Re: ingress filteing problem

[Brian E Carpenter <brc@zurich.ibm.com>]

Christian Huitema wrote:
> 
> > > I'm probably late to the party, but don't (1) and (2) break
> > > transport-mode IPsec?
> > >
> >
> > (1) depicts schemes to forward IP packet to the "correct" ISP such
> that
> > the
> > source address is matching ISP's ingress filter. There is no IP
> src/dst
> > rewriting during the process. So, transport-mode IPsec won't be
> affected.
> >
> > (2) use NAT to rewrite the locators (IP src/dst) in order to pass
> through
> > ISP's ingress filter and provides consistent src/dst address pair for
> > non-multi6 host at another end of the communication. It is no better
> (or
> > worse) than existing NAT deployments regarding IPsec compatibility
> issues.
> 
> Of course, this can only work if you use NAT fully, i.e. keep state per
> connection, rewrite the checksums, provide ALG for the protocols that
> carry addresses in the payload, accept that the ALG will break if one
> uses IPSEC in transport mode, etc. There must be another way...
> 
> -- Christian Huitema

By "NAT" I trust we mean reversible NAT... this WG is not about to
suggest traditional NAT for IPv6, I don't think. Solutions that rewrite
the locator(s) and then set them back to their original value before
final processing at the destination will not break IPSEC and will not
require any transport checksums to be recalculated.

Of course, how the source knows which rewrite will be accepted by
the relevant ingress filters is a little piece of magic TBD.

   Brian