
Re: [Fwd: I-D Action:draft-carpenter-shanti-01.txt]



On Nov 7, 2007, at 18:46, Brian E Carpenter wrote:

> I've fixed a lot of errors and inconsistencies in this version.
> I'd really like to know if the idea holds water. Active co-authors
> would be most welcome. Critical review by someone who's been
> tracking BEHAVE would be most welcome.

It looks like "reverse RSIP" for IPv6-transition.  Brilliant!

I'm also not entirely convinced that carrying network layer IPsec ESP through SHANTI to IPv4 endpoints would be all that difficult. I start by doing the fairly obvious thing in existing IKE ALGs in use today for IPsec VPN transparency, where you track IKE cookies and match SPI to local host addresses by serializing their IKE transactions. You'd just have to look for IPv6 addresses as well as IPv4 addresses in the SHANTI translator. You'd still have all the same old problems with IPv4/NAT and IPsec ESP translation with an IKE ALG, but those are — again — limitations of communicating over IPv4 with a single IP address mapped to multiple private addresses. In short, your IPv6-only node would be able to communicate with IPsec ESP to IPv4 hosts through the SHANTI translator with basically the same level of brokenness that you have today with an IPv4 stack at a private address behind a NAT.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
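As an added illustration of the IKE ALG behaviour the message above describes (not code from the message, the SHANTI draft, or any real translator), here is a minimal Python model of the state a translator keeps: outbound IKE exchanges are serialized one inside host at a time, the initiator cookie is mapped to that host so replies can be returned, and the first inbound ESP packet with an unknown SPI is attributed to the host whose exchange is open. The inside addresses are IPv6, as SHANTI would see them; the cookie and SPI values in the walkthrough are constructed.

```python
from typing import Dict, Optional


class IkeEspAlg:
    """Translator-side state for passing IKE/ESP from many inside hosts
    through one outside IPv4 address (hypothetical, simplified model)."""

    def __init__(self) -> None:
        self.cookie_owner: Dict[int, str] = {}   # IKE initiator cookie -> inside host
        self.spi_owner: Dict[int, str] = {}      # inbound ESP SPI -> inside host
        self.in_flight: Optional[str] = None     # host whose IKE exchange is still open

    def outbound_ike(self, host: str, init_cookie: int) -> bool:
        """Inside host sends IKE (UDP/500). Only one exchange may be open at a
        time, because an inbound ESP SPI can otherwise not be attributed.
        Returns False when the packet must wait for the open exchange."""
        if self.in_flight is not None and self.in_flight != host:
            return False
        self.cookie_owner[init_cookie] = host
        self.in_flight = host
        return True

    def inbound_ike(self, init_cookie: int) -> Optional[str]:
        """IKE reply from the IPv4 peer: deliver to the host owning the cookie."""
        return self.cookie_owner.get(init_cookie)

    def inbound_esp(self, spi: int) -> Optional[str]:
        """ESP from the IPv4 peer. A known SPI goes to its owner; an unknown SPI
        is learned as belonging to the host whose IKE exchange is open, which
        then closes that exchange. With no open exchange the packet is dropped."""
        host = self.spi_owner.get(spi)
        if host is None:
            if self.in_flight is None:
                return None
            host = self.in_flight
            self.spi_owner[spi] = host
            self.in_flight = None
        return host


if __name__ == "__main__":
    alg = IkeEspAlg()
    print(alg.outbound_ike("2001:db8::10", 0x1111))   # True: exchange opened
    print(alg.outbound_ike("2001:db8::20", 0x2222))   # False: must wait (serialized)
    print(alg.inbound_ike(0x1111))                     # 2001:db8::10
    print(alg.inbound_esp(0xABCD))                     # 2001:db8::10 (SPI learned)
    print(alg.outbound_ike("2001:db8::20", 0x2222))   # True: previous exchange closed
```

The deferred second exchange is the "same level of brokenness" the message refers to: the single outside address forces the translator to guess SPI ownership from ordering rather than from anything in the ESP header.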