
RE: (IPng 7211) RE: Last Call: Mobility Support in IPv6 to Propos ed Standard



> >I don't understand how it can be legitimate for an IPsec-enabled node that
> >is receiving a packet with a routing header to bypass inbound IPsec
> >processing.
> 
> There is no contradiction here if the node is not a party to an SA
> associated with the IPsec headers in the packet in question.  A security
> policy at an intermediate node could allow traffic to transit without IPsec
> processing, if it "appeared" that such processing had been applied already.
> I'm not suggesting that this is good or bad, just making an observation
> about what it means to implement IPsec at an SG vs. what it implies for
> processing of transit traffic.  I don't necessarily think we're in
> disagreement here, but I didn't agree with your characterization of the
> situation, in the cited paragraph.

Steve, perhaps Steve Deering is correct and my use of "IPsec processing" is
confusing.

Would you agree with this statement:

"An IPsec-enabled node that is processing a routing header must perform
inbound and outbound security policy checks, analogous to the checks
performed by security gateways."

If we are in agreement on this, then I'd like to move on to considering the
IPsec processing performed by a node generating a packet with a routing
header, with the case of a correspondent node sending a packet to a mobile
node being one example.

Thanks,
Rich
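As an added illustration (not part of the original message or of any IETF draft), the following toy model shows the two checks Rich's proposed statement asks of a node processing a routing header: an inbound security-policy lookup on the packet as received, and an outbound lookup on the packet as it will be forwarded to the next segment, which is the pair of checks a security gateway performs on transit traffic. The SPD actions PROTECT, BYPASS and DISCARD follow RFC 2401; the addresses, policy entries and the `Packet`/`SPD` classes are constructed for the example.

```python
# Added example: model of inbound and outbound security-policy checks at a
# node that processes a routing header. Addresses and policies are constructed.
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str                                            # destination field as currently set
    segments: List[str] = field(default_factory=list)   # remaining routing-header hops
    esp: bool = False                                   # True if an ESP header protects the packet


@dataclass
class PolicyEntry:
    src: str        # address or "*" wildcard
    dst: str        # address or "*" wildcard
    action: str     # "PROTECT", "BYPASS" or "DISCARD" (RFC 2401 SPD actions)


class SPD:
    """Ordered security policy database: first matching entry wins, default DISCARD."""

    def __init__(self, entries: List[PolicyEntry]):
        self.entries = entries

    def lookup(self, src: str, dst: str) -> str:
        for e in self.entries:
            if e.src in ("*", src) and e.dst in ("*", dst):
                return e.action
        return "DISCARD"


def inbound_check(spd: SPD, pkt: Packet) -> bool:
    """Inbound SPD check on the packet as received (selectors: src, current dst)."""
    action = spd.lookup(pkt.src, pkt.dst)
    if action == "DISCARD":
        return False
    if action == "PROTECT":
        return pkt.esp      # policy demanded protection; unprotected traffic is dropped
    return True             # BYPASS


def process_routing_header(node: str, pkt: Packet, inbound: SPD,
                           outbound: SPD) -> Tuple[str, Optional[Packet]]:
    """Handle a packet addressed to `node`.

    The inbound policy is applied on receipt. If the routing header names further
    hops, the packet is rewritten for the next segment and the outbound policy is
    applied to that forwarded packet, exactly as a security gateway would for
    transit traffic.
    """
    if pkt.dst != node:
        return ("not-for-us", None)
    if not inbound_check(inbound, pkt):
        return ("discarded-inbound", None)
    if not pkt.segments:
        return ("delivered", pkt)            # node is the final destination
    next_hop, rest = pkt.segments[0], pkt.segments[1:]
    fwd = replace(pkt, dst=next_hop, segments=rest)
    action = outbound.lookup(fwd.src, fwd.dst)
    if action == "DISCARD":
        return ("discarded-outbound", None)
    if action == "PROTECT":
        fwd = replace(fwd, esp=True)         # node applies ESP itself, as an SG would
    return ("forwarded", fwd)


# Constructed addresses and policies for the demonstration.
NODE = "2001:db8:1::1"      # the node processing the routing header
SENDER = "2001:db8:2::10"   # originator of the packet
FINAL = "2001:db8:3::20"    # final destination named in the routing header

INBOUND = SPD([PolicyEntry(SENDER, NODE, "BYPASS")])
OUTBOUND = SPD([PolicyEntry("*", FINAL, "PROTECT")])


def demo() -> Tuple[str, Optional[Packet]]:
    """Unprotected packet from SENDER, addressed to NODE with FINAL as the next segment."""
    pkt = Packet(src=SENDER, dst=NODE, segments=[FINAL])
    return process_routing_header(NODE, pkt, INBOUND, OUTBOUND)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the inbound lookup matching the BYPASS entry for (SENDER, NODE), then the outbound lookup for the rewritten destination FINAL returning PROTECT, so the forwarded packet leaves with ESP applied; a packet from a source with no inbound entry is discarded before any forwarding decision is made.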

