On 29 mrt 2008, at 11:25, marcelo bagnulo wrote:
So IPSec tunnel mode, even if it is supported in v4NATs seems hard to support in NAT64, since each of the peers only speack one IPversion and the inner IP header cannot be changed
But wouldn't most hosts, even if they only have IPv6 connectivity, usually also support IPv4 in their stack during the transition period? I can imagine that constrained devices may want to drop IPv4 support but it's hard to imagine devices that are willing to run IPsec but are too constrained to support IPv4.
It starts to look to me that the IPv6 side in a NAT64 scenario could possibly do everything that's needed to make IPsec work through NAT64 the same way it today works through NAT44, with only minimal cooperation from the NAT box.
GT> So, unless we are talking about IKE/IPSEC that somehow does NOT cover IP-layer headers,
yes, there seems to be one of such cases, which is IPSec transport mode the so called telecommuter scenario
Note that IPsec transport mode is rarely used in practice.