
RE: IPsec support for NAT-PT in IPv6



* IKE ==> In an environment that uses dynamic addresses (DHCP, NAT, ...), we
use IKE with CERT as far as possible, but IKE surely can't use CERT in
some conditions (e.g. no CERT, authentication of IP address).
In a real IKE procedure, I think we need to look at things from various
methodologies.

* IPsec using UDP encapsulation in NAT-PT
==> If we use IPsec using UDP encapsulation, see below
1. NAT ==> |New IPv4 header|UDP|Original IPv4 header|IKE or AH payload|
2. NAT-PT ==> |New IPv4 header|UDP|Original IPv6 header|IKE or AH payload|

NAT can use the UDP encapsulation method because the original IPv4 header is
not changed, and the opposite peer can understand the original IPv4 packet.
But NAT-PT can't use the same method because the opposite peer can't
understand the original IPv6 packet.

-----Original Message-----
From: Francis.Dupont@enst-bretagne.fr
[mailto:Francis.Dupont@enst-bretagne.fr] 
Sent: Tuesday, November 02, 2004 10:20 PM
To: Inseok Choi
Cc: v6ops@ops.ietf.org
Subject: Re: IPsec support for NAT-PT in IPv6 

 In your previous mail you wrote:

   in 2.1 ==> My proposed mechanism assumed IKE using the preshared key
   phase.

=> a preshared key with an unpredictable address doesn't work in main mode,
there is nothing to do to fix that because this is an intrinsic feature
(identity protection).

   If we can't use IKE with a certificate, we should use IKE some other way.
   
   in IPsec using UDP encapsulation ==> NAT-PT can't apply to it.

=> why? UDP encapsulation is there to help header translation and is
not limited to NAT.

   If we use IPsec with UDP encapsulation in NAT-PT, the NAT-PT server
   may send an IPv4-in-IPv6 packet.

=> I can't see the problem: the user wants to protect and encapsulate
its IPv6 packet...

   However, an IPv4 node doesn't understand an IPv6 packet.
   
=> so tunnel mode is not usable but transport is.

   Therefore, NAT traversal method can be applied to NAT-PT mechanism.
   
Regards
   
Francis.Dupont@enst-bretagne.fr
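
Added example, not part of either message in this thread: how a receiver classifies UDP port 4500 payloads under RFC 3948 (UDP encapsulation of ESP), and how the ESP Next Header byte separates transport mode from tunnel mode with an inner IPv6 packet, the distinction drawn in the reply above. The packet bytes and the helper names (`classify_udp4500`, `esp_mode`, `build_esp`) are constructed for illustration, and `esp_mode` assumes ESP-NULL or already-decrypted payloads.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4             # RFC 3948: precedes IKE on UDP/4500
TUNNEL_INNER = {4: "IPv4", 41: "IPv6"}   # IANA protocol numbers for IP-in-IP

def classify_udp4500(payload: bytes) -> str:
    """Classify one UDP port 4500 payload the way an RFC 3948 receiver does."""
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 8:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"                         # first 4 bytes are a non-zero SPI

def esp_mode(esp: bytes, icv_len: int = 0) -> str:
    """Name the IPsec mode from the ESP trailer's Next Header byte.

    Assumption: the ESP payload is readable (ESP-NULL or already decrypted).
    """
    next_header = esp[len(esp) - icv_len - 1]
    inner = TUNNEL_INNER.get(next_header)
    if inner:
        return f"tunnel, inner {inner} header"
    return f"transport, protocol {next_header}"

def build_esp(spi: int, seq: int, data: bytes, next_header: int) -> bytes:
    """Constructed ESP-NULL packet: SPI, sequence, data, padding, trailer."""
    pad_len = -(len(data) + 2) % 4       # align trailer to a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + data + padding + bytes([pad_len, next_header])

# Constructed samples (not captured traffic).
IKE_PACKET = NON_ESP_MARKER + bytes(28)              # marker + zeroed 28-byte IKE header
TRANSPORT_ESP = build_esp(0x1001, 1, bytes(20), 6)   # TCP segment, no inner IP header
IPV6_HEADER = struct.pack("!IHBB", 6 << 28, 0, 59, 64) + bytes(32)
TUNNEL_ESP = build_esp(0x1002, 1, IPV6_HEADER, 41)   # whole IPv6 packet inside

if __name__ == "__main__":
    for name, pkt in [("ike", IKE_PACKET), ("transport", TRANSPORT_ESP), ("tunnel", TUNNEL_ESP)]:
        kind = classify_udp4500(pkt)
        print(name, kind, esp_mode(pkt) if kind == "esp" else "")
```

In the transport-mode sample no IP header travels inside the ESP payload, while the tunnel-mode sample carries a complete IPv6 header that the receiving peer has to parse.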