
RE: (IPng 7211) RE: Last Call: Mobility Support in IPv6 to Proposed Standard



Richard,

	<snip>
>
>I don't understand how it can be legitimate for an IPsec-enabled node that
>is receiving a packet with a routing header to bypass inbound IPsec
>processing.

There is no contradiction here if the node is not a party to an SA
associated with the IPsec headers in the packet in question.  A security
policy at an intermediate node could allow traffic to transit without IPsec
processing, if it "appeared" that such processing had been applied already.
I'm not suggesting that this is good or bad, just making an observation
about what it means to implement IPsec at an SG vs. what it implies for
processing of transit traffic.  I don't necessarily think we're in
disagreement here, but I didn't agree with your characterization of the
situation, in the cited paragraph.

Steve

