
Re: v6ops-nat64-pb-statement-req: IPsec requirement



marcelo bagnulo braun <marcelo@it.uc3m.es> writes:

> I think so, I have changed that to

> The translator MUST support communication between IPv4 node and IPv6
>    node using UDP Encapsulation of IKE and IPsec ESP Packets as defined in
>    [RFC3948] as applicable.  RFC3948 should be interpreted as with the
>    IPv6 side on the IPv6-IPv4 translator being the IPv4 private side of
>    the conventional NAT.  IPsec support MAY require updating also the
>    IPv4 side.

> would that be better?

Yes, but...

Question: Why was UDP encapsulation chosen? Should we even have that
requirement at this point? Seems to me that the requirement should be
more like:

   The translator MUST be able to support the translation of at least
   one mode of IPsec and IKE flows sufficient to allow nodes using IKE
   and IPsec to successfully set up and use IPsec SAs.  Although
   desirable, it is not a requirement that such a capability be done
   with no changes to the IPv4 node's IKE/IPsec implementation.

Thoughts?

Thomas