Re: IPsec support for NAT-PT in IPv6



 In your previous mail you wrote:

   Comments welcome.
   
=> in section 2.1:
   The IP addresses are usually used as the ID values in this procedure.

 this is not true: draft-ietf-pki4ipsec-ikecert-profile-03.txt:
   ... Of these types, FQDN and USER_FQDN are
   RECOMMENDED over IP addresses (see discussion in Section 3.1.1).

   and in section 3.1.1 there is the rationale:

   Implementations SHOULD NOT populate ID payload with IP addresses due
   to interoperability issues such as problems with NAT traversal, and
   problems with IP verification behavior.

 So the solution is simple: avoid (put a MUST NOT on) ID payloads with
 IP addresses, as is already done for NAT traversal.

=> section 2.2 describes a NAT problem, not a NAT-PT problem.
I don't understand why section 3 doesn't try to extend the NAT traversal
mechanism...

=> section 4 doesn't make sense: IKE already works well through a NAT.

=> idem for section 5. If the only issue is the transport checksum,
the current NAT traversal has NAT-OA payloads to fix it.

So my recommendation is to refer to RFC 3715 (IPsec-Network Address
Translation (NAT) Compatibility Requirements) and its companion solution
I-D draft-ietf-ipsec-nat-t-ike-08.txt.

Regards

Francis.Dupont@enst-bretagne.fr
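An added illustration of the NAT-OA point raised above (example code written for this page, not code from the draft under review, RFC 3715 or the NAT-T I-D): a responder receiving a UDP-encapsulated transport-mode segment from an initiator behind a NAT verifies the protected inner TCP checksum using the original addresses learned from the NAT-OA payloads, then incrementally rewrites it (RFC 1624) for the translated address so its own stack accepts the segment. Addresses, ports and payload are constructed sample values.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Fold 16-bit words into a 16-bit ones' complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(w for (w,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, 0, proto 6, length)
    plus the segment, with the checksum field (octets 16-17) taken as zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    return tcp_checksum(src, dst, segment) == struct.unpack("!H", segment[16:18])[0]

def fixup(old_csum: int, old_addr: bytes, new_addr: bytes) -> int:
    """Incremental update, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), where m is
    the address being replaced in the pseudo-header and m' its replacement."""
    total = ((~old_csum) & 0xFFFF) + ((~ones_complement_sum(old_addr)) & 0xFFFF)
    total += ones_complement_sum(new_addr)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_segment(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed TCP segment (SYN, ports 40000 -> 80) whose checksum is
    correct for the given pre-NAT addresses, as the initiator would send it."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 1024, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]

def receive_transport_mode(segment, outer_src, outer_dst, nat_oa_i, nat_oa_r):
    """Responder side after ESP decapsulation: the ESP-protected inner checksum
    still reflects the initiator's original address (from NAT-OAi) while the
    outer header carries the NAT's address. Returns (verified, segment)."""
    if not checksum_ok(nat_oa_i, nat_oa_r, segment):
        return False, segment
    csum = struct.unpack("!H", segment[16:18])[0]
    csum = fixup(csum, nat_oa_i, outer_src)  # initiator address was translated
    csum = fixup(csum, nat_oa_r, outer_dst)  # no-op when the responder is not
    return True, segment[:16] + struct.pack("!H", csum) + segment[18:]
```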