Re: NAT Not Needed To Make Renumbering Easy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Christian Vogt wrote:

> Why would an IPv6 NAT need to find the checksum if the checksum does
> not need to be changed anyway?

Hmmm, you should be assuming that all the transport checksums will
be 1's complement 16 bit sum, even though modern transport protocols
are using different checksum.

Anyway, checksum of ICMP error generated against ICMP echo must
still be changed, and the error packet may (though does not usually
have to) be fragmented.

BTW, I have noticed that possibly-lengthy extension header is not
protected by IP nor transport checksum, which should be a flaw of
IPv6.

Also, SCTP ignores to protect source and destinaiton addresses
in IP header, maybe for NAT transparency, though IPv6 expect
transport protocls to do so.

>>IPv6 specification requires IPSEC, which means outer most IPv6 must
>>also support IPSEC.

> Sure, no one is arguing with this.  My point was that, while IPv6 NAT
> does interfere with some modes of IPsec, there are other IPsec modes
> that are not affected by IPv6 NAT.  Makes sense?

The problem is that IPSEC requirement of IPv6 is not specified
as "some modes of IPsec" should be supported.

Instead, IPv6 requires support for AH and ESP extension headers.

I think we can laugh at the reason why IPv6 insists on IPSEC
documented in rfc2463.

   5.1 Authentication and Encryption of ICMP messages

   ICMP protocol packet exchanges can be authenticated using the IP
   Authentication Header [IPv6-AUTH].  A node SHOULD include an
   Authentication Header when sending ICMP messages if a security
   association for use with the IP Authentication Header exists for the
   destination address.  The security associations may have been created
   through manual configuration or through the operation of some key
   management protocol.

   Received Authentication Headers in ICMP packets MUST be verified for
   correctness and packets with incorrect authentication MUST be ignored
   and discarded.

where, thanks to IPSEC, DoS by ICMP can be prevented only with a
*SMALL* amount of computation and message exchanges of some key
management protocol. :-)

						Masataka Ohta

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]