
IPSEC tunnels and Mobile IP




Does IPSEC tunnel mean I can forget about Mobile IP?

Here is the Mobile IP model as I understand it:


Client----- PPP[IP1]-----NAS/Mobile IP ------[IP2][stuff][IP1]-----NAS/Mobile IP ---[xxx][IP1]---- client



Mobile IP Issue: Client passes Intranet addressed packets to the NAS.  

I am assuming that VPN customers will want to encrypt their own data.  I
am also assuming that VPN customers will want to 'hide' their Intranet
addresses.   To achieve this, the client could use IPSEC ESP,  and the
NAS/Mobile IP would need to re-encrypt to protect the Intranet address.

So, if the customer can do their own tunnel (IPSEC tunnel), why do I
need Mobile IP?

Well, there seems to be some loss of service going from Mobile IP to
IPSEC tunnels:

1) tunnel server address resolution 
2) exposure to denial-of-service attacks
3) client needs global Internet address

These services COULD be replaced with other solutions - e.g. NAT,
Filtering, IPCP or DNS tunnel server address resolution.

Any other takes on this?
Cheers, Steve. 

