
RE: Last Call: Mobility Support in IPv6 to Proposed Standard



> > I'm hoping to start a discussion by looking at routing headers. I couldn't
> > find anything in the IPsec architecture spec mentioning interactions with v6
> > routing headers or the source routing option in v4. Mobility uses routing
> > headers. How should routing headers interact with IPsec?
> 
> See the AH spec.  Unfortunately, the precise wording of the LSRR option for
> IPv4 exempts it from inclusion in AH's ICV, but the IPv6 routing header 0 is
> perfect for AH inclusion.

I'm sorry, I wasn't clear. I understand that the AH header's ICV calculation
includes the routing header, so it provides end-to-end authentication of the
routing header contents.

The interaction between routing headers & IPsec & mobility that I'm
concerned with is:
- what kind of IPsec processing should a node processing a routing header do?

I think the answer is, it should be analogous to the processing done by a
security gateway that is forwarding a packet.

- what kind of IPsec processing should a node sending a packet with a
routing header do?

I think the answer is there should be an outbound SPD lookup based on the
final destination address, and the appropriate SAs should be applied to the
packet, then there should be another outbound SPD lookup based on the first
intermediate destination address, and this could result in additional
tunnel-mode SAs that should be applied to the packet.


> > To make this concrete, suppose we have four nodes A, B, C, D. Node A sends a
> > packet with a routing header through nodes B and C to node D. Node A can
> > have tunnel and/or transport mode associations with node D, say for example
> > transport-mode AH.
> 
> Great example!  The packet would look like:
> 
> 	IPv6 hdr dst B, src A
> 	Routing hdr, segments left = 2, addrs C, D
> 	AH (with SA residing on D)
> 	Transport hdr
> 
> That's all you need to do!  The source route in question can be authenticated
> using AH.

But suppose the outbound SPD in node A says that when A sends a packet to B,
it should be sent via tunnel-mode ESP to a security gateway SG. Then the
packet sent by A will look like:

	IPv6 hdr dst SG, src A
	ESP (SA between A and SG)
	IPv6 hdr dst B, src A
	AH (SA between A and D)
	Transport hdr

The point being that node A will need to do two separate lookups in its
outbound SPD when it sends a packet with a routing header.

Thanks,
Rich
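The two outbound SPD lookups described in the message above, modelled as an added Python example (not code from the thread or from any IPsec implementation): the SPD table, node names and header strings are constructed, and only the case the message walks through is handled (a transport-mode SA keyed on the final destination, plus an optional tunnel-mode SA keyed on the first intermediate destination).

```python
from dataclasses import dataclass

# Constructed outbound SPD for node A. The lookup key is the destination
# address the policy is selected on; mode decides whether the SA wraps the
# packet (tunnel) or sits inside it (transport). Entries are assumptions.
@dataclass(frozen=True)
class SpdEntry:
    protocol: str   # "AH" or "ESP"
    mode: str       # "transport" or "tunnel"
    peer: str       # SA endpoint (tunnel endpoint for tunnel mode)

SPD_A = {
    "D": SpdEntry("AH", "transport", "D"),   # end-to-end policy for D
    "B": SpdEntry("ESP", "tunnel", "SG"),    # policy for traffic sent to B
}

def build_packet(src, route, spd):
    """Return the header chain src emits for a source-routed packet.

    route lists the intermediate hops followed by the final destination,
    e.g. ["B", "C", "D"]. Lookup 1 is keyed on the final destination,
    lookup 2 on the first intermediate destination.
    """
    first_hop, final_dst = route[0], route[-1]
    remaining = route[1:]
    headers = [
        f"IPv6 hdr dst {first_hop}, src {src}",
        f"Routing hdr, segments left = {len(remaining)}, addrs {', '.join(remaining)}",
    ]
    # Lookup 1: end-to-end SA selected on the final destination address.
    end_to_end = spd.get(final_dst)
    if end_to_end is not None and end_to_end.mode == "transport":
        headers.append(f"{end_to_end.protocol} (SA between {src} and {end_to_end.peer})")
    headers.append("Transport hdr")
    # Lookup 2: SA selected on the first intermediate destination; a tunnel-mode
    # result encapsulates everything built so far behind a new outer header.
    hop_policy = spd.get(first_hop)
    if hop_policy is not None and hop_policy.mode == "tunnel":
        headers = [
            f"IPv6 hdr dst {hop_policy.peer}, src {src}",
            f"{hop_policy.protocol} (SA between {src} and {hop_policy.peer})",
        ] + headers
    return headers
```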

