
RE: (IPng 7222) Re: Last Call: Mobility Support in IPv6 to Proposed Standard



Rich,

>> A very concrete, simple example: consider a node SG. SG has two
>> interfaces, an interface to the public network and an interface on
>> a private network. Node A is on the public network and node B is
>> on the private network. The SPD on SG requires all traffic through
>> it to & from the public network to be protected with tunnel-mode
>> ESP. This is a classic security gateway scenario. So in the normal
>> case when node A sends a packet to node B, it will look
>> like
>>	IPv6 hdr - src A, dst SG
>>	ESP
>>	IPv6 hdr - src A, dst B
>>	Transport hdr

I thought that a tunnel interface would have a separate
address from the public interface on node A. Therefore the
message above would become:

	IPv6 hdr - src A, dst SG
	ESP with SG
	IPv6 hdr - src Atunnel, dst B
	Transport hdr

As A moves around the public internet, it has to tell
SG its new location, not B. Its tunnel interface address
never changes. If node B moves, it tells "Atunnel" what
routing header to use. The resulting message from A would
look like:

	IPv6 hdr - src A, dst SG
	ESP with SG
	IPv6 hdr - src Atunnel, dst B's care-of-addr
	Routing hdr - segs left = 1, B
	Transport hdr

I don't see the problem when nodes A and B move.
I haven't thought through the details of what happens when
a node moves across the internet/intranet boundary,
or when SG renumbers on either interface. You do
run into problems when the "Atunnel" address is
derived from "A". In such a case, "Atunnel" would
have to change at the same time "A" changes, forcing
two routing headers, one before the ESP and one after.

Ken
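The header stacks Ken lays out can be modelled to check the point he is making: as long as the inner source is A's fixed tunnel-interface address, SG's tunnel-mode SA selectors stay the same whether A or B moves, and only break when Atunnel is derived from A's changing address. The following Python is an added illustration, not code from the thread or from any Mobile IPv6 or IPsec implementation. The addresses are constructed placeholders from the documentation prefix, `derived_tunnel_addr` is a hypothetical derivation scheme, and `inner_selector` assumes SG's SPD matches on the inner source and on the ultimate destination (the last routing-header address when one is present).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed placeholder addresses (documentation prefix, not real hosts).
SG = "2001:db8:pub::1"           # SG's public-side address
A_HOME = "2001:db8:pub::a"       # A's original address on the public network
A_MOVED = "2001:db8:else::a"     # A's address after moving on the public network
A_TUNNEL = "2001:db8:tun::a"     # A's stable tunnel-interface address
B_HOME = "2001:db8:priv::b"      # B's home address on the private network
B_CARE_OF = "2001:db8:priv2::b"  # B's care-of address after B moves


@dataclass(frozen=True)
class IPv6Hdr:
    src: str
    dst: str


@dataclass(frozen=True)
class ESPHdr:
    sa_peer: str  # the tunnel-mode SA is with SG, never with B


@dataclass(frozen=True)
class RoutingHdr:
    segments_left: int
    addresses: Tuple[str, ...]


Header = Union[IPv6Hdr, ESPHdr, RoutingHdr, str]


def build_packet(a_current: str, a_tunnel: str,
                 b_care_of: Optional[str] = None) -> List[Header]:
    """Header stack of a packet from A to B through SG, as in the message.

    a_current: A's present public address (outer src; changes as A moves)
    a_tunnel:  A's tunnel-interface address (inner src; meant to stay fixed)
    b_care_of: B's care-of address if B has moved, else None
    """
    outer = IPv6Hdr(src=a_current, dst=SG)
    esp = ESPHdr(sa_peer=SG)
    if b_care_of is None:
        return [outer, esp, IPv6Hdr(src=a_tunnel, dst=B_HOME), "Transport hdr"]
    # B has moved: inner dst is B's care-of address and a routing header
    # with one segment left carries B's home address.
    return [outer, esp, IPv6Hdr(src=a_tunnel, dst=b_care_of),
            RoutingHdr(segments_left=1, addresses=(B_HOME,)), "Transport hdr"]


def inner_selector(stack: List[Header]) -> Tuple[str, str]:
    """(src, ultimate dst) that SG's SPD sees once the outer header and ESP
    are stripped.  Assumption: with a routing header present, the SPD uses
    the final routing-header address as the destination selector."""
    inner = stack[2]
    if not isinstance(inner, IPv6Hdr):
        raise ValueError("expected inner IPv6 header after ESP")
    dst = inner.dst
    for hdr in stack[3:]:
        if isinstance(hdr, RoutingHdr) and hdr.addresses:
            dst = hdr.addresses[-1]
    return inner.src, dst


def derived_tunnel_addr(a_current: str) -> str:
    """Hypothetical scheme in which Atunnel is derived from A's current
    address (constructed for illustration; it embeds A's prefix label)."""
    return f"2001:db8:tun:{a_current.split(':')[2]}::a"


def selector_changes_when_a_moves(derive_from_a: bool) -> bool:
    """Does SG's selector change when A changes its public address?"""
    tun_before = derived_tunnel_addr(A_HOME) if derive_from_a else A_TUNNEL
    tun_after = derived_tunnel_addr(A_MOVED) if derive_from_a else A_TUNNEL
    before = build_packet(A_HOME, tun_before)
    after = build_packet(A_MOVED, tun_after)
    return inner_selector(before) != inner_selector(after)


def selector_changes_when_b_moves() -> bool:
    """Does SG's selector change when B moves to a care-of address?"""
    before = build_packet(A_HOME, A_TUNNEL)
    after = build_packet(A_HOME, A_TUNNEL, b_care_of=B_CARE_OF)
    return inner_selector(before) != inner_selector(after)


def format_stack(stack: List[Header]) -> str:
    """Render a stack in the same style as the message."""
    lines = []
    for hdr in stack:
        if isinstance(hdr, IPv6Hdr):
            lines.append(f"IPv6 hdr - src {hdr.src}, dst {hdr.dst}")
        elif isinstance(hdr, ESPHdr):
            lines.append(f"ESP with {hdr.sa_peer}")
        elif isinstance(hdr, RoutingHdr):
            lines.append(f"Routing hdr - segs left = {hdr.segments_left}, "
                         + ", ".join(hdr.addresses))
        else:
            lines.append(hdr)
    return "\n".join("\t" + line for line in lines)


if __name__ == "__main__":
    print(format_stack(build_packet(A_MOVED, A_TUNNEL, b_care_of=B_CARE_OF)))
    print("A moves, fixed Atunnel:", selector_changes_when_a_moves(False))
    print("A moves, derived Atunnel:", selector_changes_when_a_moves(True))
    print("B moves:", selector_changes_when_b_moves())
```

Running it prints the five-header stack from the message (outer header to SG, ESP, inner header to B's care-of address, routing header with B's home address, transport) and then shows that only the derived-Atunnel case changes the selector SG matches on.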