
RE: Last Call: Mobility Support in IPv6 to Proposed Standard



> The IPsec architecture does not envision processing by intermediate
> nodes in the fashion you allude to. Only end systems and security
> gateways perform IPsec processing, and they are arranged in pairs to
> bracket SAs.

I'm not suggesting anything that would change the pairwise nature of
security associations. I'm suggesting that an intermediate destination node
that is processing a routing header be treated as a security gateway, so
the sending node can have tunnel-mode security associations with the
intermediate node and the sending node can have security associations with
the final destination node.

What alternative are you suggesting? Are you saying that an IPsec-enabled
node should drop any packet with a routing header? Or are you saying that an
IPsec-enabled node should process the routing header & forward the packet
and bypass all IPsec processing?

Thanks,
Rich

