[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: A slightly more detailed analysis Re: NAT64 and IPsec support
thanks for the summary, i was planning to do a similar effort myself,
but since you have done that already :-)
George Tsirtsis escribió:
So, I looked into this in a bit more detail. Admittedly I am not a
security expert but I do not think you have to be one to figure this
out at least to some level.
- First in terms of unmodified end nodes:
RFC2765 (SIIT) claims that ESP Transport mode can work over it. This
appears to be true given the fact that ESP Transport mode as defined
in RFC4303 only covers the headers following the ESP header; see
diagrams in pages 18/19 of RFC4303.
Note, however, that while ESP Transport mode does not cover IP
headers, it does cover Transport and higher headers, so it is NOT
possible to perform port translation or to do an ALG processing. So
SIIT assumes that NO port translation is going on and each IPv6 only
node is using all the ports of each IPv4 address available to the SIIT
box. This requires as a minimum, one IPv4 address for each IPv6 end
node in a concurrent communication session, and it is the reason why
NAT-PT had to also exist.
I think this conclusively renders "IPSEC over NAT64 for unmodified end
nodes" unrealistic. Any disagrees with that?
This is my conclusion as well.
IPSEc wihtout at least one of the endpoints involved is not possible
(note that this is similar to the IPv4NAT, since in IPv4NAt IPSec
support endhosts need to be updated as per RFC3948)
So i am planning to NOT to include a basic requirement abou any form of
IPSec support wihtout endpoint support, ok?
I understnad that what you describe above is only for IPsec tunnel mode.
there is also transport mode with modified hosts, which i think it would
be easier to make it work, don't you think?
- Now about modified end nodes:
As we discussed before RFC3948 works based on UDP encapsulation which
has become the default v4NAT traversal technique. The premise for this
type of solution is that by encapsulating the traffic we can limit the
effects of translation to the encapsulation header, leaving the inner
header untouched. I think this is not sufficient when IPv6-only nodes
interact with IPv4-only nodes since no matter what encapsulation we do
in the end there is no way for the two peers to form IP headers of the
same version and use them as untouched inner headers.
This seems like a dead-end but there is an avenue some people seem to
want to explore. This would require one of the peers (presumably the
IPv6-only side) to be able to put together an IPv4 header and apply
ESP style encapsulation, even if it does not run a full IPv4 stack.
In this case, at least in theory, the two peers can then form a
session based on the same version of IP. I think then there are two
possibilities to explore:
1) An IPv6 tunnel is created between the IPv6-only end node and the
NAT64 box. The IPv4 session is then encapsulated over it and it is
protected by IPSEC as required. This means that the IPv6 end node
knows the external IPv4 address of NAT64 box and the port number to
2) A UDP/IP tunnel is created end to end ala RFC3968. Of course this
means that the IPv6-only node does UDP/IPv6, which is then translated
to UDP/IPv4 by NAT64. The IPv4 session is then encapsulated over it
and it is protected by IPSEC as required. This means that the source
IPv4 address and port numbers used by the IPv6-only node in the inner
headers will have to be valid and non-overlapping at the IPv4-only
In both of the above cases IKEv2 will still have to be looked at and
see if there is any hope of making that work over NAT64. Making this
work for incoming communication is of course even harder. In general,
both options present serious challenges which if they are overcome
something resembling end to end IPSEC could in theory emerge.
My personal opinion, for whatever it is worth, is that this is not a
good road to go down, but maybe defining something like this in more
detail to see how awful it really is, is still useful. We can always
discard it later.
Maybe there are also other alternatives I am missing here in which
case it would be nice to hear about them.
My conclusion of this discussion w.r.t. the requirements is that it
would be possible to make it work, but this would require modifications
of the endpoints, so, i am thinking in a requirement like:
IPSec MUST be supported but modifications to the endpoints may be needed.
Now, i have a few related questions:
- do we need to upgrade btoh endpoints or would it be enough if we just
upgrade one? ( I mean, this could change the requieremtn meaning that
the solution must support IPSec if only the v6 node is upgraded with
special IPSec handling mechanisms)
- Is there anything that the NAT64 needs to do in order to make ths
support easier? I mean, at least at this point, it seems possible that
IPsec traffic will flow through the NAT64 box, so at least is should be
possible to do somehting with that traffic. for instace, how does the
NAT64 box handles that traffi when NAPT is being performed? Are there
any other thing s that the nat64 could do to make life of the endpoints
supporting IPSec clearly easier?
On Fri, Mar 28, 2008 at 8:14 PM, marcelo bagnulo <email@example.com> wrote:
Another issue that was brought up during the meeting was IPSec support.
I have been reading RFC3948 and i have some questions.
I understand that if transport mode can work through v4 NATs using
RFC3948 UDP encapsulation and soem other tweaks defined in the RFC, then
it is reasonable to expect that the same level of support of support can
be achieved in NAT64.
so we could simply add a requirement that NAT64 mechanisms should
support the use cases supported by RFC3948.
However, i am not so clear about the tunnel mode.
In tunnel mode, we have two IP headers and the NAT64 will only translate
one of them (by default, if we don't do anything special with it).
so, the problem, is that even if the outside IP header is translated
with the NAT64 box, the inner header remains in the original IP version,
so i am wondering if this doesn't present additionla difficulties. The
option is to translate both headers, but this again will be different
than the IPv4 NAT case, since the inner header in the IPv4 NAT case
remains unchanged, while we would be changing it in this case. So i am
finding that the tunnel mode wouldn't be so directly supported using the
IPv4 NAT traversal techniques for IPSec.
However, i am not an expert on this, so i may get this completelly
wrong. any guidance on this would be appreciated