[IPsec] NAT-T and IPv6

Tero Kivinen <kivinen@iki.fi> Mon, 25 November 2013 15:20 UTC

Message-ID: <21139.27318.60621.427765@fireball.kivinen.iki.fi>
Date: Mon, 25 Nov 2013 17:20:22 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Gandhar Gokhale <gandhar.ietf@gmail.com>
In-Reply-To: <CADp=_KiKen8cEKY1MGB8qqfWXqEh5kyWX-dbC_DbVfcj1XqLmg@mail.gmail.com>
References: <CADp=_KiKen8cEKY1MGB8qqfWXqEh5kyWX-dbC_DbVfcj1XqLmg@mail.gmail.com>
Cc: ipsec@ietf.org
Subject: [IPsec] NAT-T and IPv6

Gandhar Gokhale writes:
> As defined in this document, UDP encapsulation of ESP packets is 
> written in terms of IPv4 headers.  There is no technical reason why
> an IPv6 header could not be used as the outer header and/or as the
> inner header.

Of course we hope nobody ever makes NATs for IPv6, but having IPv4
NAT and then having IPv6 packets inside is of course a possibility.

> And in section 2.1 it states 
> 
> "o  the IPv4 UDP Checksum SHOULD be transmitted as a zero value, and 
> 
>  o  receivers MUST NOT depend on the UDP checksum being a zero value"

Note that it only talks about IPv4 UDP Checksum field, it does not
specify such recommendation for IPv6 UDP checksum.

> As per RFC 2460, a UDP header with a 0 checksum must be discarded.

Which is why with IPv6 you must calculate the UDP checksum when
sending the packet. Using an IPv4 UDP checksum of 0 is an
optimization, which removes useless checksum calculations of the UDP
packet, and that optimization cannot be used for IPv6.

> If all these statements are seen together it would mean NAT-T for IPv6 as
> described in RFC 3498 won't work. 
>
> Am I missing something? 

I think you are missing the "IPv4" word in the quoted context. It does
not claim you can use that optimization for IPv6. For IPv6 you must
calculate checksum properly when sending UDP encapsulated ESP packets
over IPv6.

For more information check RFC 3715, which has a bit more text about
IPv6 and NATs, and if I remember right there might also have been some
discussion about this on the IPsec mailing list during the development
of this RFC.

> Is NAT-T a valid deployment case for IPv6 network i.e. when the
> outer header of IPsec tunnel is IPv6?

Yes, but hopefully people will not do NATs on IPv6 :-)

There are use cases for static stateless NATs in IPv6, i.e. prefix
changes where you do not want to renumber your whole network, but IPv4
style dynamic NATs should not be needed in IPv6.
-- 
kivinen@iki.fi
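The point of the reply above is that the zero-checksum shortcut in RFC 3948 section 2.1 is an IPv4-only optimisation: over IPv6 the UDP checksum of a UDP-encapsulated ESP packet is computed over the IPv6 pseudo-header (RFC 2460 section 8.1), and a receiver must discard an IPv6 UDP datagram whose checksum is zero. The following Python is an added example written for this page; it is not code from the thread or from any IKE/IPsec implementation. It assumes RFC 3948 framing (UDP port 4500, ESP header directly after the UDP header), uses constructed ESP bytes and documentation addresses, and treats verifying a non-zero checksum on the IPv4 side as a local design choice (RFC 3948 only says receivers MUST NOT depend on it being zero).

```python
"""UDP checksum handling for UDP-encapsulated ESP (RFC 3948): IPv4 vs IPv6.

Added illustration, not code from the mailing-list thread or any implementation.
"""
import ipaddress
import struct

UDP_PROTO = 17
NATT_PORT = 4500  # UDP port used by UDP-encapsulated ESP (RFC 3948)


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_length: int) -> bytes:
    """Pseudo-header covered by the UDP checksum; the address family decides
    the layout (RFC 768 for IPv4, RFC 2460 section 8.1 for IPv6)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address family mismatch")
    if s.version == 6:
        # src(16) dst(16) upper-layer length(4) zero(3) next header(1)
        return (s.packed + d.packed + struct.pack("!I", udp_length)
                + b"\x00\x00\x00" + bytes([UDP_PROTO]))
    # src(4) dst(4) zero(1) protocol(1) UDP length(2)
    return (s.packed + d.packed + b"\x00" + bytes([UDP_PROTO])
            + struct.pack("!H", udp_length))


def encapsulate_esp(src: str, dst: str, esp: bytes) -> bytes:
    """UDP datagram 4500 -> 4500 carrying an ESP packet, as RFC 3948 lays it out.

    Over IPv4 the checksum is transmitted as zero (the optimisation RFC 3948
    allows).  Over IPv6 it is always computed, because RFC 2460 forbids a
    zero UDP checksum; a computed value of zero is sent as 0xFFFF.
    """
    length = 8 + len(esp)
    header = struct.pack("!HHHH", NATT_PORT, NATT_PORT, length, 0)
    if ipaddress.ip_address(src).version == 4:
        return header + esp
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src, dst, length) + header + esp)
    return header[:6] + struct.pack("!H", csum or 0xFFFF) + esp


def accept_datagram(src: str, dst: str, datagram: bytes) -> bool:
    """Receiver-side check: True when the datagram may be handed to ESP."""
    if len(datagram) < 8:
        return False
    _sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram) or dport != NATT_PORT:
        return False
    if csum == 0:
        # IPv4: RFC 3948 says receivers MUST NOT depend on a zero checksum,
        #       so a zero is accepted without verification.
        # IPv6: RFC 2460 says a UDP packet with a zero checksum is discarded.
        return ipaddress.ip_address(src).version == 4
    # Non-zero checksum (either family): verifying is this example's choice.
    # Summing pseudo-header plus the whole datagram, checksum field included,
    # must give all ones if the checksum is correct.
    return ones_complement_sum(pseudo_header(src, dst, length) + datagram) == 0xFFFF


if __name__ == "__main__":
    # Constructed ESP packet: SPI 0x1234 (non-zero, so not a non-ESP marker),
    # sequence number 1, then placeholder ciphertext bytes.
    esp = struct.pack("!II", 0x1234, 1) + b"ciphertext"
    v6 = encapsulate_esp("2001:db8::1", "2001:db8::2", esp)
    v4 = encapsulate_esp("192.0.2.1", "192.0.2.2", esp)
    print("IPv6 checksum field:", v6[6:8].hex(), "accepted:",
          accept_datagram("2001:db8::1", "2001:db8::2", v6))
    print("IPv4 checksum field:", v4[6:8].hex(), "accepted:",
          accept_datagram("192.0.2.1", "192.0.2.2", v4))
```

Running the module shows the IPv6 datagram carrying a real checksum and the IPv4 one carrying zero, with both accepted; zeroing the IPv6 checksum field makes `accept_datagram` reject it, which is exactly the failure mode the original question was worried about. In a real stack the inner-header family is irrelevant to this rule: only the outer (transport) family selects the pseudo-header and whether zero is permitted.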