
Re: NAT64 and IPsec support



Hesham,

I agree that the market will decide in the end, and
personally I like the dual stack plus tunnel approach,
but we hear from the operational community that
IPv6-only nodes without dual stack need to be handled.
So, we are trying to deal with that.

However, I think we are pretty close to concluding
that a NAT64 solution can never support IPsec.

    Brian


On 2008-04-01 16:16, Hesham Soliman wrote:
>>
>> I don't think you're missing much, although I was suggesting that
>> by redesigning both IPsec and IKE we might find a mixed-mode
>> solution.
>>
>> However, there is certainly an alternative to the whole NAT-PT
>> line of attack, which is to say that the solution is
>> a) all IPv6 hosts MUST be dual-stack
>> b) when connectivity to legacy IPv4 is required, and the host
>> is on an IPv6-only network, it MUST use an IPv4-in-IPv6 tunnel
>> c) which MAY be terminated by an IPv4 NAT, so that
>> the lack of IPv4 addresses is not an issue.
> 
> => But that's effectively where we are now. I take the above as a
> suggestion to scrap the NAT-PT work.
> I'm at a bit of a loss as to why we scrapped NAT-PT and why we're doing
> a 180 on this decision.
> Personally, I'm fine with doing the NAT-PT work and leaving it up to
> deployments to decide whether it's needed.
> While I do agree that almost all hosts running v6 will also run v4, I
> don't think that every deployment will have enough IPv4
> public or private addresses. So I think there may be a need for NAPT-PT
> in the market.
> 
> Hesham
> 
>>
>>
>> SOFTWIRE+BEHAVE
>>
>>    Brian
>>>
>>>
>>> Thanks,
>>>
>>>   Yaron
>>>
>>>
>>> Brian E Carpenter wrote:
>>>
>>>> Yaron,
>>>>
>>>> On 2008-03-31 00:33, Yaron Sheffer wrote:
>>>>
>>>>> Hi Marcelo,
>>>>>
>>>>> see my responses inline.
>>>>>
>>>>> Thanks,
>>>>>   Yaron
>>>>>
>>>>> marcelo bagnulo wrote:
>>>>>
>>>>>> Hi Yaron,
>>>>>>
>>>>>> thank you for your input, see some questions below...
>>>>>>
>>>>>> Yaron Sheffer escribió:
>>>>>>
>>>>>>> I think we are bundling several different cases together. I will try
>>>>>>> to enumerate the use cases, to clarify the situation a bit:
>>>>>>>
>>>>>>> Case 1: v6-only host to v4-only host.
>>>>>>>
>>>>>>> I don't think any IPsec solution can be crafted here.
>>>>>>>
>>>>>>>
>>>>>> So, in your opinion, if we have a v6 host communicating with a v4 host
>>>>>> with a NAT64 in the middle, then they cannot communicate using IPsec,
>>>>>> neither transport nor tunnel mode directly between them. That
>>>>>> includes doing neither ESP nor AH nor IKE, is that correct?
>>>>>>
>>>>> Yes this is correct. A NAT box cannot do anything useful to either IKE
>>>>> or IPsec unless it has access to the encryption keys, which would not
>>>>> make sense in our case.
>>>>>
>>>>
>>>> It seemed to me when I thought about this a few weeks ago that the
>>>> only solution would be a new form of SA specifically designed
>>>> to look like an IPv4-only SA but able to be created and checked
>>>> by a (suitably modified) IPv6-only host. And of course a similar
>>>> variant of IKE would be needed. I don't know if such variants
>>>> are possible, and they certainly require the IPv6 host to know the
>>>> pair of IPv4 addresses that the IPv4 host is using.
>>>>
>>>>     Brian
>>>>
>>>>
>>>>
>>>
>>
>>
> 
>
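The exchange above turns on one claim: a NAT64, which rewrites IPv6 addresses to IPv4 addresses and back, cannot help IPsec or IKE traffic through without holding the keys. The following is an added illustration, not code from this thread or from any of its participants. It models the two parts of the problem in simplified form: an AH-style integrity check value (here an HMAC-SHA256 over the addresses and payload, standing in for the real AH ICV over the immutable header fields) and an ESP transport-mode payload whose inner TCP checksum covers a pseudo-header built from the addresses (here a simplified pseudo-header, with an HMAC-derived keystream standing in for ESP's cipher). All addresses are constructed from documentation ranges, the NAT64 uses the 64:ff9b::/96 well-known prefix, and the shared key is a constructed constant. The translator rewrites only the addresses, which is all it can do without the key; the receiver then rejects both the AH packet (the ICV no longer matches) and the ESP packet (the decrypted checksum no longer matches the new pseudo-header).

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace
from typing import Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed addresses (documentation ranges, not real hosts).
HOST_V6 = ipaddress.IPv6Address("2001:db8::10")            # IPv6-only host
HOST_V4 = ipaddress.IPv4Address("192.0.2.10")              # IPv4-only host
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")       # RFC 6052 well-known prefix
NAT64_POOL_V4 = ipaddress.IPv4Address("198.51.100.1")      # translator's IPv4 pool address
PROTO_TCP = 6


@dataclass(frozen=True)
class Packet:
    src: Address
    dst: Address
    payload: bytes      # opaque to the NAT64: ESP ciphertext or AH-protected data
    icv: bytes = b""    # AH integrity check value; empty when AH is not in use


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, as TCP and UDP use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: Address, dst: Address, length: int) -> bytes:
    """Simplified pseudo-header: both addresses, protocol, segment length."""
    return src.packed + dst.packed + struct.pack("!BH", PROTO_TCP, length)


def _keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; a constructed stand-in for ESP's cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- AH-style integrity protection: the ICV covers the addresses --------------
def ah_icv(key: bytes, src: Address, dst: Address, payload: bytes) -> bytes:
    return hmac.new(key, src.packed + dst.packed + payload, hashlib.sha256).digest()


def ah_send(key: bytes, src: Address, dst: Address, payload: bytes) -> Packet:
    return Packet(src, dst, payload, ah_icv(key, src, dst, payload))


def ah_verify(key: bytes, pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, ah_icv(key, pkt.src, pkt.dst, pkt.payload))


# --- ESP transport mode: the encrypted TCP checksum covers the addresses ------
def esp_transport_send(key: bytes, src: Address, dst: Address, data: bytes) -> Packet:
    seg_len = 2 + len(data)
    csum = internet_checksum(pseudo_header(src, dst, seg_len) + b"\x00\x00" + data)
    segment = struct.pack("!H", csum) + data          # checksum field first, then data
    return Packet(src, dst, _xor(segment, _keystream(key, len(segment))))


def esp_transport_receive(key: bytes, pkt: Packet) -> Tuple[bool, bytes]:
    """Decrypt, then check the inner checksum against the addresses the packet now carries."""
    segment = _xor(pkt.payload, _keystream(key, len(pkt.payload)))
    (csum,), data = struct.unpack("!H", segment[:2]), segment[2:]
    expected = internet_checksum(pseudo_header(pkt.src, pkt.dst, len(segment)) + b"\x00\x00" + data)
    return csum == expected, data


# --- Stateful NAT64, v6 -> v4 direction: addresses only, no key ---------------
def nat64_translate(pkt: Packet) -> Packet:
    if not isinstance(pkt.dst, ipaddress.IPv6Address) or pkt.dst not in NAT64_PREFIX:
        raise ValueError("not a NAT64-destined packet")
    embedded_v4 = ipaddress.IPv4Address(int(pkt.dst) & 0xFFFFFFFF)  # low 32 bits of the prefix form
    return replace(pkt, src=NAT64_POOL_V4, dst=embedded_v4)           # payload and ICV untouched


def demo(key: bytes = b"constructed-shared-key") -> dict:
    """Send one AH and one ESP packet from the v6 host through the NAT64 and report what survives."""
    v4_host_as_v6 = ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(HOST_V4))
    data = b"GET / HTTP/1.0\r\n\r\n"
    ah_before = ah_send(key, HOST_V6, v4_host_as_v6, data)
    esp_before = esp_transport_send(key, HOST_V6, v4_host_as_v6, data)
    ah_after, esp_after = nat64_translate(ah_before), nat64_translate(esp_before)
    return {
        "ah_ok_before_nat64": ah_verify(key, ah_before),
        "ah_ok_after_nat64": ah_verify(key, ah_after),
        "esp_ok_before_nat64": esp_transport_receive(key, esp_before)[0],
        "esp_ok_after_nat64": esp_transport_receive(key, esp_after)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same failure appears in the v4-to-v6 direction for the same reason, and an IKE exchange fares no better: the identities and traffic selectors it carries are bound to one address family and are themselves inside the protected part of the exchange. That is the gap Brian's hypothetical "IPv4-looking SA created by an IPv6-only host" would have to close, since the only party able to make the integrity check and the inner checksum agree with the translated addresses is one that holds the keys.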