Iljitsch van Beijnum escribió:
On 29 mrt 2008, at 11:25, marcelo bagnulo wrote:So IPSec tunnel mode, even if it is supported in v4NATs seems hard to support in NAT64, since each of the peers only speack one IPversion and the inner IP header cannot be changedBut wouldn't most hosts, even if they only have IPv6 connectivity, usually also support IPv4 in their stack during the transition period? I can imagine that constrained devices may want to drop IPv4 support but it's hard to imagine devices that are willing to run IPsec but are too constrained to support IPv4.
i may agree with the point that v6 only hosts will have an IPv4 stack, but in order to make it work, we not only need to have the v4 stack but also the v4 address, which needs to be present in the IPSec SA in the IPv4 only hosys (i.e. it is an IPv4 address that will be known by the peer)
So, if we assume that this is possible, then we are in the dual stack scenario, then we simply need a tunnel between a dual stack host and an IPv4 only host, which is not the application scenario for NAT64 imho
So, the application scenario for NAT64 seems to imply that we cannot assume IPv4 address available in the ipv6 only host
In summary, i still think that IPSec tunnel case cannot be supported in NAT64 scenario
It starts to look to me that the IPv6 side in a NAT64 scenario could possibly do everything that's needed to make IPsec work through NAT64 the same way it today works through NAT44, with only minimal cooperation from the NAT box.
i still cannot agree with that regards, marcelo
GT> So, unless we are talking about IKE/IPSEC that somehow does NOT cover IP-layer headers,yes, there seems to be one of such cases, which is IPSec transport mode the so called telecommuter scenarioNote that IPsec transport mode is rarely used in practice.