[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Last Call: Mobility Support in IPv6 to Proposed Standard
Sorry for my misunderstanding the question, Richard.
> The interaction between routing headers & IPsec & mobility that I'm
> concerned with is:
> - what kind of IPsec processing should a node processing a router header do?
>
> I think the answer is, it should be analogous to the processing done by a
> security gateway that is forwarding a packet.
I can understand sometimes wanting to do this. But do you want this to
happen all of the time?
> - what kind of IPsec processing should a node sending a packet with a
> routing header do?
>
> I think the answer is there should be an outbound SPD lookup based on the
> final destination address, and the appropriate SAs should be applied to the
> packet, then there should be another outbound SPD lookup based on the first
> intermediate destination address, and this could result in additional
> tunnel-mode SAs that should be applied to the packet.
Are you sure you want to do this? What problem does protecting the packet a
second time solve? If you have IPsec end-to-end, it is supposed to protect
you against bad guys along your path, even if the bad guys are explicitly
stated in a routing header (or are between your paths in an explicitly stated
routing header).
> But suppose the outbound SPD in node A says that when A sends a packet to B,
> it should be sent via tunnel-mode ESP to a security gateway SG. Then the
> packet sent by A will look like:
>
> IPv6 hdr dst SG, src A
> ESP (SA between A and SG)
> IPv6 hdr dst B, src A
> AH (SA between A and D)
> Transport hdr
>
> The point being that node A will need to do two separate lookups in its
> outbound SPD when it sends a packet with a routing header.
I understand why you'd want to default to a self-encapsulation if you need to
doubly-protect the packet. One _could_, however, do something like:
IPv6 hdr dst B, src A
ESP (SA dst B)
Routing Hdr (B, C, D)
AH (SA dst D)
Transport
but that would get really confusing in an implementation. I may have policy
that says protect traffix between A and B with transport ESP (or
none-specified, which could default to transport).
Let's hear more on this one, folks. Thanks to Richard for bringing it up!
Dan
References: