Christian Vogt wrote:

> Why would an IPv6 NAT need to find the checksum if the checksum does
> not need to be changed anyway?

Hmmm, you should be assuming that all the transport checksums will be 1's complement 16 bit sum, even though modern transport protocols are using different checksums.

Anyway, checksum of ICMP error generated against ICMP echo must still be changed, and the error packet may (though does not usually have to) be fragmented.

BTW, I have noticed that possibly-lengthy extension header is not protected by IP nor transport checksum, which should be a flaw of IPv6.

Also, SCTP ignores to protect source and destination addresses in IP header, maybe for NAT transparency, though IPv6 expects transport protocols to do so.

>>IPv6 specification requires IPSEC, which means outer most IPv6 must
>>also support IPSEC.

> Sure, no one is arguing with this. My point was that, while IPv6 NAT
> does interfere with some modes of IPsec, there are other IPsec modes
> that are not affected by IPv6 NAT. Makes sense?

The problem is that IPSEC requirement of IPv6 is not specified as "some modes of IPsec" should be supported.

Instead, IPv6 requires support for AH and ESP extension headers.

I think we can laugh at the reason why IPv6 insists on IPSEC documented in rfc2463.

   5.1 Authentication and Encryption of ICMP messages

   ICMP protocol packet exchanges can be authenticated using the IP
   Authentication Header [IPv6-AUTH]. A node SHOULD include an
   Authentication Header when sending ICMP messages if a security
   association for use with the IP Authentication Header exists for the
   destination address. The security associations may have been created
   through manual configuration or through the operation of some key
   management protocol.

   Received Authentication Headers in ICMP packets MUST be verified for
   correctness and packets with incorrect authentication MUST be ignored
   and discarded.
where, thanks to IPSEC, DoS by ICMP can be prevented only with a *SMALL* amount of computation and message exchanges of some key management protocol. :-)

Masataka Ohta
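An added example, not part of the original message: the checksum question from the thread worked through for one UDP datagram. It assumes a NAT that swaps a /48 prefix and adjusts the next 16-bit word so the address keeps its one's complement sum; the addresses, ports, payload and the CRC-based "transport checksum" are constructed or hypothetical.

```python
import ipaddress
import struct
import zlib

def ones_sum16(data: bytes) -> int:
    """Folded 16-bit one's complement sum (data zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: bytes, dst: bytes, length: int, next_header: int) -> bytes:
    """IPv6 pseudo-header: addresses, 32-bit length, 3 zero bytes, next header."""
    return src + dst + struct.pack("!I3xB", length, next_header)

def udp6_valid(src: bytes, dst: bytes, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header and segment is 0xFFFF."""
    return ones_sum16(pseudo_header(src, dst, len(segment), 17) + segment) == 0xFFFF

def neutral_rewrite(addr: bytes, prefix48: bytes) -> bytes:
    """Replace the top 48 bits and adjust the next 16-bit word so that the
    one's complement sum of the whole address stays the same."""
    words = list(struct.unpack("!3H", prefix48)) + list(struct.unpack("!8H", addr))[3:]
    words[3] = 0
    rest = ones_sum16(struct.pack("!8H", *words))
    adj = ones_sum16(addr) + (~rest & 0xFFFF)      # old sum minus the rest
    words[3] = (adj & 0xFFFF) + (adj >> 16)
    return struct.pack("!8H", *words)

def hypothetical_crc(src: bytes, dst: bytes, segment: bytes) -> int:
    """Hypothetical transport checksum: CRC32 over the same pseudo-header."""
    return zlib.crc32(pseudo_header(src, dst, len(segment), 17) + segment)

def build_udp(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """UDP segment (constructed ports 5000 -> 53) with its checksum filled in."""
    hdr = struct.pack("!HHHH", 5000, 53, 8 + len(payload), 0)
    csum = ~ones_sum16(pseudo_header(src, dst, 8 + len(payload), 17) + hdr + payload) & 0xFFFF
    return hdr[:6] + struct.pack("!H", csum or 0xFFFF) + payload

# Constructed sample: one datagram from an inside host to a remote host.
INSIDE = ipaddress.IPv6Address("fd00:1:2:3::10").packed
REMOTE = ipaddress.IPv6Address("2001:db8:ffff::1").packed
OUTSIDE_PREFIX = ipaddress.IPv6Address("2001:db8:aa::").packed[:6]
SEGMENT = build_udp(INSIDE, REMOTE, b"hello")
OUTSIDE = neutral_rewrite(INSIDE, OUTSIDE_PREFIX)   # 2001:db8:aa:cea3::10
```

The unmodified segment still verifies against the rewritten source address because the address sum is unchanged, while the CRC-style checksum over the same bytes does not survive the rewrite.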