[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT64 and IPsec support

To: Yaron Sheffer <yaronf@checkpoint.com>
Subject: Re: NAT64 and IPsec support
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Mon, 31 Mar 2008 14:59:57 +0200
Cc: marcelo bagnulo <marcelo@it.uc3m.es>, George Tsirtsis <tsirtsis@googlemail.com>, IPv6 Operations <v6ops@ops.ietf.org>, mcr@sandelman.ca, narten@us.ibm.com, dthaler@microsoft.com
In-reply-to: <47EF7A8F.6050700@checkpoint.com>
References: <47ED4397.10108@it.uc3m.es> <5DF0C845-324F-41F8-838C-D92414D8AE7F@muada.com> <d3886a520803290314u49faf7cex440cfa44c24516c9@mail.gmail.com> <47EE191D.4040806@it.uc3m.es> <7A333CA9-EF6F-4D70-B854-A25E0FECBA08@muada.com> <47EE7279.50109@it.uc3m.es> <47EF3683.3030200@checkpoint.com> <47EF5847.7030706@it.uc3m.es> <47EF7A8F.6050700@checkpoint.com>

On 30 mrt 2008, at 13:33, Yaron Sheffer wrote:

In this case you could envision NAT64 happening on the host (!)which creates an IPv4-IPsec tunnel with its peer, encapsulates itin UDP and sends it into the IPv6 network.

right, but this not only requires v4 stack in the v6only node(which would be ok, since as you say it seems this will be a commoncase for a while) but it also requires to provision a valid IPv4address to the v6 only node and that address is not purely local,since it will be the v4 address the v4 only node has in its IPSecSA, right?So, even i agree this is possible i am not sure this is sointeresting

Actually we commonly provision such addresses to IPv4 clients today,*inside* the IPsec tunnel. They are known as "Tunnel Inner Address(TIA)". But I think I got this case wrong: you end up with a v4packet, which you want to send to a v4 host, through a v6-onlynetwork. It sounds more like tunneling than NAT.

What you have here is IPv4 packets that you tunnel, where one tunnelendpoint is IPv4 and the other is IPv6. So this requires translationof the outer header, bringing us back into NAT-PT territory.

If IKE NAT traversal (RFC 3947) is supported on the v4 side the v6side can create a fake private IPv4 address and signal this as its"real" address and everything should work. Basically, in this case thev6 host needs to act like an IPv4 host. This isn't entirely trivialbut I don't see any reason why it couldn't be done if IPsec over NAT-PT is desired over IPsec over IPv6.

Follow-Ups:
- Re: NAT64 and IPsec support
  - From: "George Tsirtsis" <tsirtsis@googlemail.com>

References:
- NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: NAT64 and IPsec support
  - From: "George Tsirtsis" <tsirtsis@googlemail.com>
- Re: NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Yaron Sheffer <yaronf@checkpoint.com>
- Re: NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Yaron Sheffer <yaronf@checkpoint.com>

Prev by Date: Re: Support for other protocols
Next by Date: Re: NAT64 and IPsec support
Previous by thread: Re: NAT64 and IPsec support
Next by thread: Re: NAT64 and IPsec support
Index(es):
- Date
- Thread