[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT64 and IPsec support



Yaron,

On 2008-03-31 00:33, Yaron Sheffer wrote:
> Hi Marcelo,
> 
> see my responses inline.
> 
> Thanks,
>    Yaron
> 
> marcelo bagnulo wrote:
>> Hi Yaron,
>>
>> thank you for your input, see some questions below...
>>
>> Yaron Sheffer escribió:
>>> I think we are bundling several different cases together. I will try
>>> to enumerate the use cases, to clarify the situation a bit:
>>>
>>> Case 1: v6-only host to v4-only host.
>>>
>>> I don't think any IPsec solution can be crafted here.
>>>
>> So, in you opinion, if we have a v6 host communicating with a v4 host
>> a NAT64 in the middle, then they cannot communicate using IPSec,
>> neither transport nor tunnel mode directly between them. That includes
>> doing nor ESP nor AH nor IKE, is that correct?
> Yes this is correct. A NAT box cannot do anything useful to either IKE
> or IPsec unless it has access to the encryption keys, which would not
> make sense in our case.

It seemed to me when I thought about this a few weeks ago that the
only solution would be a new form of SA specifically designed
to look like an IPv4-only SA but able to be created and checked
by a (suitably modified) IPv6-only host. And of course a similar
variant of IKE would be needed. I don't know if such variants
are possible, and they certainly require the IPv6 host to know the
pair of IPv4 addresses that the IPv4 host is using.

     Brian