[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A slightly more detailed analysis Re: NAT64 and IPsec support

To: marcelo bagnulo <marcelo@it.uc3m.es>
Subject: Re: A slightly more detailed analysis Re: NAT64 and IPsec support
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Wed, 2 Apr 2008 17:01:15 +0200
Cc: George Tsirtsis <tsirtsis@googlemail.com>, IPv6 Operations <v6ops@ops.ietf.org>, mcr@sandelman.ca, narten@us.ibm.com, dthaler@microsoft.com
In-reply-to: <47F2573B.3000909@it.uc3m.es>
References: <d3886a520804010246v61801e88o8b44fafcdf094bd1@mail.gmail.com> <47F23BA6.8070802@it.uc3m.es> <d3886a520804010654y2867aaebxc484c1411ab564e@mail.gmail.com> <47F2573B.3000909@it.uc3m.es>

On 1 apr 2008, at 17:39, marcelo bagnulo wrote:

> I think this conclusively renders "IPSEC over NAT64 forunmodified end
> nodes" unrealistic. Any disagrees with that?


Right.

So i am planning to NOT to include a basic requirement abou anyform of
IPSec support wihtout endpoint support, ok?

I agree with that. We can encourage translator builders to look atRFCs 3947 and 3948 (IKE and ESP through NAT, respectively) so they canbe sure they don't break those, but apart from that it looks like thetranslator isn't in the position to help or hurt IPsec support.

GT> No, Marcelo, what I describe above applies to BOTH!. Rememberthat

when you do UDP/IP based NAT traversal, IPSEC applies to whatever you
send OVER the unprotected UDP/IP tunnel. So, on top of UDP/IP you can
run either  transport or tunnel mode IPSEC. Both have problems IMO.

right, i was confused about this, i agree with you

Hm, I think there are several ways to make it work, in addition tocountless ways that can't work. Two examples of the former:


A -- T -- B

A is a host with an IPv6/IPv4 stack but only IPv6 connectivity
T is the translator
B is an IPv4 host

In this case, A pretty much has to act like it has IPv4-behind-NAT andpresent an RFC 1918 address in IKE towards B, and then subsequentlygenerate segments (transport mode) or packets (tunnel mode) that makesense as IPv4, then put those in ESP, UDP and IPv6 and send them to Bthrough the translator. B doesn't have to know about any of this.


A -- T --S -- U -- B

A is a host with an IPv6/IPv4 stack but only IPv6 connectivity
T is the translator in the service provider network
S is a dual stack security gateway that terminates IPsec
U is a translator part of B's network
B is an IPv4 host

In this scenario A can negotiate inner IPv6 headers with S but thismeans both S and A must be updated. The inner packets are thentranslated again for consumption by B.

IPSec MUST be supported but modifications to the endpoints may beneeded.


No, MUST is too strong.

So my question is: is is possible to support IPSec with onlymodifying the v6 side and keeping the v4 side untouched? from youdescription above it seems to me that it would be possible (i guessthat the v4 side needs to implement rfc3948, right?)


I think so, yes. See above.

Follow-Ups:
- Re: A slightly more detailed analysis Re: NAT64 and IPsec support
  - From: "George Tsirtsis" <tsirtsis@googlemail.com>

References:
- A slightly more detailed analysis Re: NAT64 and IPsec support
  - From: "George Tsirtsis" <tsirtsis@googlemail.com>
- Re: A slightly more detailed analysis Re: NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: A slightly more detailed analysis Re: NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>

Prev by Date: Re: A slightly more detailed analysis Re: NAT64 and IPsec support
Next by Date: Re: A slightly more detailed analysis Re: NAT64 and IPsec support
Previous by thread: Re: A slightly more detailed analysis Re: NAT64 and IPsec support
Next by thread: Re: A slightly more detailed analysis Re: NAT64 and IPsec support
Index(es):
- Date
- Thread