Bjoern A. Zeeb <bzeeb-li...@lists.zabbadoz.net> wrote:
    > That’s maybe for the ipsec wg but while native IPv6 VPN has been working fine
    > for me for ages, how would a NAT64 policy exchange actually look like (I am
    > thinking about what is done for IPv4 NAT or double NAT within the same

NAT64 depends upon DNS64 to provide a fake IPv6 target for the application to
connect to.

So, for IPsec to work over NAT64 would require:

1) IPsec able to traverse over IPv6 networks (outer IP header being IPv6).
2) An IKEv2 daemon that uses DNS to find its IPv4-only gateway, so that it
   can be lied to about the returned AAAA record.

In Bill's case, he hasn't got (1), so it's not going to work.
Once he has (1) (the upgrade he mentioned), if his policy lets him use DNS to
find his gateway, and he doesn't do DNSSEC on that, then it ought to work.

Of course, once he has the upgrade, if his gateway would just have an IPv6,
he wouldn't need NAT64. And he can tunnel his company 10.x v4 network over
things as much as he likes... but there is the question about where his
Internet bound v4 traffic will go... likely if his company's VPN wants to
inspect his traffic, the v4 will go through the tunnel, not using the NAT64
at all, and causing him higher latency.  But, that's what would happen in
a pure v4 situation anyway.

    > address family);  I doubt that different AFs on each end as part of the
    > policy are specified to work, so I’d not expect IPsec VPNs to work across a
    > NAT64 (from a v6 to a v4 endpoint);  someone surprise me and say with IKEv2
    > you can?  Someone surprise me and say with a double NAT64 it can work?

I'm not sure IKEv2 even knows or cares how the port-500 packets get there.
I use v6 over X tunnels (where X is usually v4) in order to get v6 to my
laptop from coffee shops regularly.  I haven't tried this over NAT64, but I
will change this to use DNS.  Of course, I wouldn't need this tunnel in a
NAT64 network, since I'd have v6, so I'll setup some v4 IPsec too for the
next IETF and try it out.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




_______________________________________________
sunset4 mailing list
sunset4@ietf.org
https://www.ietf.org/mailman/listinfo/sunset4
