
Re: Last Call: Mobility Support in IPv6 to Proposed Standard



Sorry for my misunderstanding the question, Richard.

> The interaction between routing headers & IPsec & mobility that I'm
> concerned with is:
> - what kind of IPsec processing should a node processing a router header do?
> 
> I think the answer is, it should be analogous to the processing done by a
> security gateway that is forwarding a packet.

I can understand sometimes wanting to do this.  But do you want this to
happen all of the time?

> - what kind of IPsec processing should a node sending a packet with a
> routing header do?
> 
> I think the answer is there should be an outbound SPD lookup based on the
> final destination address, and the appropriate SAs should be applied to the
> packet, then there should be another outbound SPD lookup based on the first
> intermediate destination address, and this could result in additional
> tunnel-mode SAs that should be applied to the packet.

Are you sure you want to do this?  What problem does protecting the packet a
second time solve?  If you have IPsec end-to-end, it is supposed to protect
you against bad guys along your path, even if the bad guys are explicitly
stated in a routing header (or are between your paths in an explicitly stated
routing header).

> But suppose the outbound SPD in node A says that when A sends a packet to B,
> it should be sent via tunnel-mode ESP to a security gateway SG. Then the
> packet sent by A will look like:
> 
> 	IPv6 hdr dst SG, src A
> 	ESP (SA between A and SG)
> 	IPv6 hdr dst B, src A
> 	AH (SA between A and D)
> 	Transport hdr
> 
> The point being that node A will need to do two separate lookups in its
> outbound SPD when it sends a packet with a routing header.

I understand why you'd want to default to a self-encapsulation if you need to
doubly-protect the packet.  One _could_, however, do something like:

	 IPv6 hdr dst B, src A
	 ESP (SA dst B)
	 Routing Hdr  (B, C, D)
	 AH (SA dst D)
	 Transport

but that would get really confusing in an implementation.  I may have policy
that says protect traffic between A and B with transport ESP (or
none-specified, which could default to transport).

Let's hear more on this one, folks.  Thanks to Richard for bringing it up!

Dan
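As an added illustration (not part of the thread), the following Python model performs the two outbound SPD lookups Richard describes (final destination first, then the first intermediate destination) and shows how the header stack comes out for the self-encapsulating tunnel-mode case he lists and for the transport-mode alternative Dan sketches. Nodes A, B, C, D and SG are the thread's; the SPD entries are constructed.

```python
from dataclasses import dataclass


@dataclass
class SA:
    proto: str  # "ESP" or "AH"
    mode: str   # "transport" or "tunnel"
    peer: str   # SA endpoint: transport peer, or tunnel exit point


def apply_sa(headers, sa, src, position):
    """Return a new header stack with the SA's header inserted.
    Tunnel mode prepends an outer IPv6 header plus the security header.
    Transport mode inserts the security header at index `position`."""
    if sa.mode == "tunnel":
        return [f"IPv6 hdr dst {sa.peer}, src {src}",
                f"{sa.proto} (SA between {src} and {sa.peer})"] + headers
    return headers[:position] + [f"{sa.proto} (SA dst {sa.peer})"] + headers[position:]


def send_with_routing_header(src, route, spd):
    """`route` lists the hops carried in the routing header, ending with the
    final destination. Two outbound SPD lookups are done, as in the thread:
    final destination first, then the first intermediate destination."""
    first_hop, final = route[0], route[-1]
    headers = [f"IPv6 hdr dst {first_hop}, src {src}",
               f"Routing Hdr ({', '.join(route)})",
               "Transport hdr"]
    if final in spd:
        # End-to-end SA: its header follows the routing header, so D sees it
        # once the routing header has been consumed along the path.
        headers = apply_sa(headers, spd[final], src, position=2)
    if first_hop in spd:
        # First-hop SA: tunnel mode self-encapsulates (Richard's layout);
        # transport mode puts the header ahead of the routing header
        # (Dan's alternative layout).
        headers = apply_sa(headers, spd[first_hop], src, position=1)
    return headers


# Constructed SPDs for node A (example data, not from the thread).
SPD_TUNNEL = {"D": SA("AH", "transport", "D"), "B": SA("ESP", "tunnel", "SG")}
SPD_TRANSPORT = {"D": SA("AH", "transport", "D"), "B": SA("ESP", "transport", "B")}

if __name__ == "__main__":
    for spd in (SPD_TUNNEL, SPD_TRANSPORT):
        print("\n".join(send_with_routing_header("A", ["B", "C", "D"], spd)), "\n")
```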
