[Openswan dev] Re: v6-in-v4 IPsec and NAT traversal
Michael Richardson
mcr at xelerance.com
Sat Mar 13 12:24:56 CET 2004
>>>>> "Pekka" == Pekka Savola <pekkas at netcore.fi> writes:
Pekka> I'm interested whether Linux IPsec implementations support:
Pekka> 1) IPv6 payload inside IPv4 IPsec tunnel/transport?
Pekka> That is, when the intermediate network doesn't support IPv6,
Pekka> you could do IPv6, secured, without first encapsulating in
Pekka> IPv6-over-IPv4 tunnel and then running IPv6 IPsec.
I don't know if 26sec can do it at the bottom layer - I think not.
I can tell you that neither racoon nor pluto can negotiate a mixed
mode SA. Both are pretty close - but at present no real testing is done
on that.
Pekka> 2) NAT-traversal? (There are at least some patches in
Pekka> OpenSWAN, etc. for this). This could be very handy combined
Pekka> with the above.
Both 26sec and KLIPS have support for NAT-Traversal for IPv4, but
both require support from the UDP - this is in 2.6, 2.4 backport, and
showing up in many distros. The patch is 140 lines.
Pluto will detect the kernel support for NAT-Traversal and use it
if it exists.
I don't know about racoon.
Pekka> [[ 3) Some feasible key management method, such as
Pekka> certificates. I think this exists, and doesn't require
Pekka> support in the kernel. ]]
Racoon has poor pkix-self-signed certificate support.
Pluto has pkix, raw RSA, RSA-from-DNS. The latest X.509 patches from
Andreas (not yet integrated) include OCSP (RFC2560).
Pekka> I'm considering how viable this kind of NAT-traversal
Pekka> supporting v6-in-v4 IPsec would be as an IPv6
Pekka> tunneling/transition mechanism.
Well, I was rather hoping that NAT-traversal for IPsec would have been
done as:
IPv4/ESP/IPv6/Teredo/UDP/IPv4.
Pekka> What's the status (implementations, planned or future) of
Pekka> these features?
http://www.openswan.org/development/roadmap.php
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
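As an added illustration (not code from this thread, nor from Openswan, KLIPS or 26sec), here is the demultiplexing rule a NAT-T-aware kernel applies to datagrams arriving on the UDP socket that IKE has marked for ESP-in-UDP, as specified in RFC 3948; the sample packets are constructed for the example.

```c
/* Added example: RFC 3948 demux of a UDP-encapsulated IPsec datagram.
 * A NAT-T-aware kernel applies this on the socket pluto marks for
 * ESP-in-UDP; the packet bytes below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum natt_kind { NATT_INVALID = -1, NATT_KEEPALIVE, NATT_IKE, NATT_ESP };

struct natt_pkt {
    enum natt_kind kind;
    uint32_t spi;   /* meaningful only when kind == NATT_ESP */
    uint32_t seq;   /* meaningful only when kind == NATT_ESP */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* RFC 3948: a one-byte payload of 0xFF is a NAT keepalive; four zero
 * bytes (the "non-ESP marker") prefix an IKE message, whose header is
 * 28 bytes; anything else is ESP, whose first word is a non-zero SPI
 * followed by the sequence number.  Short or malformed input is rejected
 * rather than guessed at. */
struct natt_pkt natt_classify(const uint8_t *buf, size_t len)
{
    struct natt_pkt r = { NATT_INVALID, 0, 0 };
    if (len == 1 && buf[0] == 0xFF) { r.kind = NATT_KEEPALIVE; return r; }
    if (len < 8) return r;                    /* not even SPI + seq */
    uint32_t first = be32(buf);
    if (first == 0) {                         /* non-ESP marker: IKE */
        if (len >= 4 + 28) r.kind = NATT_IKE;
        return r;
    }
    r.kind = NATT_ESP; r.spi = first; r.seq = be32(buf + 4);
    return r;
}

/* Constructed sample datagrams (not captured traffic). */
const uint8_t SAMPLE_KEEPALIVE[] = { 0xFF };
const uint8_t SAMPLE_ESP[] = { 0x00,0x00,0x10,0x01, 0x00,0x00,0x00,0x07,
                               0xDE,0xAD,0xBE,0xEF };
const uint8_t SAMPLE_IKE[32] = { 0,0,0,0, 0x01 };   /* marker + dummy IKE hdr */
const uint8_t SAMPLE_SHORT[] = { 0,0,0,0, 0x01 };   /* marker but no header */

int main(void)
{
    printf("esp spi=0x%x seq=%u\n", natt_classify(SAMPLE_ESP, sizeof SAMPLE_ESP).spi,
           natt_classify(SAMPLE_ESP, sizeof SAMPLE_ESP).seq);
    return 0;
}
```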