[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT64 and IPsec support

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: NAT64 and IPsec support
From: marcelo bagnulo <marcelo@it.uc3m.es>
Date: Sat, 29 Mar 2008 11:05:03 +0100
Cc: IPv6 Operations <v6ops@ops.ietf.org>, mcr@sandelman.ca, narten@us.ibm.com, dthaler@microsoft.com
In-reply-to: <5DF0C845-324F-41F8-838C-D92414D8AE7F@muada.com>
References: <47ED4397.10108@it.uc3m.es> <5DF0C845-324F-41F8-838C-D92414D8AE7F@muada.com>
User-agent: Thunderbird 2.0.0.12 (Macintosh/20080213)

Iljitsch van Beijnum escribió:

On 28 mrt 2008, at 20:14, marcelo bagnulo wrote:
Another issue that was brought up during the meeting was IPSec support.
I have been reading RFC3948 and i have some questions.
I understand that if transport mode can work through v4 NATs usingRFC3948 UDP encapsulation and soem other tweaks defined in the RFC,then it is reasonable to expect that the same level of support ofsupport can be achieved in NAT64.so we could simply add a requirement that NAT64 mechanisms shouldsupport the use cases supported by RFC3948.
Ok, this is all easy enough (and should equally apply to both tunneland transport mode), except that RFC 3948 doesn't really mention IKE,which I think needs to be changed to support NAT64 or NAT46. Questionto the IPsec experts: would it be possible to have the updated IKEimplementation on just one end (presumably the v6 end) where the otherend thinks it just sees regular NAT44?
In tunnel mode, we have two IP headers and the NAT64 will onlytranslate one of them (by default, if we don't do anything specialwith it).so, the problem, is that even if the outside IP header is translatedwith the NAT64 box, the inner header remains in the original IPversion, so i am wondering if this doesn't present additionladifficulties. The option is to translate both headers
The inner header is encrypted and/or protected by a HMAC sotranslating it is not possible. However: there are two possibilities:


no, there are no possibilites then.
I mean,
if the v4 only host don't understand v6
and
the v6 only host don't understand v6,
and
the inner header cannot be changed (so it is v6 or v4)
Then

we cannot make this work, i.e. there is no possible IPSec tunnel modesupport,

since the inner header is either:
v4, then the v6 only node doesn't understand it
or
v6 then the v4 only node doesn't understand it

So, my conclusion is that we cannot require IPSec tunnel mode support inthe NAT64 environment


We can require transport mode support, if we can work out the details

what am i missing?

regards, marcelo

1. The inner header is IPv6. In that case, it seems reasonable thatIPv6 could also be used for the outer header so the issue is moot
2. The inner header is IPv4. In that case, no translation is requiredso the issue is also moot

References:
- NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: NAT64 and DNSSec
Next by Date: Re: NAT64 and IPsec support
Previous by thread: Re: NAT64 and IPsec support
Next by thread: Re: NAT64 and IPsec support
Index(es):
- Date
- Thread