
Re: IPv6 tunnel over NAT



On Fri, 27 Sep 2002, Rob Austein wrote:

Hi Rob,

> For other relay problems (eg, 6to4) it might make sense to look into
> some kind of tunnel control using IPsec.  Unless I misremember the
> spec, tunnel mode IPsec does allow the inner and outer versions of IP
> to be different, so one could have (eg) IPv6/ESP/IPv4 and the only
> additional cost over the normal 6to4 encapsulation would be the ESP
> header itself.  Account setup for IPsec isn't as well understood as
> for PPP, but perhaps we can use what works for PPP as a model.

There is a problem with what you describe WRT 6to4.  When a 6to4 router is
sending a packet to a "native" IPv6 host it can "discover" a 6to4
relay router using the well known anycast address (RFC 3068) or might send
the packet to a particular relay router (using unicast).  However, it is not
guaranteed that a response from the native IPv6 host will arrive at the
6to4 router by way of the same relay router.  Routing on the native
IPv6 internet will determine which relay router will be used to reply
to the 6to4 router in question.  This makes it very difficult to create a
security association with all 6to4 relay routers.  Today there are only a
few 6to4 relay routers deployed (AFAIK), but there is certainly no limit
as to how many will be deployed in the future.  The non-deterministic
nature of which relay routers a 6to4 router may receive traffic from is the
very nature of 6to4's security issues.

-Jason
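An added example, not from this thread, of the ingress checks a 6to4 router can apply to a decapsulated protocol-41 packet and of where the relay asymmetry described above leaves a gap: when the inner IPv6 source is itself a 2002::/16 address, the IPv4 address embedded in it (RFC 3056 format) must match the outer IPv4 source; when the inner source is a native IPv6 address, the packet came via whichever relay native routing chose and the outer source cannot be verified. The function name check_decapsulated and the IPv4 addresses 11.22.33.44 and 55.66.77.88 are constructed for the example; 192.88.99.1 is the RFC 3068 relay anycast address.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
# Well-known 6to4 relay anycast address from RFC 3068 (cited in the post).
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")

def sixto4_prefix(v4):
    """2002:WWXX:YYZZ::/48 derived from IPv4 W.X.Y.Z (RFC 3056 format)."""
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Network((0x2002 << 112 | int(v4) << 80, 48))

def embedded_v4(v6):
    """IPv4 address carried in bits 16..47 of a 2002::/16 address, else None."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def check_decapsulated(my_v4, outer_src, inner_src, inner_dst):
    """Ingress checks for a protocol-41 packet arriving at a 6to4 router
    whose own IPv4 address is my_v4 (hypothetical helper). Returns (accept, reason)."""
    outer_src = ipaddress.IPv4Address(outer_src)
    if ipaddress.IPv6Address(inner_dst) not in sixto4_prefix(my_v4):
        return False, "inner destination is outside this router's 2002: prefix"
    emb = embedded_v4(inner_src)
    if emb is not None:
        # Direct 6to4-to-6to4 path: outer IPv4 source must equal the embedded one.
        if emb.is_private or emb.is_multicast:
            return False, "embedded IPv4 %s is not global unicast" % emb
        if emb != outer_src:
            return False, "outer source %s != embedded %s" % (outer_src, emb)
        return True, "6to4 peer, outer/inner sources consistent"
    # Native IPv6 source: the reply came through whichever relay native IPv6
    # routing picked (not necessarily RELAY_ANYCAST), so the outer source cannot
    # be tied to the inner packet. This is the asymmetry the post describes.
    return True, "native source via relay %s, outer source unverifiable" % outer_src

# Constructed sample packets: (outer IPv4 src, inner IPv6 src, inner IPv6 dst).
MY_V4 = "11.22.33.44"  # this router's constructed IPv4 address
SAMPLES = [
    ("55.66.77.88", "2002:3742:4d58::1", "2002:b16:212c::1"),  # honest 6to4 peer
    ("99.99.99.99", "2002:3742:4d58::1", "2002:b16:212c::1"),  # spoofed inner src
    ("55.66.77.88", "2002:c0a8:101::1", "2002:b16:212c::1"),   # embeds 192.168.1.1
    ("192.88.99.1", "2001:db8::1", "2002:b16:212c::1"),        # native host via relay
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", check_decapsulated(MY_V4, *pkt))
```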