
NAT64 and IPsec support



Hi,

Another issue that was brought up during the meeting was IPSec support.
I have been reading RFC3948 and I have some questions.
I understand that if transport mode can work through v4 NATs using RFC3948 UDP encapsulation and some other tweaks defined in the RFC, then it is reasonable to expect that the same level of support can be achieved in NAT64. So we could simply add a requirement that NAT64 mechanisms should support the use cases supported by RFC3948.

However, I am not so clear about the tunnel mode.
In tunnel mode, we have two IP headers and the NAT64 will only translate one of them (by default, if we don't do anything special with it). So the problem is that even if the outside IP header is translated with the NAT64 box, the inner header remains in the original IP version, so I am wondering if this doesn't present additional difficulties. The option is to translate both headers, but this again will be different than the IPv4 NAT case, since the inner header in the IPv4 NAT case remains unchanged, while we would be changing it in this case. So I am finding that the tunnel mode wouldn't be so directly supported using the IPv4 NAT traversal techniques for IPSec.

However, I am not an expert on this, so I may get this completely wrong. Any guidance on this would be appreciated.

Regards, marcelo
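
The tunnel-mode concern raised in the message above, as an added example that is not part of the original post: a constructed UDP-encapsulated tunnel-mode packet is passed through an outer-header-only IPv6-to-IPv4 rewrite, and the IP versions of both headers are compared before and after. The prefix `64:ff9b::/96`, the pool address, the SPI and all function names are assumptions for illustration; checksums other than the IPv4 header checksum are left at zero, and the ESP payload is left in the clear so the inner header can be inspected (a real ESP payload is normally encrypted).

```python
import ipaddress
import struct

NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")  # assumed translator prefix
POOL_V4 = ipaddress.ip_address("203.0.113.1")        # assumed NAT64 IPv4 pool address


def ipv6_header(src, dst, next_header, payload_len):
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src.packed + dst.packed


def build_tunnel_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample: IPv6 | UDP 4500 | ESP (payload left in clear) | inner IPv6."""
    inner = ipv6_header(inner_src, inner_dst, 59, 0)           # 59 = no next header
    esp = struct.pack("!II", 0x1000, 1) + inner                # SPI, sequence number
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(esp), 0) + esp  # checksum left at 0
    return ipv6_header(outer_src, outer_dst, 17, len(udp)) + udp


def ipv4_checksum(header):
    total = sum(struct.unpack("!10H", header))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def nat64_translate_outer(pkt):
    """Rewrite only the outer IPv6 header as IPv4, as a header-only translator would."""
    _, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    dst6 = ipaddress.ip_address(pkt[24:40])
    if dst6 not in NAT64_PREFIX:
        raise ValueError("destination is outside the NAT64 prefix")
    dst4 = dst6.packed[12:]                                    # IPv4 address in the low 32 bits
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      hop_limit - 1, next_header, 0, POOL_V4.packed, dst4)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + pkt[40:]                                      # payload copied untouched


def ip_versions(pkt):
    """Return (outer version, inner version) for the constructed layout above."""
    outer = pkt[0] >> 4
    outer_len = 40 if outer == 6 else (pkt[0] & 0x0F) * 4
    inner_offset = outer_len + 8 + 8                           # skip UDP and ESP SPI/sequence
    return outer, pkt[inner_offset] >> 4
```

After translation `ip_versions` reports an IPv4 outer header around an inner header that is still IPv6, which is the mismatch the message describes.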