
Re: Last Call: Mobility Support in IPv6 to Proposed Standard



> I'm hoping to start a discussion by looking at routing headers. I couldn't
> find anything in the IPsec architecture spec mentioning interactions with v6
> routing headers or the source routing option in v4. Mobility uses routing
> headers. How should routing headers interact with IPsec?

See the AH spec.  Unfortunately, the precise wording of the LSRR option for
IPv4 exempts it from inclusion in AH's ICV, but the IPv6 routing header 0 is
perfect for AH inclusion.

> I believe that an IPsec-enabled node that is processing a routing header
> with non-zero Segments Left should do inbound IPsec processing (SPD lookup &
> policy verification) when it gets to the routing header and outbound IPsec
> processing before sending the updated packet. This should be just the same
> as a security gateway that is forwarding a packet. The routing header should
> not make it possible to bypass security policies.

Why?  The proper use of AH allows authenticated source routes.  This is why
AH still exists, even after ESP had an ICV added to it.

Also, how?  Are you going to distribute keys along each hop?  That's
a lot of IKE negotiations.  You can do end-to-end AH on a source routed
packet in IPv6.  It's why we still HAVE AH, y'know.

> Carrying forward the analogy with security gateways, the IPsec processing
> associated with a routing header should only support tunnel-mode
> associations. Otherwise it makes life too difficult for the node processing
> the routing header, because it would have to be finding & removing &
> inserting headers in strange places. Security gateways must only support
> tunnel-mode associations.

If you wish to have every intermediate node process the packet, yes, you'll
_probably_ need tunnel mode.

> To make this concrete, suppose we have four nodes A, B, C, D. Node A sends a
> packet with a routing header through nodes B and C to node D. Node A can
> have tunnel and/or transport mode associations with node D, say for example
> transport-mode AH.

Great example!  The packet would look like:

	IPv6 hdr dst B, src A
	Routing hdr, segments left = 2, addrs C, D
	AH (with SA residing on D)
	Transport hdr

That's all you need to do!  The source route in question can be authenticated
using AH.

> Does this sound reasonable?

It sounds like you're adding levels of complexity where you don't need any.

Dan
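
Added example, not part of Dan's message: a Python sketch of why the A, B, C, D packet above can carry an end-to-end AH ICV. The sender computes the ICV over the type 0 routing header as it will look on arrival at D, so every hop's address swap leaves the check valid and an altered route does not. The addresses, key, function names and the reduced ICV coverage (addresses plus payload, HMAC-SHA1-96) are assumptions made for illustration; real AH covers the whole packet with mutable fields zeroed.

```python
import hmac, hashlib
from ipaddress import IPv6Address

# Constructed addresses (documentation prefix) standing in for nodes A-D.
A, B, C, D = (IPv6Address(f"2001:db8::{x}") for x in "abcd")

def forward_hop(dst, addrs, segs_left):
    """Type 0 routing header processing at the node that owns `dst`."""
    if segs_left == 0:
        return dst, list(addrs), 0     # final destination, nothing to swap
    segs_left -= 1
    i = len(addrs) - segs_left - 1     # 0-based index of the next address
    addrs = list(addrs)
    dst, addrs[i] = addrs[i], dst      # swap IPv6 destination with Address[i]
    return dst, addrs, segs_left

def as_received(dst, addrs, segs_left):
    """Predict the header as it will appear at the final destination."""
    while segs_left:
        dst, addrs, segs_left = forward_hop(dst, addrs, segs_left)
    return dst, list(addrs), 0

def icv(key, src, dst, addrs, segs_left, payload):
    """Simplified ICV: HMAC-SHA1-96 over predicted addressing + payload."""
    fdst, faddrs, fsegs = as_received(dst, addrs, segs_left)
    data = src.packed + fdst.packed + bytes([fsegs])
    data += b"".join(a.packed for a in faddrs) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def verify(key, src, dst, addrs, segs_left, payload, tag):
    """Receiver-side check; constant-time comparison of the ICV."""
    return hmac.compare_digest(icv(key, src, dst, addrs, segs_left, payload), tag)

if __name__ == "__main__":
    key, payload = b"constructed-demo-key", b"transport hdr + data"
    tag = icv(key, A, B, [C, D], 2, payload)           # computed by A
    print(as_received(B, [C, D], 2))                    # header as D sees it
    print(verify(key, A, D, [B, C], 0, payload, tag))   # packet arriving at D
    print(verify(key, A, D, [B, A], 0, payload, tag))   # route record altered
```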

