[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT64 and IPsec support

To: Yaron Sheffer <yaronf@checkpoint.com>
Subject: Re: NAT64 and IPsec support
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Mon, 31 Mar 2008 11:27:51 +1300
Cc: marcelo bagnulo <marcelo@it.uc3m.es>, Iljitsch van Beijnum <iljitsch@muada.com>, George Tsirtsis <tsirtsis@googlemail.com>, IPv6 Operations <v6ops@ops.ietf.org>, mcr@sandelman.ca, narten@us.ibm.com, dthaler@microsoft.com
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=message-id:date:from:organization:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=ocH4yf11m0R4lNI5ArBvd3HRESNvIzzxXUKwn6X3kKTSJaDVMeFMIOKNC6Aau0AebmLmYs44DSbSh466e10Ppjd+Vq5Ef4rA55QnRG50MQvqplSrZc7b7EEA4MhCISTRHM76SLXftYKZOhfzQjPaFPjOe2znt/uEReRqCGNHRYQ=
In-reply-to: <47EF7A8F.6050700@checkpoint.com>
Organization: University of Auckland
References: <47ED4397.10108@it.uc3m.es> <5DF0C845-324F-41F8-838C-D92414D8AE7F@muada.com> <d3886a520803290314u49faf7cex440cfa44c24516c9@mail.gmail.com> <47EE191D.4040806@it.uc3m.es> <7A333CA9-EF6F-4D70-B854-A25E0FECBA08@muada.com> <47EE7279.50109@it.uc3m.es> <47EF3683.3030200@checkpoint.com> <47EF5847.7030706@it.uc3m.es> <47EF7A8F.6050700@checkpoint.com>
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)

Yaron,

On 2008-03-31 00:33, Yaron Sheffer wrote:
> Hi Marcelo,
> 
> see my responses inline.
> 
> Thanks,
>    Yaron
> 
> marcelo bagnulo wrote:
>> Hi Yaron,
>>
>> thank you for your input, see some questions below...
>>
>> Yaron Sheffer escribió:
>>> I think we are bundling several different cases together. I will try
>>> to enumerate the use cases, to clarify the situation a bit:
>>>
>>> Case 1: v6-only host to v4-only host.
>>>
>>> I don't think any IPsec solution can be crafted here.
>>>
>> So, in you opinion, if we have a v6 host communicating with a v4 host
>> a NAT64 in the middle, then they cannot communicate using IPSec,
>> neither transport nor tunnel mode directly between them. That includes
>> doing nor ESP nor AH nor IKE, is that correct?
> Yes this is correct. A NAT box cannot do anything useful to either IKE
> or IPsec unless it has access to the encryption keys, which would not
> make sense in our case.

It seemed to me when I thought about this a few weeks ago that the
only solution would be a new form of SA specifically designed
to look like an IPv4-only SA but able to be created and checked
by a (suitably modified) IPv6-only host. And of course a similar
variant of IKE would be needed. I don't know if such variants
are possible, and they certainly require the IPv6 host to know the
pair of IPv4 addresses that the IPv4 host is using.

     Brian

Follow-Ups:
- Re: NAT64 and IPsec support
  - From: Yaron Sheffer <yaronf@checkpoint.com>

References:
- NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: NAT64 and IPsec support
  - From: "George Tsirtsis" <tsirtsis@googlemail.com>
- Re: NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Yaron Sheffer <yaronf@checkpoint.com>
- Re: NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Yaron Sheffer <yaronf@checkpoint.com>

Prev by Date: Re: NAT64 and ICMP
Next by Date: Re: NAT64 and IPsec support
Previous by thread: Re: NAT64 and IPsec support
Next by thread: Re: NAT64 and IPsec support
Index(es):
- Date
- Thread