Re: NAT64 and IPsec support

[Hesham Soliman <hesham@elevatemobile.com>]

> I agree that the market will decide in the end, and
> personally I like the dual stack plus tunnel approach,
> but we hear from the operational community that
> IPv6-only nodes without dual stack need to be handled.
> So, we are trying to deal with that.
>
> However, I think we are pretty close to concluding
> that a NAT64 solution can never support IPsec.

=> Agreed.

Hesham

>    Brian
>
>
> On 2008-04-01 16:16, Hesham Soliman wrote:
> > > I don't think you're missing much, although I was suggesting that
> > > by redesigning both IPsec and IKE we might find a mixed-mode
> > > solution.
> > >
> > > However, there is certainly an alternative to the whole NAT-PT
> > > line of attack, which is to say that the solution is
> > > a) all IPv6 hosts MUST be dual-stack
> > > b) when connectivity to legacy IPv4 is required, and the host
> > > is on an IPv6-only network, it MUST use an IPv4-in-IPv6 tunnel
> > > c) which MAY be terminated by an IPv4 NAT, so that
> > > the lack of IPv4 addresses is not an issue.
> >
> > => But that's effectvely where we are now. I take the above as a
> > suggestion to scrap the NAT-PT work.
> > I'm at a bit of a loss as to why we scrapped NAT-PT and why we're  
> > doing
> > a 180 on this decision.
> > Personally, I'm fine with doing the NAT-PT work and leaving it up to
> > deployments to decide whether it's needed.
> > While I do agree that almost all hosts running v6 will also run v4, I
> > don't think that every deployment will have enough IPv4
> > public or private addresses. So I think there may be a need for  
> > NAPT-PT
> > in the market.
> >
> > Hesham
> >
> > > SOFTWIRE+BEHAVE
> > >
> > >   Brian
> > > > Thanks,
> > > >
> > > >  Yaron
> > > >
> > > >
> > > > Brian E Carpenter wrote:
> > > >
> > > > > Yaron,
> > > > >
> > > > > On 2008-03-31 00:33, Yaron Sheffer wrote:
> > > > >
> > > > > > Hi Marcelo,
> > > > > >
> > > > > > see my responses inline.
> > > > > >
> > > > > > Thanks,
> > > > > >  Yaron
> > > > > >
> > > > > > marcelo bagnulo wrote:
> > > > > >
> > > > > > > Hi Yaron,
> > > > > > >
> > > > > > > thank you for your input, see some questions below...
> > > > > > >
> > > > > > > Yaron Sheffer escribió:
> > > > > > >
> > > > > > > > I think we are bundling several different cases together. I  
> > > > > > > > will try
> > > > > > > > to enumerate the use cases, to clarify the situation a bit:
> > > > > > > >
> > > > > > > > Case 1: v6-only host to v4-only host.
> > > > > > > >
> > > > > > > > I don't think any IPsec solution can be crafted here.
> > > > > > > So, in you opinion, if we have a v6 host communicating with a  
> > > > > > > v4 host
> > > > > > > a NAT64 in the middle, then they cannot communicate using IPSec,
> > > > > > > neither transport nor tunnel mode directly between them. That
> > > > > > > includes
> > > > > > > doing nor ESP nor AH nor IKE, is that correct?
> > > > > > Yes this is correct. A NAT box cannot do anything useful to  
> > > > > > either IKE
> > > > > > or IPsec unless it has access to the encryption keys, which  
> > > > > > would not
> > > > > > make sense in our case.
> > > > >
> > > > > It seemed to me when I thought about this a few weeks ago that the
> > > > > only solution would be a new form of SA specifically designed
> > > > > to look like an IPv4-only SA but able to be created and checked
> > > > > by a (suitably modified) IPv6-only host. And of course a similar
> > > > > variant of IKE would be needed. I don't know if such variants
> > > > > are possible, and they certainly require the IPv6 host to know the
> > > > > pair of IPv4 addresses that the IPv4 host is using.
> > > > >
> > > > >    Brian
> > > > >
> > > > >
> > > > > Scanned by Check Point Total Security Gateway.