Realm-Specific IP for VPNs and Beyond

Although still in draft stage, RSIP holds great promise for bridging public and private address spaces. Better yet, it sidesteps many of the pitfalls associated with applying NAT to IPsec traffic.

Lisa Phifer
VP Core Competence, Inc.
[June 23, 2000]

In last month's column (IP Security and NAT: Oil and Water?), we explored issues associated with combing IPsec and Network Address Translation (NAT). NAT is often used on teleworker and small business LANs to share a single public IP. Enterprise customers also use NAT to host servers behind a firewall or hide private network topology. As explained in that column, it is possible to run tunnel-mode IPsec Encapsulating Security Payload (ESP) through NAT, but one must do so with great care. Better yet, NAT before IPsec; don't IPsec before NAT.

But what if your customers cannot NAT before IPsec or require other incompatible flavors of IPsec: the Authentication Header (AH) or transport-mode ESP? There may still be hope. The IETF is now defining a NAT alternative called Realm-Specific IP (RSIP) that may prove kinder to IPsec.

What is RSIP?
RSIP leases public IP addresses and ports to RSIP hosts located in private addressing realms. Unlike NAT, RSIP does not operate in stealth mode and does not translate addresses on the fly. Instead, RSIP allows hosts to directly participate concurrently in several addressing realms. While RSIP does require host awareness, it avoids violating the end-to-end nature of the Internet. With RSIP, IP payload flows from source to destination without modifications that cripple IPsec AH and many other NAT-sensitive protocols.

How RSIP works
RSIP gateways are multi-homed devices that straddle two or more addressing realms, just as NAT-capable firewalls and routers do today. When an RSIP-savvy host wants to communicate beyond its own private network, it registers with an RSIP gateway. The RSIP gateway allocates a unique public IP address (or a shared public IP address and a unique set of TCP/UDP ports) and binds the RSIP host's private address to this public address. The RSIP host uses this public source address to send packets to public destinations until its lease expires or is renewed.

But the RSIP host can't send a publicly addressed packet as-is; it must first get the packet to the RSIP gateway. To do this, the host wraps the original packet inside a privately addressed outer packet. This "encapsulation" can be accomplished using any standard tunneling protocol: IP-in-IP, the generic routing encapsulation (GRE), or the layer two tunneling protocol (L2TP). Upon receipt, the RSIP gateway strips off the outer packet and forwards the original packet across the public network, towards its final destination.

For simplicity, we talk about RSIP linking one private network to the public Internet, but RSIP can also be used to relay traffic between several privately addressed networks. An RSIP host can lease several different addresses as needed to reach different destinations networks. I've focused on outgoing traffic here, but an RSIP host can ask the RSIP gateway to relay incoming packets addressed to a public IP and port.

go to page 2: Combining RSIP and IPsec