[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

autoconfiguration

To: "'IPsec'" <ipsec@tis.com>
Subject: autoconfiguration
From: Richard Draves <richdr@microsoft.com>
Date: Mon, 5 Oct 1998 14:59:01 -0700
Sender: owner-ipsec@ex.tis.com

[I suspect that the list has already discussed this issue, and I haven't
read far enough back in the archives to find the discussion. I hope I'm
raising a new perspective on the issue wrt IPv6.]

I'm concerned about the provision in the security architecture spec (eg see
section 5 first paragraph) that "If no policy is found in the SPD that
matches the packet (for either inbound or outbound traffic), the packet MUST
be discarded."

I understand this to mean that a compliant implementation must be manually
configured when it first boots. Automatic configuration is not possible
because that would require network communication, which is not allowed.

In particular, this would seem to conflict with IPv6's stateless address
autoconfiguration.

Would it be permissible for a compliant IPv6 implementation to have a
default SPD that allows communication via link-local addresses to bypass
IPsec, to support auto-configuration? Once the implementation has
automatically configured addresses, I imagine that the implementation might
proceed to configure the SPD from a network service.

Note that I'm thinking about the default case of an implementation booting
for the first time without any prior configuration. In some cases (like a
mobile node visiting an untrusted link) an implementation will want to be
more careful.

Thanks,
Rich

Follow-Ups:

Re: autoconfiguration

From: Dan McDonald <danmcd@Eng.Sun.Com>

Re: autoconfiguration

From: Jun-ichiro itojun Itoh <itojun@itojun.org>

Re: autoconfiguration

From: Stephen Kent <kent@bbn.com>

Prev by Date: IKE Analysis / New E-IKE draft
Next by Date: Re: autoconfiguration
Prev by thread: IKE Analysis / New E-IKE draft
Next by thread: Re: autoconfiguration
Index(es):
- Main
- Thread