
Re: NAT64 and IPsec support




GT> But then the NAT64 box is irrelevant.
The only thing we have to make sure for both of these cases is that
NAT64 does not interfere with native IPv4 and native IPv6 traffic.

GT> The only question in my mind that is relevant to the NAT64
discussions, is whether IKE/IPSEC, can work between an IPv6only node
and an IPv4only node.
exactly!

IMHO there is something perverse about expecting
such a thing to work and I would just forget about it.

Well, it seems that people expect that things that work on a regular v4NAT should also work in NAT64, so I would like to see if we can require that.
Some flavors of IPsec do work through v4NATs; see RFC 3948.

GT> Note that in IPv4NAT, one can tunnel over it, meaning that NATv4
is applied only on the (non-secured) tunnel header and the inner
header can be IPSECed with no problems. When the two peers do not
speak the same IP version, however, such an approach does not help
i.e., all IP-layer headers will require translation which will always
break IPSEC

that is exactly my point
So IPsec tunnel mode, even if it is supported in v4NATs, seems hard to support in NAT64, since each of the peers only speaks one IP version and the inner IP header cannot be changed.

GT> So, unless we are talking about IKE/IPSEC that somehow does NOT
cover IP-layer headers,
Yes, there seems to be one such case, which is IPsec transport mode, the so-called telecommuter scenario.

It seems possible to me (with my incredibly limited knowledge of IKE) that this could work.

So my current proposal is to require support for the telecommuter scenario.

Regards, marcelo

I do not think any solution to this exists.
But maybe I am missing something?



Regards
George
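
As an added illustration (not part of the original thread, and not IETF or any project's code), here is a toy Python model of the three cases argued about above: AH transport mode, UDP-encapsulated ESP transport mode as in RFC 3948, and ESP tunnel mode, each pushed through a minimal stateful NAT64 translator. Packets are dicts rather than real wire formats; the HMAC key, SPI, pool mapping, port rewrite and the use of the RFC 6052 well-known prefix 64:ff9b::/96 are all assumptions made for the example.

```python
"""Toy model of the thread's point: header translation breaks AH and tunnel
mode, while UDP-encapsulated ESP transport mode (RFC 3948) survives it.

Constructed example. Packets are plain dicts rather than wire-format bytes,
and "NAT64" is a minimal stateful IPv4->IPv6 translator that embeds the IPv4
source in the RFC 6052 well-known prefix 64:ff9b::/96 (an assumed config).
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"        # constructed; real SAs take keys from IKE
NAT64_PREFIX = int(ipaddress.IPv6Address("64:ff9b::"))
SPI, SEQ = 0x1001, 1                 # constructed SA parameters
ICV_LEN = 16


def _mac(*parts):
    """HMAC-SHA-256-128 (RFC 4868): HMAC-SHA256 truncated to 128 bits."""
    return hmac.new(KEY, b"".join(parts), hashlib.sha256).digest()[:ICV_LEN]


def _packed(addr):
    return ipaddress.ip_address(addr).packed


def _ah_input(pkt):
    # AH (RFC 4302) authenticates the immutable IP header fields: version,
    # addresses and next header; mutable ones such as TTL are treated as zero.
    return (bytes([pkt["v"]]), _packed(pkt["src"]), _packed(pkt["dst"]),
            pkt["next"].encode(), struct.pack("!II", SPI, SEQ), pkt["data"])


def ah_protect(pkt):
    out = dict(pkt, proto="ah", next=pkt["proto"])
    out["icv"] = _mac(*_ah_input(out))
    return out


def ah_verify(pkt):
    return pkt["proto"] == "ah" and hmac.compare_digest(_mac(*_ah_input(pkt)), pkt["icv"])


def esp_udp_protect(pkt):
    """ESP transport mode with NULL encryption (RFC 2410) and HMAC integrity,
    carried in UDP port 4500 as in RFC 3948. The ICV covers only the ESP
    header, payload and trailer, never the outer IP header or UDP ports."""
    body = struct.pack("!II", SPI, SEQ) + pkt["data"] + pkt["proto"].encode()
    return dict(pkt, proto="udp", sport=4500, dport=4500, data=body + _mac(body))


def esp_udp_verify(pkt):
    if pkt["proto"] != "udp" or pkt["dport"] != 4500:
        return False
    body, icv = pkt["data"][:-ICV_LEN], pkt["data"][-ICV_LEN:]
    return hmac.compare_digest(_mac(body), icv)


def esp_tunnel_protect(pkt):
    """Tunnel mode: the whole original packet, header included, becomes the
    ESP payload, so a translator on the path cannot see or rewrite it."""
    inner = bytes([pkt["v"]]) + _packed(pkt["src"]) + _packed(pkt["dst"]) + pkt["data"]
    body = struct.pack("!II", SPI, SEQ) + inner
    return dict(pkt, proto="esp", data=body + _mac(body))


def esp_tunnel_inner_version(pkt):
    """What a tunnel-mode receiver finds after decapsulation: the IP version
    of the inner packet, untouched by any translator on the path."""
    body, icv = pkt["data"][:-ICV_LEN], pkt["data"][-ICV_LEN:]
    if not hmac.compare_digest(_mac(body), icv):
        return None
    return body[8]   # 4 bytes SPI + 4 bytes SEQ, then the inner version byte


def nat64_v4_to_v6(pkt, pool_map, port_map):
    """IPv4 -> IPv6 leg of a stateful translator: the IPv4 destination is a
    pool address mapped to the real IPv6 host, the IPv4 source is embedded in
    the well-known prefix, and, like any NAPT, UDP source ports may be
    rewritten. TTL becomes hop limit and is decremented."""
    src6 = ipaddress.IPv6Address(NAT64_PREFIX | int(ipaddress.IPv4Address(pkt["src"])))
    out = dict(pkt, v=6, src=str(src6), dst=pool_map[pkt["dst"]], ttl=pkt["ttl"] - 1)
    if pkt["proto"] == "udp":
        out["sport"] = port_map.get(pkt["sport"], pkt["sport"])
    return out


def demo():
    pool_map = {"192.0.2.1": "2001:db8::1"}   # constructed: pool address -> IPv6 host
    port_map = {4500: 61000}                  # constructed NAPT port rewrite
    plain = dict(v=4, src="192.0.2.10", dst="192.0.2.1", ttl=64, proto="tcp",
                 data=b"GET / HTTP/1.0\r\n")
    ah, esp, tun = ah_protect(plain), esp_udp_protect(plain), esp_tunnel_protect(plain)
    return {
        "ah_before_nat64": ah_verify(ah),
        "ah_after_nat64": ah_verify(nat64_v4_to_v6(ah, pool_map, port_map)),
        "esp_udp_before_nat64": esp_udp_verify(esp),
        "esp_udp_after_nat64": esp_udp_verify(nat64_v4_to_v6(esp, pool_map, port_map)),
        "tunnel_inner_version_seen_by_v6_host":
            esp_tunnel_inner_version(nat64_v4_to_v6(tun, pool_map, port_map)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The outcome is the one the thread argues for: the AH check fails once the header is translated, because the ICV covered the IPv4 version and addresses; the UDP-encapsulated ESP check still passes after both the address rewrite and the source-port rewrite, because its ICV never covered the outer header or the UDP ports; and tunnel mode hands the IPv6-only host an inner packet whose version byte is still 4, which is the case the thread says no translator can repair. The TCP checksum inside the ESP payload, which RFC 3948 tells the receiving end to fix up, is deliberately not modelled here.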