[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT64 and IPsec support



Hi Brian,


please see my earlier response to George. This really hinges on the exact functionality assumed on the v6 host. What I don't understand is, once you decrypt IPsec traffic which was originated by a v4 host, you are getting honest-to-God IPv4 packets. There is no magic that will convert encrypted packets from IPv4 to IPv6 in flight. So you need a v4 stack to deal with these packets, it's not just a matter of understanding IPv4 addresses. What am I missing?


Thanks,

    Yaron


Brian E Carpenter wrote:

Yaron,

On 2008-03-31 00:33, Yaron Sheffer wrote:
  
Hi Marcelo,

see my responses inline.

Thanks,
   Yaron

marcelo bagnulo wrote:
    
Hi Yaron,

thank you for your input, see some questions below...

Yaron Sheffer escribió:
      
I think we are bundling several different cases together. I will try
to enumerate the use cases, to clarify the situation a bit:

Case 1: v6-only host to v4-only host.

I don't think any IPsec solution can be crafted here.

        
So, in you opinion, if we have a v6 host communicating with a v4 host
a NAT64 in the middle, then they cannot communicate using IPSec,
neither transport nor tunnel mode directly between them. That includes
doing nor ESP nor AH nor IKE, is that correct?
      
Yes this is correct. A NAT box cannot do anything useful to either IKE
or IPsec unless it has access to the encryption keys, which would not
make sense in our case.
    

It seemed to me when I thought about this a few weeks ago that the
only solution would be a new form of SA specifically designed
to look like an IPv4-only SA but able to be created and checked
by a (suitably modified) IPv6-only host. And of course a similar
variant of IKE would be needed. I don't know if such variants
are possible, and they certainly require the IPv6 host to know the
pair of IPv4 addresses that the IPv4 host is using.

     Brian


Scanned by Check Point Total Security Gateway.