I don't think you're missing much, although I was suggesting that by redesigning both IPsec and IKE we might find a mixed-mode solution. However, there is certainly an alternative to the whole NAT-PT line of attack, which is to say that the solution is a) all IPv6 hosts MUST be dual-stack b) when connectivity to legacy IPv4 is required, and the host is on an IPv6-only network, it MUST use an IPv4-in-IPv6 tunnel c) which MAY be terminated by an IPv4 NAT, so that the lack of IPv4 addresses is not an issue.
=> But that's effectively where we are now. I take the above as a suggestion to scrap the NAT-PT work. I'm at a bit of a loss as to why we scrapped NAT-PT and why we're doing a 180 on this decision. Personally, I'm fine with doing the NAT-PT work and leaving it up to deployments to decide whether it's needed. While I do agree that almost all hosts running v6 will also run v4, I don't think that every deployment will have enough IPv4 public or private addresses. So I think there may be a need for NAPT-PT in the market.
Hesham
SOFTWIRE+BEHAVE

Thanks,
Yaron

Brian E Carpenter wrote:
> Yaron,
>
> On 2008-03-31 00:33, Yaron Sheffer wrote:
>> Hi Marcelo, see my responses inline.
>>
>> Thanks,
>> Yaron
>>
>> marcelo bagnulo wrote:
>>> Hi Yaron, thank you for your input, see some questions below...
>>>
>>> Yaron Sheffer escribió:
>>>> I think we are bundling several different cases together. I will try
>>>> to enumerate the use cases, to clarify the situation a bit:
>>>>
>>>> Case 1: v6-only host to v4-only host. I don't think any IPsec
>>>> solution can be crafted here.
>>>
>>> So, in your opinion, if we have a v6 host communicating with a v4 host
>>> with a NAT64 in the middle, then they cannot communicate using IPSec,
>>> neither transport nor tunnel mode directly between them. That includes
>>> doing neither ESP nor AH nor IKE, is that correct?
>>
>> Yes this is correct. A NAT box cannot do anything useful to either IKE
>> or IPsec unless it has access to the encryption keys, which would not
>> make sense in our case.
>
> It seemed to me when I thought about this a few weeks ago that the only
> solution would be a new form of SA specifically designed to look like an
> IPv4-only SA but able to be created and checked by a (suitably modified)
> IPv6-only host. And of course a similar variant of IKE would be needed.
> I don't know if such variants are possible, and they certainly require
> the IPv6 host to know the pair of IPv4 addresses that the IPv4 host is
> using.
>
> Brian
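The data-plane half of the argument above (a translator cannot do anything useful to an IPsec-protected segment without the keys, and the v6 host would have to know the v4 address pair to make it work) can be shown with a small simulation. This is an added example written for this page, not code from the thread or from any of the participants. It assumes ESP-NULL (RFC 2410) transport mode with a truncated HMAC-SHA256 ICV, a constructed integrity key, and constructed addresses (a 64:ff9b::/96 mapping for the v4 peer and a v4 pool address for the v6 host); real IPsec ciphers and the IKE negotiation are left out. The point it demonstrates is that the TCP checksum is computed over a pseudo-header containing the IP addresses, so a NAT64 that swaps the IPv6 header for an IPv4 header either leaves a segment whose checksum fails at the v4 host, or rewrites the checksum and breaks the ICV it cannot recompute.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample key and addresses (assumptions for this example, not from the thread).
INTEGRITY_KEY = b"example-esp-integrity-key"
ICV_LEN = 16
V6_SRC = ipaddress.IPv6Address("2001:db8::10")             # IPv6-only host
V6_DST = ipaddress.IPv6Address("64:ff9b::192.0.2.1")       # v4 peer as seen through the NAT64 prefix
V4_SRC = ipaddress.IPv4Address("198.51.100.7")             # v4 pool address the NAT64 assigns to the v6 host
V4_DST = ipaddress.IPv4Address("192.0.2.1")                # IPv4-only host


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum as used by TCP/UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(pseudo_header: bytes, segment: bytes) -> int:
    # Returns 0 when a segment with its checksum filled in verifies against pseudo_header.
    return (~ones_complement_sum(pseudo_header + segment)) & 0xFFFF


def v6_pseudo_header(src, dst, length: int, next_header: int = 6) -> bytes:
    return src.packed + dst.packed + struct.pack("!I", length) + b"\x00\x00\x00" + bytes([next_header])


def v4_pseudo_header(src, dst, length: int, protocol: int = 6) -> bytes:
    return src.packed + dst.packed + b"\x00" + bytes([protocol]) + struct.pack("!H", length)


def build_tcp_segment(src, dst, pseudo_header_fn, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header + payload, checksummed over the given pseudo-header."""
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(pseudo_header_fn(src, dst, len(segment)), segment) or 0xFFFF
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def esp_null_protect(spi: int, seq: int, segment: bytes, key: bytes) -> bytes:
    """ESP transport mode with NULL encryption: header, cleartext segment, trailer, ICV."""
    body = struct.pack("!II", spi, seq) + segment + bytes([0, 6])  # pad length 0, next header TCP
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_null_verify(packet: bytes, key: bytes):
    """Returns the inner segment, or None if the ICV does not verify."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN], icv):
        return None
    pad_len = body[-2]
    return body[8:len(body) - 2 - pad_len]


def nat64_rewrite_checksum(packet: bytes) -> bytes:
    """Hypothetical 'helpful' NAT64 that patches the inner TCP checksum for the v4 pseudo-header.
    It does not hold INTEGRITY_KEY, so the existing ICV is copied through unchanged."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    pad_len = body[-2]
    end = len(body) - 2 - pad_len
    segment = bytearray(body[8:end])
    segment[16:18] = b"\x00\x00"
    csum = tcp_checksum(v4_pseudo_header(V4_SRC, V4_DST, len(segment)), bytes(segment)) or 0xFFFF
    segment[16:18] = struct.pack("!H", csum)
    return body[:8] + bytes(segment) + body[end:] + icv


def v4_receiver(src, dst, packet: bytes):
    """What the IPv4-only host sees: (ICV ok?, TCP checksum ok against the v4 pseudo-header?)."""
    segment = esp_null_verify(packet, INTEGRITY_KEY)
    if segment is None:
        return (False, None)
    return (True, tcp_checksum(v4_pseudo_header(src, dst, len(segment)), segment) == 0)


def run_cases() -> dict:
    payload = b"GET / HTTP/1.1\r\n\r\n"  # constructed sample data
    # A: v6 host checksums against its v6 pseudo-header; NAT64 swaps the outer header and passes ESP through.
    pkt = esp_null_protect(0x1000, 1, build_tcp_segment(V6_SRC, V6_DST, v6_pseudo_header, payload), INTEGRITY_KEY)
    # B: same packet, but the NAT64 tries to fix the inner checksum.
    # C: v6 host knows the v4 address pair (Brian's point) and checksums against the v4 pseudo-header.
    pkt_v4aware = esp_null_protect(0x1000, 2, build_tcp_segment(V4_SRC, V4_DST, v4_pseudo_header, payload), INTEGRITY_KEY)
    return {
        "passthrough": v4_receiver(V4_SRC, V4_DST, pkt),                     # (True, False)
        "nat_rewrites": v4_receiver(V4_SRC, V4_DST, nat64_rewrite_checksum(pkt)),  # (False, None)
        "v4_aware_sender": v4_receiver(V4_SRC, V4_DST, pkt_v4aware),         # (True, True)
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```

The third case only covers the data plane: for the v4 host to accept the SA at all, the IKE exchange would also have to carry the IPv4 address pair in its identities and traffic selectors, which is the "similar variant of IKE" Brian mentions. AH is worse than ESP here, since its ICV covers the IP header itself and so fails the moment the translator replaces an IPv6 header with an IPv4 one, regardless of what the endpoints know.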