[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT64 and IPsec support

To: Yaron Sheffer <yaronf@checkpoint.com>
Subject: Re: NAT64 and IPsec support
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Tue, 01 Apr 2008 15:32:33 +1300
Cc: marcelo bagnulo <marcelo@it.uc3m.es>, Iljitsch van Beijnum <iljitsch@muada.com>, George Tsirtsis <tsirtsis@googlemail.com>, IPv6 Operations <v6ops@ops.ietf.org>, mcr@sandelman.ca, narten@us.ibm.com, dthaler@microsoft.com
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=message-id:date:from:organization:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=iFsj2k6vEnjXs/OiO64b14Q9DTE66SVwdezqljaBkRyUcD8Nnamz+2xVs7/x9+h0kwlAyx/f7ybJOQmt5ncPSXnDmWRkHf5Oe2vkuKMSd7Nkqaz6KeRk3YQeIuwbGSN6zJ81qrD/h21SOUFygnXxFzovYtI3RmfaD40ANQAeOHo=
In-reply-to: <47F1149F.6070401@checkpoint.com>
Organization: University of Auckland
References: <47ED4397.10108@it.uc3m.es> <5DF0C845-324F-41F8-838C-D92414D8AE7F@muada.com> <d3886a520803290314u49faf7cex440cfa44c24516c9@mail.gmail.com> <47EE191D.4040806@it.uc3m.es> <7A333CA9-EF6F-4D70-B854-A25E0FECBA08@muada.com> <47EE7279.50109@it.uc3m.es> <47EF3683.3030200@checkpoint.com> <47EF5847.7030706@it.uc3m.es> <47EF7A8F.6050700@checkpoint.com> <47F013E7.6040909@gmail.com> <47F1149F.6070401@checkpoint.com>
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)

On 2008-04-01 05:43, Yaron Sheffer wrote:
> Hi Brian,
> 
> 
> please see my earlier response to George. This really hinges on the
> exact functionality assumed on the v6 host. What I don't understand is,
> once you decrypt IPsec traffic which was originated by a v4 host, you
> are getting honest-to-God IPv4 packets. There is no magic that will
> convert encrypted packets from IPv4 to IPv6 in flight. So you need a v4
> stack to deal with these packets, it's not just a matter of
> understanding IPv4 addresses. What am I missing?

I don't think you're missing much, although I was suggesting that
by redesigning both IPsec and IKE we might find a mixed-mode
solution.

However, there is certainly an alternative to the whole NAT-PT
line of attack, which is to say that the solution is
a) all IPv6 hosts MUST be dual-stack
b) when connectivity to legacy IPv4 is required, and the host
is on an IPv6-only network, it MUST use an IPv4-in-IPv6 tunnel
c) which MAY be terminated by an IPv4 NAT, so that
the lack of IPv4 addresses is not an issue.

SOFTWIRE+BEHAVE

    Brian
> 
> 
> Thanks,
> 
>    Yaron
> 
> 
> Brian E Carpenter wrote:
> 
>> Yaron,
>>
>> On 2008-03-31 00:33, Yaron Sheffer wrote:
>>  
>>> Hi Marcelo,
>>>
>>> see my responses inline.
>>>
>>> Thanks,
>>>    Yaron
>>>
>>> marcelo bagnulo wrote:
>>>    
>>>> Hi Yaron,
>>>>
>>>> thank you for your input, see some questions below...
>>>>
>>>> Yaron Sheffer escribió:
>>>>      
>>>>> I think we are bundling several different cases together. I will try
>>>>> to enumerate the use cases, to clarify the situation a bit:
>>>>>
>>>>> Case 1: v6-only host to v4-only host.
>>>>>
>>>>> I don't think any IPsec solution can be crafted here.
>>>>>
>>>>>         
>>>> So, in you opinion, if we have a v6 host communicating with a v4 host
>>>> a NAT64 in the middle, then they cannot communicate using IPSec,
>>>> neither transport nor tunnel mode directly between them. That includes
>>>> doing nor ESP nor AH nor IKE, is that correct?
>>>>       
>>> Yes this is correct. A NAT box cannot do anything useful to either IKE
>>> or IPsec unless it has access to the encryption keys, which would not
>>> make sense in our case.
>>>     
>>
>> It seemed to me when I thought about this a few weeks ago that the
>> only solution would be a new form of SA specifically designed
>> to look like an IPv4-only SA but able to be created and checked
>> by a (suitably modified) IPv6-only host. And of course a similar
>> variant of IKE would be needed. I don't know if such variants
>> are possible, and they certainly require the IPv6 host to know the
>> pair of IPv4 addresses that the IPv4 host is using.
>>
>>      Brian
>>
>>
>> Scanned by Check Point Total Security Gateway.
>>
>>   
>

Follow-Ups:
- Re: NAT64 and IPsec support
  - From: Hesham Soliman <hesham@elevatemobile.com>

References:
- NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: NAT64 and IPsec support
  - From: "George Tsirtsis" <tsirtsis@googlemail.com>
- Re: NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Yaron Sheffer <yaronf@checkpoint.com>
- Re: NAT64 and IPsec support
  - From: marcelo bagnulo <marcelo@it.uc3m.es>
- Re: NAT64 and IPsec support
  - From: Yaron Sheffer <yaronf@checkpoint.com>
- Re: NAT64 and IPsec support
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Re: NAT64 and IPsec support
  - From: Yaron Sheffer <yaronf@checkpoint.com>

Prev by Date: Re: NAT64 and IPsec support
Next by Date: Re: NAT64 and IPsec support
Previous by thread: Re: NAT64 and IPsec support
Next by thread: Re: NAT64 and IPsec support
Index(es):
- Date
- Thread