[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

A slightly more detailed analysis Re: NAT64 and IPsec support



Marcelo et.al.,

So, I looked into this in a bit more detail. Admittedly I am not a
security expert but I do not think you have to be one to figure this
out at least to some level.

- First in terms of unmodified end nodes:

RFC2765 (SIIT) claims that ESP Transport mode can work over it. This
appears to be true given the fact that ESP Transport mode as defined
in RFC4303 only covers the headers following the ESP header; see
diagrams in pages 18/19 of RFC4303.

Note, however, that while ESP Transport mode does not cover IP
headers, it does cover Transport and higher headers, so it is NOT
possible to perform port translation or to do an ALG processing. So
SIIT assumes that NO port translation is going on and each IPv6 only
node is using all the ports of each IPv4 address available to the SIIT
box. This requires as a minimum, one IPv4 address for each IPv6 end
node in a concurrent communication session, and it is the reason why
NAT-PT had to also exist.

I think this conclusively renders "IPSEC over NAT64 for unmodified end
nodes" unrealistic. Any disagrees with that?

- Now about modified end nodes:

As we discussed before RFC3948 works based on UDP encapsulation which
has become the default v4NAT traversal technique. The premise for this
type of solution is that by encapsulating the traffic we can limit the
effects of translation to the encapsulation header, leaving the inner
header untouched. I think this is not sufficient when IPv6-only nodes
interact with IPv4-only nodes since no matter what encapsulation we do
in the end there is no way for the two peers to form IP headers of the
same version and use them as untouched inner headers.

This seems like a dead-end but there is an avenue some people seem to
want to explore. This would require one of the peers (presumably the
IPv6-only side) to be able to put together an IPv4 header and apply
ESP style encapsulation, even if it does not run a full IPv4 stack.
In this case, at least in theory, the two peers can then form a
session based on the same version of IP. I think then there are two
possibilities to explore:

1) An IPv6 tunnel is created between the IPv6-only end node and the
NAT64 box. The IPv4 session is then encapsulated over it and it is
protected by IPSEC as required. This means that the IPv6 end node
knows the external IPv4 address of NAT64 box and the port number to
use.

2) A UDP/IP tunnel is created end to end ala RFC3968. Of course this
means that the IPv6-only node does UDP/IPv6, which is then translated
to UDP/IPv4 by NAT64. The IPv4 session is then encapsulated over it
and it is protected by IPSEC as required. This means that the source
IPv4 address and port numbers used by the IPv6-only node in the inner
headers will have to be valid and non-overlapping at the IPv4-only
side too.

In both of the above cases IKEv2 will still have to be looked at and
see if there is any hope of making that work over NAT64. Making this
work for incoming communication is of course even harder. In general,
both options present serious challenges which if they are overcome
something resembling end to end IPSEC could in theory emerge.

My personal opinion, for whatever it is worth, is that this is not a
good road to go down, but maybe defining something like this in more
detail to see how awful it really is, is still useful. We can always
discard it later.

Maybe there are also other alternatives I am missing here in which
case it would be nice to hear about them.

Regards
George


On Fri, Mar 28, 2008 at 8:14 PM, marcelo bagnulo <marcelo@it.uc3m.es> wrote:
> Hi,
>
>  Another issue that was brought up during the meeting was IPSec support.
>  I have been reading RFC3948 and i have some questions.
>  I understand that if transport mode can work through v4 NATs using
>  RFC3948 UDP encapsulation and soem other tweaks defined in the RFC, then
>  it is reasonable to expect that the same level of support of support can
>  be achieved in NAT64.
>  so we could simply add a requirement that NAT64 mechanisms should
>  support the use cases supported by RFC3948.
>
>  However, i am not so clear about the tunnel mode.
>  In tunnel mode, we have two IP headers and the NAT64 will only translate
>  one of them (by default, if we don't do anything special with it).
>  so, the problem, is that even if the outside IP  header is translated
>  with the NAT64 box, the inner header remains in the original IP version,
>  so i am wondering if this doesn't present additionla difficulties. The
>  option is to translate both headers, but this again will be different
>  than the IPv4 NAT case, since the inner header in the IPv4 NAT case
>  remains unchanged, while we would be changing it in this case. So i am
>  finding that the tunnel mode wouldn't be so directly supported using the
>  IPv4 NAT traversal techniques for IPSec.
>
>  However, i am not an expert on this, so i may get this completelly
>  wrong. any guidance on this would be appreciated
>
>  Regards, marcelo
>
>
>