[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NAT64 and IPsec support
On 2008-04-01 05:43, Yaron Sheffer wrote:
> Hi Brian,
>
>
> please see my earlier response to George. This really hinges on the
> exact functionality assumed on the v6 host. What I don't understand is,
> once you decrypt IPsec traffic which was originated by a v4 host, you
> are getting honest-to-God IPv4 packets. There is no magic that will
> convert encrypted packets from IPv4 to IPv6 in flight. So you need a v4
> stack to deal with these packets, it's not just a matter of
> understanding IPv4 addresses. What am I missing?
I don't think you're missing much, although I was suggesting that
by redesigning both IPsec and IKE we might find a mixed-mode
solution.
However, there is certainly an alternative to the whole NAT-PT
line of attack, which is to say that the solution is
a) all IPv6 hosts MUST be dual-stack
b) when connectivity to legacy IPv4 is required, and the host
is on an IPv6-only network, it MUST use an IPv4-in-IPv6 tunnel
c) which MAY be terminated by an IPv4 NAT, so that
the lack of IPv4 addresses is not an issue.
SOFTWIRE+BEHAVE
Brian
>
>
> Thanks,
>
> Yaron
>
>
> Brian E Carpenter wrote:
>
>> Yaron,
>>
>> On 2008-03-31 00:33, Yaron Sheffer wrote:
>>
>>> Hi Marcelo,
>>>
>>> see my responses inline.
>>>
>>> Thanks,
>>> Yaron
>>>
>>> marcelo bagnulo wrote:
>>>
>>>> Hi Yaron,
>>>>
>>>> thank you for your input, see some questions below...
>>>>
>>>> Yaron Sheffer escribió:
>>>>
>>>>> I think we are bundling several different cases together. I will try
>>>>> to enumerate the use cases, to clarify the situation a bit:
>>>>>
>>>>> Case 1: v6-only host to v4-only host.
>>>>>
>>>>> I don't think any IPsec solution can be crafted here.
>>>>>
>>>>>
>>>> So, in you opinion, if we have a v6 host communicating with a v4 host
>>>> a NAT64 in the middle, then they cannot communicate using IPSec,
>>>> neither transport nor tunnel mode directly between them. That includes
>>>> doing nor ESP nor AH nor IKE, is that correct?
>>>>
>>> Yes this is correct. A NAT box cannot do anything useful to either IKE
>>> or IPsec unless it has access to the encryption keys, which would not
>>> make sense in our case.
>>>
>>
>> It seemed to me when I thought about this a few weeks ago that the
>> only solution would be a new form of SA specifically designed
>> to look like an IPv4-only SA but able to be created and checked
>> by a (suitably modified) IPv6-only host. And of course a similar
>> variant of IKE would be needed. I don't know if such variants
>> are possible, and they certainly require the IPv6 host to know the
>> pair of IPv4 addresses that the IPv4 host is using.
>>
>> Brian
>>
>>
>> Scanned by Check Point Total Security Gateway.
>>
>>
>