Re: [IPsec] NAT-T and IPv6

Tero Kivinen <kivinen@iki.fi> Tue, 26 November 2013 14:44 UTC

Message-ID: <21140.46044.770517.637673@fireball.kivinen.iki.fi>
Date: Tue, 26 Nov 2013 16:44:44 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Gandhar Gokhale <gandhar.ietf@gmail.com>
In-Reply-To: <CADp=_Kh7o0hwQr3oVicUVghVNUzqC0+eW-VDiCgzVc6b39fDWA@mail.gmail.com>
References: <CADp=_KiKen8cEKY1MGB8qqfWXqEh5kyWX-dbC_DbVfcj1XqLmg@mail.gmail.com> <21139.27318.60621.427765@fireball.kivinen.iki.fi> <CADp=_Kh7o0hwQr3oVicUVghVNUzqC0+eW-VDiCgzVc6b39fDWA@mail.gmail.com>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] NAT-T and IPv6

Gandhar Gokhale writes:
> Thank you Tero. It clarifies my doubt.
> However, with a SHOULD clause it's not quite apparent in the RFC that
> this is just an 'optimization' for IPv4. And since the RFC claims that
> there is no technical reason for this not to work with IPv6 it becomes
> an incompatible set of statements.

I think the SHOULD clause is VERY clear that it only covers IPv4. The
"IPv4" text was added there in the -08 version of the
draft-ietf-ipsec-udp-encaps draft just because there was a comment that
the checksum cannot be zero on IPv6...

And NAT-T does work with IPv6, but some things are different with IPv4
and IPv6...

> Now, seen in the light of optimization it makes sense to me. A SHOULD
> clause can be defied if there's a strong reason for it and
> incompatibility of IPv6 is a sufficiently strong reason to defy this
> SHOULD, I suppose.

There is nothing in the document saying how you should set the checksum
field if you are using IPv6. There is a SHOULD saying that the "IPv4 UDP
Checksum" SHOULD be transmitted as zero. That SHOULD does not apply at
all, unless you are using IPv4.

Even if you are using this with IPv6, you can set the "IPv4 UDP
checksum" to zero, but of course the "IPv6 UDP checksum" is a completely
different thing, and that must be set, as defined in the IPv6
specifications.
-- 
kivinen@iki.fi
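As an added illustration of the point made in this reply (not code from the thread or from any IPsec implementation): a receiver-side check for UDP-encapsulated ESP on port 4500 that accepts a zero UDP checksum only on IPv4, as RFC 3948 permits, and verifies the mandatory IPv6 checksum over the RFC 2460 pseudo-header. The addresses and the ESP payload are constructed sample values.

```python
import struct

SRC6 = bytes.fromhex("20010db8000000000000000000000001")   # constructed: 2001:db8::1
DST6 = bytes.fromhex("20010db8000000000000000000000002")   # constructed: 2001:db8::2
SRC4 = bytes([192, 0, 2, 1])                                 # constructed: 192.0.2.1
DST4 = bytes([198, 51, 100, 7])                              # constructed: 198.51.100.7
# Constructed ESP payload: non-zero SPI (so not the 4-zero-byte IKE marker), seq, data.
ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 21

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, zero-padded if odd length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: bytes, dst: bytes, seg: bytes, ipv6: bool) -> int:
    """Checksum over pseudo-header + UDP segment (checksum field already zero)."""
    if ipv6:   # RFC 2460 pseudo-header: src, dst, 32-bit length, 3 zero bytes, next header
        pseudo = src + dst + struct.pack("!IxxxB", len(seg), 17)
    else:      # RFC 768 pseudo-header: src, dst, zero, protocol, 16-bit length
        pseudo = src + dst + struct.pack("!BBH", 0, 17, len(seg))
    csum = 0xFFFF ^ ones_complement_sum(pseudo + seg)
    return csum or 0xFFFF   # a computed zero is transmitted as all-ones

def build_nat_t_segment(src: bytes, dst: bytes, esp: bytes, ipv6: bool) -> bytes:
    """UDP 4500->4500 segment carrying ESP: IPv4 leaves the checksum zero (the
    RFC 3948 SHOULD); IPv6 must compute it, since zero is not permitted there."""
    header = struct.pack("!HHHH", 4500, 4500, 8 + len(esp), 0)
    seg = header + esp
    if not ipv6:
        return seg
    return header[:6] + struct.pack("!H", udp_checksum(src, dst, seg, True)) + esp

def accept_udp_encap(src: bytes, dst: bytes, seg: bytes, ipv6: bool) -> bool:
    """Receiver check. A zero checksum is acceptable only on IPv4; a non-zero one
    (which RFC 3948 says receivers must also accept) is verified on both families."""
    if len(seg) < 8:
        return False
    _sport, _dport, length, csum = struct.unpack("!HHHH", seg[:8])
    if length != len(seg):
        return False
    if csum == 0:
        return not ipv6
    zeroed = seg[:6] + b"\x00\x00" + seg[8:]
    return udp_checksum(src, dst, zeroed, ipv6) == csum

SEG6 = build_nat_t_segment(SRC6, DST6, ESP, ipv6=True)
SEG4 = build_nat_t_segment(SRC4, DST4, ESP, ipv6=False)
```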