Re: [Fwd: I-D Action:draft-carpenter-shanti-01.txt]
On Nov 7, 2007, at 18:46, Brian E Carpenter wrote:
> I've fixed a lot of errors and inconsistencies in this version.
> I'd really like to know if the idea holds water. Active co-authors
> would be most welcome. Critical review by someone who's been
> tracking BEHAVE would be most welcome.
It looks like "reverse RSIP" for IPv6-transition. Brilliant!
I'm also not entirely convinced that carrying network layer IPsec ESP
through SHANTI to IPv4 endpoints would be all that difficult. I
start by doing the fairly obvious thing in existing IKE ALGs in use
today for IPsec VPN transparency where you track IKE cookies and
match SPI to local host addresses by serializing their IKE
transactions. You'd just have to look for IPv6 addresses as well as
IPv4 addresses in the SHANTI translator. You'd still have all the
same old problems with IPv4/NAT and IPsec ESP translation with an IKE
ALG, but those are— again— limitations of communicating over IPv4
with a single IP address mapped to multiple private addresses. In
short, your IPv6-only node would be able to communicate with IPsec
ESP to IPv4 hosts through the SHANTI translator with basically the
same level of brokenness that you have today with an IPv4 stack at a
private address behind a NAT.
--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
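The IKE-ALG approach sketched in the reply above (track IKE cookies to route IKE replies back to the right internal host, and serialize IKE negotiations per remote peer so that the first inbound ESP packet with an unknown SPI can be attributed to the one host that just negotiated with that peer) is modelled below as a toy state machine. This is an added example, not code from the draft, from Apple, or from any real translator; the class name `IkeEspAlg`, its methods, and the addresses used (documentation ranges) are all constructed. The model ignores UDP encapsulation, IKEv1/IKEv2 message details and state timeouts; it keeps only the mappings the argument relies on, and accepts IPv6 as well as IPv4 internal addresses, which is the one change the reply says a SHANTI translator would need over a conventional IPv4 NAT.

```python
"""Toy IKE ALG for ESP through a single-external-address translator.

Constructed example (not from the draft or the thread). Models three
pieces of state that the approach described in the reply needs:

  * (peer, IKE initiator cookie) -> internal host, to route IKE replies;
  * peer -> internal host currently negotiating with that peer, which is
    the serialization point: only one internal host may be mid-IKE with a
    given peer, because ESP SPIs are negotiated inside IKE and the
    translator cannot see them;
  * (peer, inbound ESP SPI) -> internal host, learned from the first ESP
    packet that arrives after a negotiation.

Internal hosts may be IPv4 or IPv6 (SHANTI's case is IPv6-only hosts);
the external side is IPv4.
"""
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import Dict, Optional, Tuple, Union

Addr = Union[IPv4Address, IPv6Address]


class IkeEspAlg:
    def __init__(self, external_v4: str) -> None:
        self.external_v4: IPv4Address = IPv4Address(external_v4)
        self.ike_by_cookie: Dict[Tuple[IPv4Address, int], Addr] = {}
        self.pending_by_peer: Dict[IPv4Address, Addr] = {}
        self.esp_by_spi: Dict[Tuple[IPv4Address, int], Addr] = {}

    def outbound_ike(self, internal: str, peer: str, init_cookie: int) -> bool:
        """Internal host starts (or continues) IKE with peer.

        Returns False when a *different* internal host is mid-negotiation
        with that peer: forwarding this message would make the next inbound
        ESP SPI ambiguous, so the caller must hold or fail it. This is the
        per-peer serialization the reply describes, and also the source of
        the 'same old brokenness': two hosts cannot negotiate with one peer
        at the same time.
        """
        src, dst = ip_address(internal), IPv4Address(peer)
        holder = self.pending_by_peer.get(dst)
        if holder is not None and holder != src:
            return False
        self.pending_by_peer[dst] = src
        self.ike_by_cookie[(dst, init_cookie)] = src
        return True

    def inbound_ike(self, peer: str, init_cookie: int) -> Optional[Addr]:
        """Route an IKE reply by the initiator cookie the internal host chose."""
        return self.ike_by_cookie.get((IPv4Address(peer), init_cookie))

    def outbound_esp(self, internal: str, peer: str) -> Tuple[IPv4Address, IPv4Address]:
        """Outbound ESP needs no SPI state: the source is unambiguous, so the
        translator only rewrites it to the shared external IPv4 address."""
        ip_address(internal)  # validate; IPv4 or IPv6 both acceptable here
        return self.external_v4, IPv4Address(peer)

    def inbound_esp(self, peer: str, spi: int) -> Optional[Addr]:
        """Deliver inbound ESP by SPI; bind an unknown SPI to the host whose
        IKE negotiation with this peer was in progress, then release the
        per-peer slot. Unknown SPI with nobody negotiating -> None (drop)."""
        dst = IPv4Address(peer)
        known = self.esp_by_spi.get((dst, spi))
        if known is not None:
            return known
        holder = self.pending_by_peer.pop(dst, None)
        if holder is None:
            return None
        self.esp_by_spi[(dst, spi)] = holder
        return holder


def run_scenario() -> list:
    """Constructed walk-through: two IPv6-only hosts behind one IPv4 address
    talking IPsec to the same IPv4 peer. Returns the per-step outcomes."""
    alg = IkeEspAlg("198.51.100.1")
    out = []
    out.append(alg.outbound_ike("2001:db8::a", "192.0.2.1", 0x1111))  # True
    out.append(alg.outbound_ike("2001:db8::b", "192.0.2.1", 0x2222))  # False: serialized
    out.append(alg.outbound_ike("2001:db8::b", "192.0.2.9", 0x3333))  # True: other peer
    out.append(str(alg.inbound_ike("192.0.2.1", 0x1111)))             # 2001:db8::a
    out.append(str(alg.inbound_esp("192.0.2.1", 0x1000)))             # 2001:db8::a (learned)
    out.append(alg.outbound_ike("2001:db8::b", "192.0.2.1", 0x2222))  # True: slot released
    out.append(str(alg.inbound_esp("192.0.2.1", 0x2000)))             # 2001:db8::b
    out.append(str(alg.inbound_esp("192.0.2.1", 0x1000)))             # 2001:db8::a (cached)
    out.append(alg.inbound_esp("192.0.2.1", 0x9999))                  # None: drop
    return out


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The serialization slot is what makes SPI attribution possible without parsing the encrypted IKE payloads, and it is also the concrete form of the limitation the reply accepts: with one external address, a second internal host wanting an SA to the same peer has to wait until the first one's ESP traffic has appeared, and a peer that reuses a SPI across hosts, or starts ESP before the ALG saw its IKE, is misrouted or dropped exactly as it would be behind an ordinary IPv4 NAT.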