
Re: NAT Not Needed To Make Renumbering Easy

2009-11-09 04:13:22
Christian Vogt wrote:

> Why would an IPv6 NAT need to find the checksum if the checksum does
> not need to be changed anyway?

Hmmm, you should be assuming that all the transport checksums will
be the 1's complement 16-bit sum, even though modern transport protocols
are using different checksums.

Anyway, the checksum of an ICMP error generated against an ICMP echo must
still be changed, and the error packet may (though it usually does not
have to) be fragmented.

BTW, I have noticed that possibly lengthy extension headers are
protected by neither the IP nor the transport checksum, which should be a
flaw of IPv6.

Also, SCTP does not protect the source and destination addresses
in the IP header, maybe for NAT transparency, though IPv6 expects
transport protocols to do so.

>> IPv6 specification requires IPSEC, which means outer most IPv6 must
>> also support IPSEC.
>
> Sure, no one is arguing with this.  My point was that, while IPv6 NAT
> does interfere with some modes of IPsec, there are other IPsec modes
> that are not affected by IPv6 NAT.  Makes sense?

The problem is that the IPSEC requirement of IPv6 is not specified
as "some modes of IPsec should be supported".

Instead, IPv6 requires support for AH and ESP extension headers.

I think we can laugh at the reason why IPv6 insists on IPSEC, as
documented in RFC 2463:

   5.1 Authentication and Encryption of ICMP messages

   ICMP protocol packet exchanges can be authenticated using the IP
   Authentication Header [IPv6-AUTH].  A node SHOULD include an
   Authentication Header when sending ICMP messages if a security
   association for use with the IP Authentication Header exists for the
   destination address.  The security associations may have been created
   through manual configuration or through the operation of some key
   management protocol.

   Received Authentication Headers in ICMP packets MUST be verified for
   correctness and packets with incorrect authentication MUST be ignored
   and discarded.

where, thanks to IPSEC, DoS by ICMP can be prevented with only a
*SMALL* amount of computation and message exchanges of some key
management protocol. :-)

                                                Masataka Ohta
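The checksum argument in the message above, worked through in code as an added example (this is not code from the original thread or from any IETF document): the ICMPv6 checksum is an RFC 1071 one's complement sum over an IPv6 pseudo-header that includes both addresses, so a NAT that rewrites an address must also change the checksum of an echo request and of any ICMPv6 error that quotes it, whereas SCTP's CRC32c covers only the SCTP packet and is untouched by an address rewrite. It also shows the RFC 1624 incremental update a NAT would use once it has located the checksum field. The addresses, identifiers and payloads are constructed test data; the function names are the example's own.

```python
"""Added example: effect of an IPv6 address rewrite on the ICMPv6 checksum
(pseudo-header based) versus the SCTP checksum (CRC32c, no addresses).
All addresses, ports and payloads are constructed test data."""
import ipaddress
import struct

IPPROTO_ICMPV6 = 58


def fold16(total: int) -> int:
    """End-around-carry fold of an integer into a 16-bit one's complement value."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    words = struct.unpack("!%dH" % (len(data) // 2), data)
    return (~fold16(sum(words))) & 0xFFFF


def ipv6_pseudo_header(src: str, dst: str, upper_len: int, next_header: int) -> bytes:
    """RFC 8200 section 8.1 pseudo-header: both addresses are summed, which is
    why rewriting either one invalidates the upper-layer checksum."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", upper_len, next_header))


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """Checksum of an ICMPv6 message whose checksum field (bytes 2-3) is zero."""
    return internet_checksum(ipv6_pseudo_header(src, dst, len(msg), IPPROTO_ICMPV6) + msg)


def ipv6_header(src: str, dst: str, payload_len: int, next_header: int) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, zero traffic class/flow label, hop limit 64."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMPv6 Echo Request (type 128, code 0) with the checksum field zeroed."""
    return struct.pack("!BBHHH", 128, 0, 0, ident, seq) + payload


def dest_unreachable(inner_packet: bytes) -> bytes:
    """ICMPv6 Destination Unreachable (type 1, code 0): 4 unused bytes, then the
    offending packet. A NAT rewrites the quoted inner addresses too, so the
    error's checksum changes even though its own type/code/unused bytes do not."""
    return struct.pack("!BBHI", 1, 0, 0, 0) + inner_packet


def incremental_update(old_csum: int, old_bytes: bytes, new_bytes: bytes) -> int:
    """RFC 1624 equation 3, HC' = ~(~HC + ~m + m'), per 16-bit word replaced.
    This lets a NAT fix the checksum without re-summing the payload, but only
    after it has found the checksum field in the packet."""
    acc = (~old_csum) & 0xFFFF
    for i in range(0, len(old_bytes), 2):
        m_old = struct.unpack("!H", old_bytes[i:i + 2])[0]
        m_new = struct.unpack("!H", new_bytes[i:i + 2])[0]
        acc = fold16(acc + ((~m_old) & 0xFFFF) + m_new)
    return (~acc) & 0xFFFF


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli, reflected polynomial 0x82F63B78), as used by SCTP."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def sctp_checksum(sctp_packet: bytes) -> int:
    """SCTP checksum covers the common header and chunks only (checksum field
    zeroed); IP addresses are not included, so an address rewrite leaves it intact."""
    return crc32c(sctp_packet[:8] + b"\x00\x00\x00\x00" + sctp_packet[12:])


def nat_effect(inside: str, outside: str, peer: str) -> dict:
    """Checksums as seen inside and outside a NAT that maps inside <-> outside,
    for an echo request, the ICMPv6 error a router sends back about it, and an
    SCTP packet. Also checks that RFC 1624 reproduces the full recomputation."""
    echo = echo_request(0x1234, 1, b"ping-payload")
    echo_in, echo_out = icmpv6_checksum(inside, peer, echo), icmpv6_checksum(outside, peer, echo)
    # Error travels peer -> host; its quoted inner packet is host -> peer.
    err_in = icmpv6_checksum(peer, inside, dest_unreachable(ipv6_header(inside, peer, len(echo), IPPROTO_ICMPV6) + echo))
    err_out = icmpv6_checksum(peer, outside, dest_unreachable(ipv6_header(outside, peer, len(echo), IPPROTO_ICMPV6) + echo))
    # SCTP common header (ports, verification tag, checksum) plus one COOKIE-ACK chunk.
    sctp = struct.pack("!HHII", 5000, 5001, 0xDEADBEEF, 0) + bytes.fromhex("0b000004")
    a_in, a_out = ipaddress.IPv6Address(inside).packed, ipaddress.IPv6Address(outside).packed
    return {
        "echo_inside": echo_in, "echo_outside": echo_out,
        "error_inside": err_in, "error_outside": err_out,
        "sctp_inside": sctp_checksum(sctp), "sctp_outside": sctp_checksum(sctp),
        # Outbound echo: one address replaced. Inbound error: outer dst and inner src replaced.
        "echo_incremental_ok": incremental_update(echo_in, a_in, a_out) == echo_out,
        "error_incremental_ok": incremental_update(err_out, a_out + a_out, a_in + a_in) == err_in,
    }
```

`nat_effect("fd00::10", "2001:db8::1", "2001:db8:ffff::2")` yields different inside/outside checksums for the echo and for the error, identical values for SCTP, and both incremental-update flags true. The SCTP case is exactly the "NAT transparency" Ohta describes: nothing in the IP header is covered, so a rewrite is invisible to the checksum, at the cost of not detecting misdelivery by address.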

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf