
RE: IPsec support for NAT-PT in IPv6



in 2.1 ==> My proposed mechanism assumed IKE using the preshared key phase.
If we can't use IKE with certificates, we should use IKE in another way.

in IPsec using UDP encapsulation ==> NAT-PT can't apply to it. If we use
IPsec using UDP encapsulation in NAT-PT, the NAT-PT server may send an
IPv4-in-IPv6 packet. However, an IPv4 node doesn't understand IPv6 packets.

Therefore, the NAT traversal method can be applied to the NAT-PT mechanism.

-----Original Message-----
From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On Behalf
Of Francis Dupont
Sent: Friday, October 29, 2004 9:44 PM
To: 최인석
Cc: v6ops@ops.ietf.org
Subject: Re: IPsec support for NAT-PT in IPv6 

 In your previous mail you wrote:

   Comments welcome.
   
=> in section 2.1:
   The IP addresses are usually used as the ID values in this procedure.

 this is not true: draft-ietf-pki4ipsec-ikecert-profile-03.txt:
   ... Of these types, FQDN and USER_FQDN are
   RECOMMENDED over IP addresses (see discussion in Section 3.1.1).

   and in section 3.1.1 there is the rationale:

   Implementations SHOULD NOT populate ID payload with IP addresses due
   to interoperability issues such as problems with NAT traversal, and
   problems with IP verification behavior.

 So the solution is simple: avoid (put a MUST NOT) ID payload with
 IP addresses as it is already done for the NAT traversal.

=> section 2.2 describes a NAT problem, not a NAT-PT problem.
I don't understand why section 3 doesn't try to extend the NAT traversal
mechanism...

=> section 4 doesn't make sense: IKE already works well through a NAT.

=> idem for section 5. If the only issue is the transport checksum
the current NAT traversal has NAT-OA payloads to fix it.

So my recommendation is to refer to RFC 3715 (IPsec-Network Address
Translation (NAT) Compatibility Requirements) and its companion solution
I-D draft-ietf-ipsec-nat-t-ike-08.txt

Regards

Francis.Dupont@enst-bretagne.fr
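
The ID payload point raised in the quoted message can be checked mechanically. The following is an added example, not code from the thread or from any of the cited drafts: it parses an IKEv1 Identification payload (ID type values as assigned in the IPsec DOI, RFC 2407) and classifies it according to the recommendation quoted above. The function names, the verdict labels and the sample payloads are assumptions made for illustration.

```python
import ipaddress
import struct

# ID type values from the IPsec DOI (RFC 2407).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR",
            6: "ID_IPV6_ADDR_SUBNET", 7: "ID_IPV4_ADDR_RANGE",
            8: "ID_IPV6_ADDR_RANGE", 9: "ID_DER_ASN1_DN",
            10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID"}
IP_ADDRESS_IDS = {1, 5}   # the IDs a NAT or NAT-PT box invalidates
RECOMMENDED_IDS = {2, 3}  # FQDN and USER_FQDN, per the quoted profile text


def parse_id_payload(buf):
    """Parse one IKEv1 ID payload: 4-byte generic header, then
    ID type (1), protocol ID (1), port (2) and the identification data."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed part")
    _next, _reserved, length, id_type, proto, port = struct.unpack(
        "!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("payload length field inconsistent with buffer")
    return {"id_type": id_type, "protocol": proto, "port": port,
            "data": buf[8:length]}


def audit_id(buf):
    """Return (verdict, type name); verdict labels are hypothetical."""
    p = parse_id_payload(buf)
    name = ID_TYPES.get(p["id_type"], "UNKNOWN")
    if p["id_type"] in IP_ADDRESS_IDS:
        return "ip-address", name
    if p["id_type"] in RECOMMENDED_IDS:
        return "recommended", name
    return "other", name


def build_id_payload(id_type, data, proto=0, port=0):
    """Build a constructed sample payload for the checks below."""
    header = struct.pack("!BBHBBH", 0, 0, 8 + len(data), id_type, proto, port)
    return header + data


if __name__ == "__main__":
    samples = [  # constructed samples using documentation names and prefixes
        build_id_payload(2, b"gw.example.net"),
        build_id_payload(1, ipaddress.ip_address("192.0.2.10").packed),
        build_id_payload(5, ipaddress.ip_address("2001:db8::1").packed),
    ]
    for s in samples:
        print(audit_id(s))
```
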