0/0ip address 202.101.100.2 255.255.255.0ip route 0.0.0.0 0.0.0.0 202.101.100.1R2的配置如下：ipv6 unicast-routing!interface FastEthernet0/0 !! 连接A的接口ipv6 enableipv6 address 2001:1::FFFF/64ipv6 nat!interface FastEthernet1/0ip address 202.101.100.1 255.255.255.0ipv6 nat!ipv6 nat prefix 2001:2::/96 !! 是一个为NAT-PT预留的池ipv6 nat v6v4 source 2001:1::1 202.101.100.100 !! 相当于将2001:1::1这个IPv6的节点，“告知”给IPv4单协议网络中的用户知道，可以以202.101.100.100的方式访问。

计算机与现代化　2007年第3期J I S UANJ I Y U X I A NDA I HUA总第139期文章编号:100622475(2007)0320090203收稿日期:2006204211作者简介:熊英(19772),女,湖北浠水人,湖北工业大学计算机学院,讲师,硕士,研究方向:计算机网络。

基于S N MP 的M I B 库访问熊　英(湖北工业大学计算机学院,湖北武汉430068)摘要:M I B 库的访问是实现网络管理的关键。

本文简要概述了S NM P 协议及网络管理信息库,利用W inS NMP AP I 实现了基于S NMP 的M I B 库的访问,从而进一步实施网络管理的各项功能。

关键词:S NM P;M I B ;W inS NMP中图分类号:TP393 文献标识码:AI m plem en t a ti on of Accessi n g M I B Ba sed on SN M PX I O NG Ying(School of Computer Science,Hubei University of Technol ogy,W uhan 430068,China )Abstract:M I B is the key t o realize the whole net w ork management .Si m p le Net w ork Manage ment Pr ot ocol and M I B are briefly in 2tr oduced .Based on S NMP,an access t o M I B is i m p le mented by using W inS NMP AP I .Theref ore,more functi ons of net w ork manage ment will be i m p r oved .Key words:S NMP;M I B ;W inS NMP0　引　言采用网络管理技术开发先进的网络系统,能够有效地监控网络,保证信息稳定、可靠的传输。

Network Working Group B. Aboba Request for Comments: 3715 W. Dixon Category: Informational Microsoft March 2004 IPsec-Network Address Translation (NAT) Compatibility Requirements Status of this MemoThis memo provides information for the Internet community. It doesnot specify an Internet standard of any kind. Distribution of thismemo is unlimited.Copyright NoticeCopyright (C) The Internet Society (2004). All Rights Reserved. AbstractThis document describes known incompatibilities between NetworkAddress Translation (NAT) and IPsec, and describes the requirementsfor addressing them. Perhaps the most common use of IPsec is inproviding virtual private networking capabilities. One very popular use of Virtual Private Networks (VPNs) is to provide telecommuteraccess to the corporate Intranet. Today, NATs are widely deployed in home gateways, as well as in other locations likely to be used bytelecommuters, such as hotels. The result is that IPsec-NATincompatibilities have become a major barrier in the deployment ofIPsec in one of its principal uses.Aboba & Dixon Informational [Page 1]Table of Contents1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 21.1. Requirements Language. . . . . . . . . . . . . . . . . . 22. Known Incompatibilities between NA(P)T and IPsec . . . . . . . 3 2.1. Intrinsic NA(P)T Issues. . . . . . . . . . . . . . . . . 3 2.2. NA(P)T Implementation Weaknesses . . . . . . . . . . . . 72.3. Helper Incompatibilities . . . . . . . . . . . . . . . . 83. Requirements for IPsec-NAT Compatibility . . . . . . . . . . . 84. Existing Solutions . . . . . . . . . . . . . . . . . . . . . . 12 4.1. IPsec Tunnel Mode. . . . . . . . . . . . . . . . . . . . 12 4.2. RSIP . . . . . . . . . . . . . . . . . . . . . . . . . . 134.3. 6to4 . . . . . . . . . . . . . . . . . . . . . . . . . . 135. Security Considerations. . . . . . . . . . . . . . . . . . . . 146. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 6.1. Normative References . . . . . . . . . . . . . . . . . . 156.2. Informative References . . . . . . . . . . . . . . . . . 167. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 178. Authors’ Addresses . . . . . . . . . . . . . . . . . . . . . . 179 . Full Copyright Statement . . . . . . . . . . . . . . . . . . . 18 1. IntroductionPerhaps the most common use of IPsec [RFC2401] is in providingvirtual private networking (VPN) capabilities. One very popular use of VPNs is to provide telecommuter access to the corporate Intranet. Today, Network Address Translations (NATs) as described in [RFC3022] and [RFC2663], are widely deployed in home gateways, as well as inother locations likely to be used by telecommuters, such as hotels.The result is that IPsec-NAT incompatibilities have become a majorbarrier in the deployment of IPsec in one of its principal uses.This document describes known incompatibilities between NAT andIPsec, and describes the requirements for addressing them.1.1. Requirements LanguageIn this document, the key words "MAY", "MUST, "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted asdescribed in [RFC2119].Please note that the requirements specified in this document are tobe used in evaluating protocol submissions. As such, therequirements language refers to capabilities of these protocols; the protocol documents will specify whether these features are required, recommended, or optional. For example, requiring that a protocolsupport confidentiality is not the same thing as requiring that allprotocol traffic be encrypted.Aboba & Dixon Informational [Page 2]A protocol submission is not compliant if it fails to satisfy one or more of the MUST or MUST NOT requirements for the capabilities thatit implements. A protocol submission that satisfies all the MUST,MUST NOT, SHOULD, and SHOULD NOT requirements for its capabilities is said to be "unconditionally compliant"; one that satisfies all theMUST and MUST NOT requirements, but not all the SHOULD or SHOULD NOT requirements for its protocols is said to be "conditionallycompliant."2. Known Incompatibilities between NA(P)T and IPsecThe incompatibilities between NA(P)T and IPsec can be divided intothree categories:1) Intrinsic NA(P)T issues. These incompatibilities derive directly from the NA(P)T functionality described in [RFC3022]. Theseincompatibilities will therefore be present in any NA(P)T device.2) NA(P)T implementation weaknesses. These incompatibilities are not intrinsic to NA(P)T, but are present in many NA(P)Timplementations. Included in this category are problems inhandling inbound or outbound fragments. Since these issues arenot intrinsic to NA(P)T, they can, in principle, be addressed infuture NA(P)T implementations. However, since the implementation problems appear to be wide spread, they need to be taken intoaccount in a NA(P)T traversal solution.3) Helper issues. These incompatibilities are present in NA(P)Tdevices which attempt to provide for IPsec NA(P)T traversal.Ironically, this "helper" functionality creates furtherincompatibilities, making an already difficult problem harder tosolve. While IPsec traversal "helper" functionality is notpresent in all NA(P)Ts, these features are becoming sufficientlypopular that they also need to be taken into account in a NA(P)Ttraversal solution.2.1. Intrinsic NA(P)T IssuesIncompatibilities that are intrinsic to NA(P)T include:a) Incompatibility between IPsec AH [RFC2402] and NAT. Since the AH header incorporates the IP source and destination addresses in the keyed message integrity check, NAT or reverse NAT devices makingchanges to address fields will invalidate the message integritycheck. Since IPsec ESP [RFC2406] does not incorporate the IPsource and destination addresses in its keyed message integritycheck, this issue does not arise for ESP.Aboba & Dixon Informational [Page 3]b) Incompatibility between checksums and NAT. TCP and UDP checksums have a dependency on the IP source and destination addressesthrough inclusion of the "pseudo-header" in the calculation. As a result, where checksums are calculated and checked upon receipt,they will be invalidated by passage through a NAT or reverse NATdevice.As a result, IPsec Encapsulating Security Payload (ESP) will only pass through a NAT unimpeded if TCP/UDP protocols are not involved (as in IPsec tunnel mode or IPsec protected GRE), or checksums are not calculated (as is possible with IPv4 UDP). As described in[RFC793], TCP checksum calculation and verification is required in IPv4. UDP/TCP checksum calculation and verification is requiredin IPv6.Stream Control Transmission Protocol (SCTP), as defined in[RFC2960] and [RFC3309], uses a CRC32C algorithm calculated onlyon the SCTP packet (common header + chunks), so that the IP header is not covered. As a result, NATs do not invalidate the SCTP CRC, and the problem does not arise.Note that since transport mode IPsec traffic is integrityprotected and authenticated using strong cryptography,modifications to the packet can be detected prior to checkingUDP/TCP checksums. Thus, checksum verification only providesassurance against errors made in internal processing.c) Incompatibility between IKE address identifiers and NAT. Where IP addresses are used as identifiers in Internet Key ExchangeProtocol (IKE) Phase 1 [RFC2409] or Phase 2, modification of theIP source or destination addresses by NATs or reverse NATs willresult in a mismatch between the identifiers and the addresses in the IP header. As described in [RFC2409], IKE implementations are required to discard such packets.In order to avoid use of IP addresses as IKE Phase 1 and Phase 2identifiers, userIDs and FQDNs can be used instead. Where userauthentication is desired, an ID type of ID_USER_FQDN can be used, as described in [RFC2407]. Where machine authentication isdesired, an ID type of ID_FQDN can be used. In either case, it is necessary to verify that the proposed identifier is authenticated as a result of processing an end-entity certificate, ifcertificates are exchanged in Phase 1. While use of USER_FQDN or FQDN identity types is possible within IKE, there are usagescenarios (e.g. Security Policy Database (SPD) entries describing subnets) that cannot be accommodated this way.Aboba & Dixon Informational [Page 4]Since the source address in the Phase 2 identifier is often usedto form a full 5-tuple inbound SA selector, the destinationaddress, protocol, source port and destination port can be used in the selector so as not to weaken inbound SA processing.d) Incompatibility between fixed IKE source ports and NAPT. Wheremultiple hosts behind the NAPT initiate IKE SAs to the sameresponder, a mechanism is needed to allow the NAPT to demultiplex the incoming IKE packets from the responder. This is typicallyaccomplished by translating the IKE UDP source port on outboundpackets from the initiator. Thus responders must be able toaccept IKE traffic from a UDP source port other than 500, and must reply to that port. Care must be taken to avoid unpredictablebehavior during re-keys. If the floated source port is not usedas the destination port for the re-key, the NAT may not be able to send the re-key packets to the correct destination.e) Incompatibilities between overlapping SPD entries and NAT. Where initiating hosts behind a NAT use their source IP addresses inPhase 2 identifiers, they can negotiate overlapping SPD entrieswith the same responder IP address. The responder could then send packets down the wrong IPsec SA. This occurs because to theresponder, the IPsec SAs appear to be equivalent, since they exist between the same endpoints and can be used to pass the sametraffic.f) Incompatibilities between IPsec SPI selection and NAT. SinceIPsec ESP traffic is encrypted and thus opaque to the NAT, the NAT must use elements of the IP and IPsec header to demultiplexincoming IPsec traffic. The combination of the destination IPaddress, security protocol (AH/ESP), and IPsec SPI is typicallyused for this purpose.However, since the outgoing and incoming SPIs are chosenindependently, there is no way for the NAT to determine whatincoming SPI corresponds to what destination host merely byinspecting outgoing traffic. Thus, were two hosts behind the NAT to attempt to create IPsec SAs at the same destinationsimultaneously, it is possible that the NAT will deliver theincoming IPsec packets to the wrong destination.Note that this is not an incompatibility with IPsec per se, butrather with the way it is typically implemented. With both AH and ESP, the receiving host specifies the SPI to use for a given SA, a choice which is significant only to the receiver. At present, the combination of Destination IP, SPI, and Security Protocol (AH,ESP) uniquely identifies a Security Association. Also, SPI values in the range 1-255 are reserved to IANA and may be used in the Aboba & Dixon Informational [Page 5]future. This means that, when negotiating with the same external host or gateway, the internal hosts behind the same NAPT canselect the same SPI value, such that one host inbound SA is(SPI=470, Internal Dest IP=192.168.0.4)and a different host inbound SA is(SPI=470, Internal Dest IP=192.168.0.5).The receiving NAPT will not be able to determine which internalhost an inbound IPsec packet with SPI=470 should be forwarded to. It is also possible for the receiving host to allocate a uniqueSPI to each unicast Security Association. In this case, theDestination IP Address need only be checked to see if it is "anyvalid unicast IP for this host", not checked to see if it is thespecific Destination IP address used by the sending host. Usingthis technique, the NA(P)T can be assured of a low but non-zerochance of forwarding packets to the wrong internal host, even when two or more hosts establish SAs with the same external host.This approach is completely backwards compatible, and onlyrequires the particular receiving host to make a change to its SPI allocation and IPsec_esp_input() code. However, NA(P)T devicesmay not be able to detect this behavior without problemsassociated with parsing IKE payloads. And a host may still berequired to use a SPI in the IANA reserved range for the assigned purpose.g) Incompatibilities between embedded IP addresses and NAT. Sincethe payload is integrity protected, any IP addresses enclosedwithin IPsec packets will not be translatable by a NAT. Thisrenders ineffective Application Layer Gateways (ALGs) implemented within NATs. Protocols that utilize embedded IP addresses include FTP, IRC, SNMP, LDAP, H.323, SIP, SCTP (optionally), and manygames. To address this issue, it is necessary to install ALGs on the host or security gateway that can operate on applicationtraffic prior to IPsec encapsulation and after IPsecdecapsulation.h) Implicit directionality of NA(P)T. NA(P)Ts often require aninitial outbound packet to flow through them in order to create an inbound mapping state. Directionality prohibits unsolicitedestablishment of IPsec SAs to hosts behind the NA(P)T.i) Inbound SA selector verification. Assuming IKE negotiates phase 2 selectors, inbound SA processing will drop the decapsulatedpacket, since [RFC2401] requires a packet’s source address matchthe SA selector value, which NA(P)T processing of an ESP packetwould change.Aboba & Dixon Informational [Page 6]2.2. NA(P)T Implementation WeaknessesImplementation problems present in many NA(P)Ts include:j) Inability to handle non-UDP/TCP traffic. Some NA(P)Ts discardnon-UDP/TCP traffic or perform address-only translation when only one host is behind the NAT. Such NAPTs are unable to enable SCTP, ESP (protocol 50), or AH (protocol 51) traffic.k) NAT mapping timeouts. NA(P)Ts vary in the time for which a UDPmapping will be maintained in the absence of traffic. Thus, even where IKE packets can be correctly translated, the translationstate may be removed prematurely.l) Inability to handle outgoing fragments. Most NA(P)Ts can properly fragment outgoing IP packets in the case where the IP packet size exceeds the MTU on the outgoing interface. However, propertranslation of outgoing packets that are already fragmented isdifficult and most NAPTs do not handle this correctly. As notedin Section 6.3 of [RFC3022], where two hosts originate fragmented packets to the same destination, the fragment identifiers canoverlap. Since the destination host relies on the fragmentationidentifier and fragment offset for reassembly, the result will be data corruption. Few NA(P)Ts protect against identifiercollisions by supporting identifier translation. Identifiercollisions are not an issue when NATs perform the fragmentation,since the fragment identifier need only be unique within asource/destination IP address pair.Since a fragment can be as small as 68 octets [RFC791], there isno guarantee that the first fragment will contain a complete TCPheader. Thus, a NA(P)T looking to recalculate the TCP checksummay need to modify a subsequent fragment. Since fragments can be reordered, and IP addresses can be embedded and possibly evensplit between fragments, the NA(P)T will need to performreassembly prior to completing the translation. Few NA(P)Tssupport this.m) Inability to handle incoming fragments. Since only the firstfragment will typically contain a complete IP/UDP/SCTP/TCP header, NAPTs need to be able to perform the translation based on thesource/dest IP address and fragment identifier alone. Sincefragments can be reordered, the headers to a given fragmentidentifier may not be known if a subsequent fragment arrives prior to the initial one, and the headers may be split betweenfragments. As a result, the NAPT may need to perform reassemblyprior to completing the translation. Few NAPTs support this.Note that with NAT, the source/dest IP address is enough toAboba & Dixon Informational [Page 7]determine the translation so that this does not arise. However,it is possible for the IPsec or IKE headers to be split betweenfragments, so that reassembly may still be required.2.3. Helper IncompatibilitiesIncompatibilities between IPsec and NAT "helper" functionalityinclude:n) Internet Security Association and Key Management Protocol (ISAKMP) header inspection. Today some NAT implementations attempt to use IKE cookies to de-multiplex incoming IKE traffic. As withsource-port de-multiplexing, IKE cookie de-multiplexing results in problems with re-keying, since Phase 1 re-keys typically will not use the same cookies as the earlier traffic.o) Special treatment of port 500. Since some IKE implementations are unable to handle non-500 UDP source ports, some NATs do nottranslate packets with a UDP source port of 500. This means that these NATs are limited to one IPsec client per destinationgateway, unless they inspect details of the ISAKMP header toexamine cookies which creates the problem noted above.p) ISAKMP payload inspection. NA(P)T implementations that attempt to parse ISAKMP payloads may not handle all payload orderingcombinations, or support vendor_id payloads for IKE optionnegotiation.3. Requirements for IPsec-NAT CompatibilityThe goal of an IPsec-NAT compatibility solution is to expand therange of usable IPsec functionality beyond that available in theNAT-compatible IPsec tunnel mode solution described in Section 2.3.In evaluating a solution to IPsec-NAT incompatibility, the following criteria should be kept in mind:DeploymentSince IPv6 will address the address scarcity issues thatfrequently lead to use of NA(P)Ts with IPv4, the IPsec-NATcompatibility issue is a transitional problem that needs to besolved in the time frame prior to widespread deployment of IPv6.Therefore, to be useful, an IPsec-NAT compatibility solution MUST be deployable on a shorter time scale than IPv6.Aboba & Dixon Informational [Page 8]Since IPv6 deployment requires changes to routers as well ashosts, a potential IPsec-NAT compatibility solution, whichrequires changes to both routers and hosts, will be deployable on approximately the same time scale as IPv6. Thus, an IPsec-NATcompatibility solution SHOULD require changes only to hosts, andnot to routers.Among other things, this implies that communication between thehost and the NA(P)T SHOULD NOT be required by an IPsec-NATcompatibility solution, since that would require changes to theNA(P)Ts, and interoperability testing between the host and NA(P)T implementations. In order to enable deployment in the short term, it is necessary for the solution to work with existing router and NA(P)T products within the deployed infrastructure.Protocol CompatibilityAn IPsec NAT traversal solution is not expected to resolve issues with protocols that cannot traverse NA(P)T when unsecured withIPsec. Therefore, ALGs may still be needed for some protocols,even when an IPsec NAT traversal solution is available.SecuritySince NA(P)T directionality serves a security function, IPsecNA(P)T traversal solutions should not allow arbitrary incomingIPsec or IKE traffic from any IP address to be received by a host behind the NA(P)T, although mapping state should be maintainedonce bidirectional IKE and IPsec communication is established.Telecommuter ScenarioSince one of the primary uses of IPsec is remote access tocorporate Intranets, a NA(P)T traversal solution MUST supportNA(P)T traversal, via either IPsec tunnel mode or L2TP over IPsec transport mode [RFC3193]. This includes support for traversal of more than one NA(P)T between the remote client and the VPNgateway.The client may have a routable address and the VPN gateway may be behind at least one NA(P)T, or alternatively, both the client and the VPN gateway may be behind one or more NA(P)Ts. Telecommuters may use the same private IP address, each behind their own NA(P)T, or many telecommuters may reside on a private network behind thesame NA(P)T, each with their own unique private address,connecting to the same VPN gateway. Since IKE uses UDP port 500as the destination, it is not necessary to enable multiple VPNgateways operating behind the same external IP address.Aboba & Dixon Informational [Page 9]Gateway-to-Gateway ScenarioIn a gateway-gateway scenario, a privately addressed network (DMZ) may be inserted between the corporate network and the Internet.In this design, IPsec security gateways connecting portions of the corporate network may be resident in the DMZ and have privateaddresses on their external (DMZ) interfaces. A NA(P)T connectsthe DMZ network to the Internet.End-to-End ScenarioA NAT-IPsec solution MUST enable secure host-host TCP/IPcommunication via IPsec, as well as host-gateway communications.A host on a private network MUST be able to bring up one ormultiple IPsec-protected TCP connections or UDP sessions toanother host with one or more NA(P)Ts between them. For example, NA(P)Ts may be deployed within branch offices connecting to thecorporate network, with an additional NA(P)T connecting thecorporate network to the Internet. Likewise, NA(P)Ts may bedeployed within a corporate network LAN or WAN to connect wireless or remote location clients to the corporate network. This mayrequire special processing of TCP and UDP traffic on the host.Bringing up SCTP connections to another host with one or more NA(P)Ts between them may present special challenges. SCTP supports multi-homing. If more than one IP address is used, these addresses aretransported as part of the SCTP packet during the association setup(in the INIT and INIT-ACK chunks). If only single homed SCTP end-points are used, [RFC2960] section 3.3.2.1 states:Note that not using any IP address parameters in the INIT andINIT-ACK is an alternative to make an association more likelyto work across a NAT box.This implies that IP addresses should not be put into the SCTP packet unless necessary. If NATs are present and IP addresses are included, then association setup will fail. Recently [AddIP] has been proposed which allows the modification of the IP address once an associationis established. The modification messages have also IP addresses in the SCTP packet, and so will be adversely affected by NATs.Firewall CompatibilitySince firewalls are widely deployed, a NAT-IPsec compatibilitysolution MUST enable a firewall administrator to create simple,static access rule(s) to permit or deny IKE and IPsec NA(P)Ttraversal traffic. This implies, for example, that dynamicallocation of IKE or IPsec destination ports is to be avoided. Aboba & Dixon Informational [Page 10]ScalingAn IPsec-NAT compatibility solution should be capable of beingdeployed within an installation consisting of thousands oftelecommuters. In this situation, it is not possible to assumethat only a single host is communicating with a given destination at a time. Thus, an IPsec-NAT compatibility solution MUST address the issue of overlapping SPD entries and de-multiplexing ofincoming packets.Mode SupportAt a minimum, an IPsec-NAT compatibility solution MUST supporttraversal of the IKE and IPsec modes required for support within[RFC2409] and [RFC2401]. For example, an IPsec gateway MUSTsupport ESP tunnel mode NA(P)T traversal, and an IPsec host MUSTsupport IPsec transport mode NA(P)T traversal. The purpose of AH is to protect immutable fields within the IP header (includingaddresses), and NA(P)T translates addresses, invalidating the AHintegrity check. As a result, NA(P)T and AH are fundamentallyincompatible and there is no requirement that an IPsec-NATcompatibility solution support AH transport or tunnel mode.Backward Compatibility and InteroperabilityAn IPsec-NAT compatibility solution MUST be interoperable withexisting IKE/IPsec implementations, so that they can communicatewhere no NA(P)T is present. This implies that an IPsec-NATcompatibility solution MUST be backwards-compatible with IPsec as defined in [RFC2401] and IKE as defined in [RFC2409]. Inaddition, it SHOULD be able to detect the presence of a NA(P)T, so that NA(P)T traversal support is only used when necessary. Thisimplies that it MUST be possible to determine that an existing IKE implementation does not support NA(P)T traversal, so that astandard IKE conversation can occur, as described in [RFC2407],[RFC2408], and [RFC2409]. Note that while this implies initiation of IKE to port 500, there is no requirement for a specific source port, so that UDP source port 500 may or may not be used.SecurityAn IPsec-NAT compatibility solution MUST NOT introduce additional IKE or IPsec security vulnerabilities. For example, an acceptable solution must demonstrate that it introduces no new denial ofservice or spoofing vulnerabilities. IKE MUST be allowed to re-key in a bi-directional manner as described in [RFC2408].Aboba & Dixon Informational [Page 11]4. Existing Solutions4.1. IPsec Tunnel ModeIn a limited set of circumstances, it is possible for an IPsec tunnel mode implementation, such as that described in [DHCP], to traverseNA(P)T successfully. However, the requirements for successfultraversal are sufficiently limited so that a more general solution is needed:1) IPsec ESP. IPsec ESP tunnels do not cover the outer IP headerwithin the message integrity check, and so will not sufferAuthentication Data invalidation due to address translation.IPsec tunnels also need not be concerned about checksuminvalidation.2) No address validation. Most current IPsec tunnel modeimplementations do not perform source address validation so thatincompatibilities between IKE identifiers and source addresseswill not be detected. This introduces security vulnerabilities as described in Section 5.3) "Any to Any" SPD entries. IPsec tunnel mode clients can negotiate "any to any" SPDs, which are not invalidated by addresstranslation. This effectively precludes use of SPDs for thefiltering of allowed tunnel traffic.4) Single client operation. With only a single client behind a NAT, there is no risk of overlapping SPDs. Since the NAT will not need to arbitrate between competing clients, there is also no risk ofre-key mis-translation, or improper incoming SPI or cookiede-multiplexing.5) No fragmentation. When certificate authentication is used, IKEfragmentation can be encountered. This can occur when certificate chains are used, or even when exchanging a single certificate ifthe key size, or the size of other certificate fields (such as the distinguished name and other extensions), is large enough.However, when pre-shared keys are used for authentication,fragmentation is less likely.6) Active sessions. Most VPN sessions typically maintain ongoingtraffic flow during their lifetime so that UDP port mappings areless likely be removed due to inactivity.Aboba & Dixon Informational [Page 12]。