
RE: (IPng 7222) Re: Last Call: Mobility Support in IPv6 to Proposed Standard

> >> A very concrete, simple example: consider a node SG. SG has two
> >> interfaces, an interface to the public network and an interface on
> >> a private network. Node A is on the public network and node B is
> >> on the private network. The SPD on SG requires all traffic through
> >> it to & from the public network to be protected with tunnel-mode
> >> ESP. This is a classic security gateway scenario. So in the normal
> >> case when node A sends a packet to node B, it will look
> >> like
> >>	IPv6 hdr - src A, dst SG
> >>	ESP
> >>	IPv6 hdr - src A, dst B
> >>	Transport hdr
> 
> I thought that a tunnel interface would have a separate
> address from the public interface on node A. Therefore the
> message above would become:
> 
> 	IPv6 hdr - src A, dst SG
> 	ESP with SG
> 	IPv6 hdr - src Atunnel, dst B
> 	Transport hdr

Ken, this is a generic IPsec security gateway example with no routing header
or mobility involved at this point. So I hope we can agree :-).

I don't see why node A needs two addresses? Although node A has a
tunnel-mode security association with SG, this does not imply that A has
some kind of tunnel interface with a separate address assigned to the tunnel
interface. Maybe some implementations will work that way, but it's certainly
not required or usual, I believe.

Thanks,
Rich
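Added example, not part of this thread and not code from any IPsec implementation: a small model of the security gateway scenario discussed above. It builds the A to B packet in the layout Rich gives (outer IPv6 header to SG, ESP, inner IPv6 header to B, transport header) and applies SG's inbound policy to packets arriving on the public interface: plaintext is discarded because the SPD requires ESP, ESP with an unknown SPI is discarded, and after decapsulation the inner header is checked against the SA's selectors before being forwarded. The addresses, prefixes, SPI and the `SAD` table are all constructed for the example; the inner source selector is A's own address, matching the point that A needs no separate tunnel address.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Tuple, Union

# All addresses and prefixes below are constructed for this example.
PUBLIC_NET = IPv6Network("2001:db8:1::/64")
PRIVATE_NET = IPv6Network("2001:db8:2::/64")
SG = IPv6Address("2001:db8:1::1")    # SG's public-side address
A = IPv6Address("2001:db8:1::a")     # node A on the public network
B = IPv6Address("2001:db8:2::b")     # node B on the private network


@dataclass(frozen=True)
class IPv6Hdr:
    src: IPv6Address
    dst: IPv6Address


@dataclass(frozen=True)
class ESP:
    spi: int  # selects the SA on SG; integrity/encryption are not modelled here


# A packet is its header stack, outermost first; the trailing string stands in
# for the transport header and payload, which this model does not inspect.
Layer = Union[IPv6Hdr, ESP, str]
Packet = List[Layer]

# SG's SAD reduced to what the check needs: one tunnel-mode SA (hypothetical
# SPI) that carries traffic from A to anything on the private network.
SAD = {
    0x1001: {"src": IPv6Network(f"{A}/128"), "dst": PRIVATE_NET},
}


def tunnel_mode_packet(src: IPv6Address, dst: IPv6Address, spi: int = 0x1001) -> Packet:
    """Build the A -> B packet as the thread lays it out:
    IPv6(src A, dst SG) / ESP / IPv6(src A, dst B) / Transport."""
    return [IPv6Hdr(src, SG), ESP(spi), IPv6Hdr(src, dst), "Transport"]


def sg_inbound_check(pkt: Packet) -> Tuple[str, Union[str, Packet]]:
    """Apply SG's policy to a packet arriving on its public interface.

    Returns ("forward", inner_packet) when the packet is tunnel-mode ESP for a
    known SA and the inner header matches that SA's selectors, otherwise
    ("discard", reason). Plaintext from the public side never gets through.
    """
    if not pkt or not isinstance(pkt[0], IPv6Hdr):
        return "discard", "not an IPv6 packet"
    outer = pkt[0]
    if outer.dst != SG:
        return "discard", "outer destination is not SG, no SA applies"
    if len(pkt) < 3 or not isinstance(pkt[1], ESP):
        return "discard", "SPD requires ESP for traffic crossing the public side"
    sa = SAD.get(pkt[1].spi)
    if sa is None:
        return "discard", "unknown SPI"
    inner = pkt[2]
    if not isinstance(inner, IPv6Hdr):
        return "discard", "tunnel-mode SA but no inner IPv6 header"
    # Tunnel-mode decapsulation: the inner header is what is checked against
    # the SA's selectors, and what is routed onward if it matches.
    if inner.src not in sa["src"] or inner.dst not in sa["dst"]:
        return "discard", "inner header does not match SA selectors"
    return "forward", pkt[2:]


if __name__ == "__main__":
    print(sg_inbound_check(tunnel_mode_packet(A, B)))       # forwarded to B
    print(sg_inbound_check([IPv6Hdr(A, B), "Transport"]))   # discarded: not for SG
    print(sg_inbound_check([IPv6Hdr(A, SG), "Transport"]))  # discarded: no ESP
```

The selector check is the part worth noticing: the SA is keyed by A's address, so a packet that passes ESP processing but carries some other inner source or a non-private inner destination is still discarded, which is how the SPD requirement "all traffic through SG to and from the public network is ESP-protected" is actually enforced rather than just asserted.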