[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NAT64 and IPsec support
Hi Marcelo,
see my responses inline.
Thanks,
Yaron
marcelo bagnulo wrote:
Hi Yaron,
thank you for your input, see some questions below...
Yaron Sheffer escribió:
I think we are bundling several different cases together. I will try
to enumerate the use cases, to clarify the situation a bit:
Case 1: v6-only host to v4-only host.
I don't think any IPsec solution can be crafted here.
So, in you opinion, if we have a v6 host communicating with a v4 host
a NAT64 in the middle, then they cannot communicate using IPSec,
neither transport nor tunnel mode directly between them. That includes
doing nor ESP nor AH nor IKE, is that correct?
Yes this is correct. A NAT box cannot do anything useful to either IKE
or IPsec unless it has access to the encryption keys, which would not
make sense in our case.
Case 2: one IPsec gateway (a common remote-access deployment).
v6-only host ==== (v6-only connectivity) === (optional v4 network)
==== IPsec Gateway ======== v4-only host
We can use normal IPv6 IPsec in tunnel mode between the v6 host and
the gateway, followed by NAT64 on the v4 side.
but this doesn't involves the NAT64 box at all, i guess. So, even if
this is a usefull case, this is transparent to the NAT64 box imho
Yes, it should "just work".
I'm not sure what the gateway will do if we also have NAT64 on the
left-hand side and IPsec traffic is then encapsulated in UDP/IPv4. We
might need to require IPsec peers to allow this situation. Note that
in this sub-case, the encrypted traffic is never touched, only the
UDP encapsulation is.
Ok, so in this case we would have two NAT64 boxes, right?
One for inner header and other for the outer header, but the thing is
that the inner header is performed AFTER the IPSec validation has been
preformed. This may be interesting indeed. Still i think this is
transparent to the NAT64 box right?
I'm not sure. The left-hand side NAT64 box (between the v6 network and
the v4 network) would need to convert IPv6 IPsec traffic, which is not
specifically UDP or TCP into IPv4 traffic. This is not required in the
problem statement, AFAICT.
Case 3: two IPsec gateways (site-to-site VPN):
v6-only host ==== IPsec GW ==== (v6 and/or v4 connectivity) ====
IPsec GW ====== v4-only host
Here you can do NAT64 either on the v6 or the v4 side, assuming both
are mixed networks, and we'd better recommend which one we prefer.
IPsec here is definitely tunnel mode.
so here we could have a NAT64 box between the two IPSec GW?
I mean is it possible that the IPSec GW are one v6 only and the other
one IPv4 only?
No (sorry I wasn't clear). You can have the box either to the left of
the left-hand GW, or to the right of the right-hand GW. As for the hosts
in case #1, you cannot have a v4-only GW talk to a v6-only GW.
Case 4: dual stack host with v6-only connectivity. Yes this is
perverse, but it may actually be common for a while.
In this case you could envision NAT64 happening on the host (!) which
creates an IPv4-IPsec tunnel with its peer, encapsulates it in UDP
and sends it into the IPv6 network.
right, but this not only requires v4 stack in the v6only node (which
would be ok, since as you say it seems this will be a common case for
a while) but it also requires to provision a valid IPv4 address to the
v6 only node and that address is not purely local, since it will be
the v4 address the v4 only node has in its IPSec SA, right?
So, even i agree this is possible i am not sure this is so interesting
Actually we commonly provision such addresses to IPv4 clients today,
*inside* the IPsec tunnel. They are known as "Tunnel Inner Address
(TIA)". But I think I got this case wrong: you end up with a v4 packet,
which you want to send to a v4 host, through a v6-only network. It
sounds more like tunneling than NAT.
Thanks, marcelo
Thanks,
Yaron
marcelo bagnulo wrote:
Iljitsch van Beijnum escribió:
On 29 mrt 2008, at 11:25, marcelo bagnulo wrote:
So IPSec tunnel mode, even if it is supported in v4NATs seems hard
to support in NAT64, since each of the peers only speack one
IPversion and the inner IP header cannot be changed
But wouldn't most hosts, even if they only have IPv6 connectivity,
usually also support IPv4 in their stack during the transition
period? I can imagine that constrained devices may want to drop
IPv4 support but it's hard to imagine devices that are willing to
run IPsec but are too constrained to support IPv4.
i may agree with the point that v6 only hosts will have an IPv4
stack, but in order to make it work, we not only need to have the v4
stack but also the v4 address, which needs to be present in the
IPSec SA in the IPv4 only hosys (i.e. it is an IPv4 address that
will be known by the peer)
So, if we assume that this is possible, then we are in the dual
stack scenario, then we simply need a tunnel between a dual stack
host and an IPv4 only host, which is not the application scenario
for NAT64 imho
So, the application scenario for NAT64 seems to imply that we cannot
assume IPv4 address available in the ipv6 only host
In summary, i still think that IPSec tunnel case cannot be supported
in NAT64 scenario
It starts to look to me that the IPv6 side in a NAT64 scenario
could possibly do everything that's needed to make IPsec work
through NAT64 the same way it today works through NAT44, with only
minimal cooperation from the NAT box.
i still cannot agree with that
regards, marcelo
GT> So, unless we are talking about IKE/IPSEC that somehow does NOT
cover IP-layer headers,
yes, there seems to be one of such cases, which is IPSec transport
mode the so called telecommuter scenario
Note that IPsec transport mode is rarely used in practice.
Scanned by Check Point Total Security Gateway.
Scanned by Check Point Total Security Gateway.