
Re: IPsec support for NAT-PT in IPv6



 In your previous mail you wrote:

   * IKE ==> In an environment which uses dynamic addresses (DHCP, NAT, ...), as
   far as possible we use IKE with CERT. But IKE can't always use CERT in some
   conditions (e.g. no CERT, authentication of IP address).
   In the real IKE procedure, I think we need to see things from various
   methodologies.
   
=> you are simply trying to make NAT-PT an exceptional case: I disagree,
NAT traversal, "road warriors", etc, are already known and handled cases.

   * IPsec using UDP encapsulation in NAT-PT
   ==> If we use IPsec using UDP encapsulation, see below
   1. NAT ==> |New IPv4 header|UDP|Original IPv4 header|IKE or AH payload|

=> there is no such "Original IPv4 header" (IKE doesn't tunnel and
AH is usable in tunnel mode only in theory).

   2. NAT-PT ==> |New IPv4 header|UDP|Original IPv6 header|IKE or AH payload|
   
=> same.
The only problem is with ESP transport:

New IPv4 header|optional UDP|ESP {ESP header|Original IPv6 packet|ESP trailer}
where of course the Original IPv6 packet, likely encrypted, can't be
understood by the IPv4-only peer. But NAT-PT can't do anything about it;
this is just a service (ESP tunnel) which doesn't make any sense
in this context.

   NAT can use the UDP encapsulation method because the Original IPv4 header is not
   changed, and the opposite peer can understand the original IPv4 packet.
   But NAT-PT can't use the same method because the opposite peer can't understand
   the original IPv6 packet.
   
=> please read NAT traversal and UDP encapsulation drafts...
      
Regards
      
Francis.Dupont@enst-bretagne.fr
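As an added illustration (not part of this mail or the thread), the UDP/4500 framing from the UDP encapsulation draft that became RFC 3948 shows what a NAT or NAT-PT box actually sees: an IKE message behind a zero non-ESP marker, or an ESP header (SPI, sequence) followed by ciphertext. The builders, the XOR stand-in for the cipher and the sample bytes are constructed for the demo.

```python
import struct

# RFC 3948: on UDP/4500 an IKE message is preceded by a 4-byte all-zero
# "Non-ESP marker"; anything else is ESP, whose first 4 bytes are the SPI
# (never zero for a real SA) followed by a 4-byte sequence number.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
ESP_HEADER = struct.Struct("!II")  # SPI, sequence number


def demux_udp4500(payload: bytes) -> dict:
    """Classify a UDP/4500 payload the way a NAT-T endpoint or a middlebox can."""
    if len(payload) < ESP_HEADER.size:
        raise ValueError("payload shorter than an ESP header / marker + IKE")
    if payload.startswith(NON_ESP_MARKER):
        # IKE is not tunnelled: the IKE message follows the marker directly,
        # so there is no "original" IP header for a translator to rewrite.
        return {"kind": "ike", "ike_message": payload[4:]}
    spi, seq = ESP_HEADER.unpack_from(payload)
    # Everything after SPI/seq is ciphertext (ESP trailer and ICV included).
    # Whether it carries a whole IPv6 packet (tunnel mode) or only a transport
    # payload is invisible here, which is why NAT-PT has nothing to translate.
    return {"kind": "esp", "spi": spi, "seq": seq, "ciphertext": payload[8:]}


def build_udp4500_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Constructed ESP-in-UDP payload (the UDP header is assumed to be added by the stack)."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return ESP_HEADER.pack(spi, seq) + ciphertext


def build_udp4500_ike(ike_message: bytes) -> bytes:
    """Constructed IKE-over-UDP/4500 payload: marker, then the IKE message."""
    return NON_ESP_MARKER + ike_message


if __name__ == "__main__":
    # Constructed sample: an IPv6 header start (version nibble 6) "encrypted"
    # with a stand-in XOR so the demo runs offline; real ESP uses the negotiated cipher.
    inner_ipv6 = bytes.fromhex("60000000") + bytes(36)
    fake_ciphertext = bytes(b ^ 0xA5 for b in inner_ipv6)
    esp = demux_udp4500(build_udp4500_esp(0x1000, 1, fake_ciphertext))
    ike = demux_udp4500(build_udp4500_ike(b"\x00" * 28))
    # The translator sees SPI/seq only; the "version nibble" it would read is garbage (0xC).
    print(esp["kind"], hex(esp["spi"]), esp["seq"], hex(esp["ciphertext"][0] >> 4))
    print(ike["kind"], len(ike["ike_message"]))
```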