The VPN client can do the synthesis itself using RFC 6052 (https://tools.ietf.org/html/rfc6052) and RFC 7050 (https://tools.ietf.org/html/rfc7050), querying ipv4only.arpa over the DNS.
macOS and iOS also support synthesis in the OS by calling getaddrinfo() with the IPv4 address as a string, and returning an IPv6 sockaddr when on a NAT64 network.

Thanks,
Tommy

> On Dec 9, 2016, at 2:06 PM, Heatley, Nick <[email protected]> wrote:
>
> Thanks for this, very useful.
> Is the vpn client also discovering the well known prefix for v6 address
> synthesis itself, or relying on the OS to provide that?
>
> -------- Original message --------
> From: Tommy Pauly <[email protected]>
> Date: 09/12/2016 17:32 (GMT+00:00)
> To: "Heatley, Nick" <[email protected]>
> Cc: "Bjoern A. Zeeb" <[email protected]>, Bill Fenner <[email protected]>,
> [email protected], [email protected]
> Subject: Re: [IPsec] [sunset4] ietf-nat64 - Internet VPN clients
>
> With our push to support NAT64 networks (without 464xlat) for Apple's
> devices, we added support for NAT64 networks to both our IKEv1 and IKEv2
> clients a few releases ago. It was a fairly straightforward change. The main
> parts are making sure any IPv4 literals meant to be used outside the tunnel
> that come across in the IKE exchange are synthesized into IPv6 addresses; and
> making sure that the ESP layer is happy encapsulating IPv4 in IPv6 for
> tunnels. Historically, many implementations only supported IPv4-in-IPv4,
> IPv6-in-IPv6, and IPv6-in-IPv4.
>
> From an interop perspective, this is just a change that needs to be made on
> the client behind the NAT64, and requires no protocol changes in IKE or
> knowledge on the server side.
>
> Thanks,
> Tommy Pauly
>
> > On Dec 9, 2016, at 9:03 AM, Heatley, Nick <[email protected]> wrote:
> >
> > It is just the single NAT64 that is in question (I also tend to think that
> > is broken for IPsec clients?).
> >
> > Popular IPsec clients work perfectly via 464xlat (double NAT64).
> >
> > -----Original Message-----
> > From: sunset4 [mailto:[email protected]] On Behalf Of Bjoern A. Zeeb
> > Sent: 09 December 2016 16:33
> > To: Bill Fenner
> > Cc: [email protected]; [email protected]
> > Subject: Re: [sunset4] ietf-nat64 - Internet VPN clients
> >
> > On 9 Dec 2016, at 16:07, Bill Fenner wrote:
> >
> >> On Fri, Dec 9, 2016 at 8:41 AM, Heatley, Nick <[email protected]>
> >> wrote:
> >>
> >>> Hi All,
> >>>
> >>> The sunset4 minutes suggest NAT64 SSID to become the default?
> >>>
> >>> Just checking, is there any summary on how VPN clients behaved on the
> >>> nat64 SSID following the event?
> >>>
> >>
> >> Just an anecdote, not actual information: I have two different ways to
> >> contact my office VPN server (SSL VPN and IPSEC); neither one worked
> >> from NAT64. The vendor documentation says that they don't support
> >> IPv6 transport for the SSL VPN; I do not know what went wrong with the
> >> IPSEC VPN. The vendor introduced support for IPSEC with v6 transport
> >> in their newest software, to which we'll upgrade soon; perhaps that
> >> upgrade will include whatever is required for it to work through NAT64
> >> too. Their support matrix still says that even the newest software
> >> does not support SSL VPN over IPv6.
> >
> > That’s maybe for the ipsec wg but while native IPv6 VPN has been working
> > fine for me for ages, how would a NAT64 policy exchange actually look like
> > (I am thinking about what is done for IPv4 NAT or double NAT within the
> > same address family); I doubt that different AFs on each end as part of
> > the policy are specified to work, so I’d not expect IPsec VPNs to work
> > across a NAT64 (from a v6 to a v4 endpoint); someone surprise me and say
> > with IKEv2 you can?
> > Someone surprise me and say with a double NAT64 it can work?
> >
> > /bz
> >
> > _______________________________________________
> > sunset4 mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/sunset4
> >
> > NOTICE AND DISCLAIMER
> > This email contains BT information, which may be privileged or
> > confidential. It's meant only for the individual(s) or entity named above.
> > If you're not the intended recipient, note that disclosing, copying,
> > distributing or using this information is prohibited.
> > If you've received this email in error, please let me know immediately on
> > the email address above. Thank you.
> >
> > We monitor our email system, and may record your emails.
> >
> > EE Limited
> > Registered office: Trident Place, Mosquito Way, Hatfield, Hertfordshire,
> > AL10 9BW
> > Registered in England no: 02382161
> >
> > EE Limited is a wholly owned subsidiary of:
> >
> > British Telecommunications plc
> > Registered office: 81 Newgate Street London EC1A 7AJ
> > Registered in England no: 1800000
> > _______________________________________________
> > IPsec mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
sunset4 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sunset4
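
The client-side synthesis the top message refers to, sketched as an added example that is not part of the thread and is not Apple's implementation: it finds the NAT64 prefix from the AAAA answers for ipv4only.arpa (RFC 7050) and embeds an IPv4 literal in it (RFC 6052). The function names and the sample answers are assumptions constructed for illustration, and the DNS query itself is left out so the block runs offline.

```python
import ipaddress

# Well-known IPv4 addresses that ipv4only.arpa resolves to (RFC 7050).
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)  # the only lengths RFC 6052 allows


def v4_offsets(plen):
    """Byte offsets that carry the IPv4 address; byte 8 (the 'u' octet) is skipped."""
    return [i for i in range(plen // 8, 16) if i != 8][:4]


def synthesize(prefix, v4):
    """Embed an IPv4 literal in a NAT64 prefix (RFC 6052, section 2.2)."""
    net = ipaddress.IPv6Network(str(prefix))
    if net.prefixlen not in PREFIX_LENGTHS:
        raise ValueError("NAT64 prefix length must be one of %s" % (PREFIX_LENGTHS,))
    raw = bytearray(net.network_address.packed)
    for off, octet in zip(v4_offsets(net.prefixlen), ipaddress.IPv4Address(v4).packed):
        raw[off] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract(plen, v6):
    """Read the embedded IPv4 address back out for a given prefix length."""
    raw = ipaddress.IPv6Address(v6).packed
    return ipaddress.IPv4Address(bytes(raw[o] for o in v4_offsets(plen)))


def discover_prefix(aaaa_answers):
    """Locate a well-known address in the AAAA answers for ipv4only.arpa.
    Returns the NAT64 prefix, or None when no answer carries one (no NAT64)."""
    for answer in aaaa_answers:
        raw = ipaddress.IPv6Address(answer).packed
        for plen in PREFIX_LENGTHS:
            if extract(plen, answer) in WKA:
                head = raw[:plen // 8] + bytes(16 - plen // 8)
                return ipaddress.IPv6Network((head, plen))
    return None


# Constructed AAAA answers, as a DNS64 resolver using 2001:db8:64::/96 would return.
SAMPLE_ANSWERS = ["2001:db8:64::c000:aa", "2001:db8:64::c000:ab"]

if __name__ == "__main__":
    pref64 = discover_prefix(SAMPLE_ANSWERS)
    print(pref64, synthesize(pref64, "198.51.100.7"))
```

The AAAA answer for ipv4only.arpa is ordinary DNS data unless the client validates it as RFC 7050 describes, so the VPN client still has to authenticate the IKE peer it reaches through the synthesized address.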
