
Re: NAT64 and IPsec support




I agree that the market will decide in the end, and
personally I like the dual stack plus tunnel approach,
but we hear from the operational community that
IPv6-only nodes without dual stack need to be handled.
So, we are trying to deal with that.

However, I think we are pretty close to concluding
that a NAT64 solution can never support IPsec.

=> Agreed.

Hesham



   Brian


On 2008-04-01 16:16, Hesham Soliman wrote:

I don't think you're missing much, although I was suggesting that
by redesigning both IPsec and IKE we might find a mixed-mode
solution.

However, there is certainly an alternative to the whole NAT-PT
line of attack, which is to say that the solution is
a) all IPv6 hosts MUST be dual-stack
b) when connectivity to legacy IPv4 is required, and the host
is on an IPv6-only network, it MUST use an IPv4-in-IPv6 tunnel
c) which MAY be terminated by an IPv4 NAT, so that
the lack of IPv4 addresses is not an issue.

=> But that's effectively where we are now. I take the above as a
suggestion to scrap the NAT-PT work.
I'm at a bit of a loss as to why we scrapped NAT-PT and why we're doing
a 180 on this decision.
Personally, I'm fine with doing the NAT-PT work and leaving it up to
deployments to decide whether it's needed.
While I do agree that almost all hosts running v6 will also run v4, I
don't think that every deployment will have enough IPv4
public or private addresses. So I think there may be a need for NAPT-PT
in the market.

Hesham



SOFTWIRE+BEHAVE

  Brian


Thanks,

 Yaron


Brian E Carpenter wrote:

Yaron,

On 2008-03-31 00:33, Yaron Sheffer wrote:

Hi Marcelo,

see my responses inline.

Thanks,
 Yaron

marcelo bagnulo wrote:

Hi Yaron,

thank you for your input, see some questions below...

Yaron Sheffer wrote:

I think we are bundling several different cases together. I will try
to enumerate the use cases, to clarify the situation a bit:

Case 1: v6-only host to v4-only host.

I don't think any IPsec solution can be crafted here.


So, in your opinion, if we have a v6 host communicating with a v4 host
with a NAT64 in the middle, then they cannot communicate using IPsec,
neither in transport nor tunnel mode directly between them. That
includes ESP, AH and IKE; is that correct?

Yes, this is correct. A NAT box cannot do anything useful to either IKE
or IPsec unless it has access to the encryption keys, which would not
make sense in our case.


It seemed to me when I thought about this a few weeks ago that the
only solution would be a new form of SA specifically designed
to look like an IPv4-only SA but able to be created and checked
by a (suitably modified) IPv6-only host. And of course a similar
variant of IKE would be needed. I don't know if such variants
are possible, and they certainly require the IPv6 host to know the
pair of IPv4 addresses that the IPv4 host is using.

   Brian


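The point Yaron and Brian make above (a translator without the keys can do nothing useful to IPsec) can be shown concretely. The following is an added example written for this page, not code from any participant in the thread and not a real NAT64 or IPsec implementation. It uses only the Python standard library: the "ESP" and "AH" are deliberately simplified stand-ins (an HMAC-SHA256 keystream for confidentiality and a truncated HMAC as ICV), the addresses (2001:db8::1, 192.0.2.1, a constructed pool address 192.0.2.10) and payload are constructed, and the shared key is assumed to be held by the two endpoints only. The toy NAT64 data path copies the ESP bytes verbatim under a new IPv4 header, as a stateful translator would. It goes slightly beyond the thread by showing three separate failure points at once: the inner TCP checksum, which ESP encrypts, was computed over the IPv6 pseudo-header and no longer matches under IPv4 addresses; the translator cannot patch that without the key because any edit breaks the ICV; and an AH-style ICV bound to the IPv6 header fails outright once the header is translated.

```python
"""Toy model of why an address-family translator (NAT64) cannot help IPsec.

Added example for the thread above; not code from any participant and not
RFC 4302/4303. Keys, addresses and payload are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Optional

SHARED_KEY = b"constructed-key-held-by-the-two-endpoints-only"  # assumption
SPI = 0x10000001  # constructed SPI
TCP = 6
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known prefix


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, length: int, proto: int = TCP) -> bytes:
    """The transport pseudo-header is address-family specific: 12 bytes for
    IPv4 (RFC 793), 40 bytes for IPv6 (RFC 8200)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4:
        return s.packed + d.packed + struct.pack("!BBH", 0, proto, length)
    return s.packed + d.packed + struct.pack("!IBBBB", length, 0, 0, 0, proto)


def tcp_segment(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal TCP header (40000 -> 443, checksum at offset 16) plus payload,
    with the checksum computed over the sender's pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = ones_complement_sum(pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    """Receiver-side check: recompute with the addresses the receiver sees."""
    (stored,) = struct.unpack("!H", seg[16:18])
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    return ones_complement_sum(pseudo_header(src, dst, len(seg)) + zeroed) == stored


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Stand-in only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """spi || seq || ciphertext || ICV over (spi, seq, ciphertext). Toy ESP."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, SPI, seq, len(plaintext))))
    body = struct.pack("!II", SPI, seq) + ct
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


def esp_decapsulate(key: bytes, packet: bytes) -> Optional[bytes]:
    """Returns the inner plaintext, or None if the ICV does not verify."""
    body, icv = packet[:-16], packet[-16:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:16], icv):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    ct = body[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, spi, seq, len(ct))))


def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Toy AH: ICV bound to the (immutable) source/destination IP fields."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return hmac.new(key, s.packed + d.packed + payload, hashlib.sha256).digest()[:16]


def nat64_translate(src6: str, dst6: str, payload: bytes):
    """Stateful NAT64 data path, simplified: the v6 source maps to a pool
    address, the v4 destination is extracted from the embedded address, and
    the payload is copied verbatim (the translator holds no IPsec key)."""
    pool4 = "192.0.2.10"  # constructed pool address for this session
    d6 = ipaddress.IPv6Address(dst6)
    assert d6 in NAT64_PREFIX, "destination must be an IPv4-embedded address"
    return pool4, str(ipaddress.IPv4Address(d6.packed[12:])), payload


def demo() -> Dict[str, bool]:
    host6, host4 = "2001:db8::1", "192.0.2.1"
    dst6 = str(ipaddress.IPv6Address(int(NAT64_PREFIX.network_address)
                                     | int(ipaddress.IPv4Address(host4))))
    seg = tcp_segment(host6, dst6, b"GET / HTTP/1.0\r\n\r\n")  # constructed payload
    esp = esp_encapsulate(SHARED_KEY, 1, seg)
    src4, dst4, esp_after = nat64_translate(host6, dst6, esp)

    inner = esp_decapsulate(SHARED_KEY, esp_after)        # ICV fine: bytes untouched
    tampered = bytearray(esp_after)
    tampered[24] ^= 0x01                                  # translator "fixes" ciphertext
    return {
        "inner_tcp_checksum_ok_end_to_end": tcp_checksum_ok(host6, dst6, seg),
        "esp_icv_ok_after_nat64": inner is not None,
        "inner_tcp_checksum_ok_after_nat64": tcp_checksum_ok(src4, dst4, inner),
        "esp_icv_ok_after_translator_edit": esp_decapsulate(SHARED_KEY, bytes(tampered)) is not None,
        "ah_icv_ok_after_nat64": hmac.compare_digest(
            ah_icv(SHARED_KEY, host6, dst6, seg), ah_icv(SHARED_KEY, src4, dst4, seg)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The v4 host decrypts the ESP payload successfully, so the translator did its job at the IP layer, yet the TCP checksum inside fails because it was computed over a 40-byte IPv6 pseudo-header and is now checked against a 12-byte IPv4 one. In the IPv4 NAT case this is what NAT-T (UDP encapsulation) works around by having the receiver fix up the checksum; across an address-family change the receiver would additionally have to know the original IPv6 addresses, which is the "pair of addresses" problem Brian raises for any redesigned SA.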