Re: NAT64 and IPsec support
On 29/03/2008, at 7:34 AM, Iljitsch van Beijnum wrote:

> On 28 Mar 2008, at 21:10, Iljitsch van Beijnum wrote:
>
>> Ok, this is all easy enough (and should equally apply to both
>> tunnel and transport mode), except that RFC 3948 doesn't really
>> mention IKE, which I think needs to be changed to support NAT64 or
>> NAT46. Question to the IPsec experts: would it be possible to have
>> the updated IKE implementation on just one end (presumably the v6
>> end) where the other end thinks it just sees regular NAT44?
>
> Wait: this is only an issue if the IPv6 host thinks it's actually
> doing v6. In that case, I don't see how IKE could work (but IKE is
> extremely complex and I only know how it works very superficially).
> If on the other hand the host knows it's talking to a v4 destination
> it can anticipate the translation and it should probably be possible
> to make things such that IKE can work the same way as though NAT44.

=> IKE can work with, for example, mapped addresses; it sets up the SA
based on the v4 address. I think this was discussed in either SIIT or
in:
http://www.tools.ietf.org/html/draft-ietf-ngtrans-siit-dstm-00
or in both, I can't remember now.
Hesham