Re: NAT64 and IPsec support
On 28 Mar 2008, at 20:14, marcelo bagnulo wrote:
> Another issue that was brought up during the meeting was IPSec
> I have been reading RFC3948 and I have some questions.
> I understand that if transport mode can work through v4 NATs using
> RFC3948 UDP encapsulation and some other tweaks defined in the RFC,
> then it is reasonable to expect that the same level of
> support can be achieved in NAT64.
> so we could simply add a requirement that NAT64 mechanisms should
> support the use cases supported by RFC3948.

Ok, this is all easy enough (and should equally apply to both tunnel
and transport mode), except that RFC 3948 doesn't really mention IKE,
which I think needs to be changed to support NAT64 or NAT46. Question
to the IPsec experts: would it be possible to have the updated IKE
implementation on just one end (presumably the v6 end) where the other
end thinks it just sees regular NAT44?

> In tunnel mode, we have two IP headers and the NAT64 will only
> translate one of them (by default, if we don't do anything special
> so, the problem, is that even if the outside IP header is
> translated with the NAT64 box, the inner header remains in the
> original IP version, so I am wondering if this doesn't present
> additional difficulties. The option is to translate both headers

The inner header is encrypted and/or protected by a HMAC so
translating it is not possible. However: there are two possibilities:
1. The inner header is IPv6. In that case, it seems reasonable that
IPv6 could also be used for the outer header so the issue is moot
2. The inner header is IPv4. In that case, no translation is required
so the issue is also moot
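
The point about the inner header, as an added example that is not part of the original message: a constructed tunnel-mode ESP packet whose integrity check covers the inner IP header but not the outer one, so replacing the outer header leaves the check valid while rewriting the inner header breaks it. Assumptions: integrity-only ESP (NULL encryption) with a truncated HMAC-SHA-256 ICV, the RFC 3948 UDP encapsulation layer omitted, and all addresses, the key and the function names made up for the illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 16  # HMAC-SHA-256 output truncated to 128 bits

def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header (checksum left at zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ipv6_header(src, dst, next_header, payload_len):
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def esp_protect(key, spi, seq, inner):
    """Tunnel-mode ESP, NULL encryption: SPI | seq | inner | pad | ICV."""
    pad = bytes(range(1, (-(len(inner) + 2)) % 4 + 1))
    body = struct.pack("!II", spi, seq) + inner + pad + bytes([len(pad), 4])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def esp_verify(key, esp):
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    good = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(good, icv)

def translate_outer(packet6, src4, dst4):
    """Swap the 40-byte outer IPv6 header for IPv4; ESP bytes untouched."""
    esp = packet6[40:]
    return ipv4_header(src4, dst4, 50, len(esp)) + esp

def rewrite_inner_src(esp, new_src4):
    """Change the source address inside the protected inner IPv4 header."""
    off = 8 + 12  # skip SPI+seq, then offset of src address in IPv4 header
    return esp[:off] + ipaddress.IPv4Address(new_src4).packed + esp[off + 4:]

def demo():
    key = b"constructed-demo-key"  # constructed, not a real SA key
    inner = ipv4_header("10.0.0.1", "10.0.0.2", 17, 8) + b"payload!"
    esp = esp_protect(key, 0x1000, 1, inner)
    pkt6 = ipv6_header("2001:db8::1", "2001:db8:64::c000:201", 50, len(esp)) + esp
    pkt4 = translate_outer(pkt6, "198.51.100.7", "192.0.2.1")
    return esp_verify(key, pkt4[20:]), esp_verify(
        key, rewrite_inner_src(pkt4[20:], "10.9.9.9"))

if __name__ == "__main__":
    print(demo())  # (outer translated, inner rewritten)
```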