[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NAT64 and IPsec support
GT> But then the NAT64 box is irrelevant.
The only thing we have to make sure for both of these cases is that
NAT64 does not interfere with native IPv4 and native IPv6 traffic.
GT> The only question in my mind that is relevant to the NAT64
discussions, is whether IKE/IPSEC, can work between an IPv6only node
and an IPv4only node.
exactly!
IMHO there is something perverse about expecting
such a thing to work and I would just forget about it.
well, it seems that people expect that things that work on a regular
v4NAT shoudl also work in NAT64, so i would like to see if we can
require that.
Some flavors of IPSec does work through v4NATs. see RFC3948
GT> Note that in IPv4NAT, one can tunnel over it, meaning that NATv4
is applied only on the (non-secured) tunnel header and the inner
header can be IPSECed with no problems. When the two peers do not
speak the same IP version, however, such an approach does not help
i.e., all IP-layer headers will require translation which will always
break IPSEC
that is exactly my point
So IPSec tunnel mode, even if it is supported in v4NATs seems hard to
support in NAT64, since each of the peers only speack one IPversion and
the inner IP header cannot be changed
GT> So, unless we are talking about IKE/IPSEC that somehow does NOT
cover IP-layer headers,
yes, there seems to be one of such cases, which is IPSec transport mode
the so called telecommuter scenario
it seems possible to me (whit my incredilble limited knowledge on IKE)
that this could work
So my current proposal is to require to support the teleconmuter scenario
Regards, marcelo
I do not think any solution to this exists.
But maybe I am missing something?
Regards
George