
RE: (IPng 7211) RE: Last Call: Mobility Support in IPv6 to Proposed Standard

Steve Kent and I have talked this over off-line and come to agreement.
(Actually, I think we were already in agreement, we just weren't
communicating effectively via email.) We agree on the following two points:

1. A node will only process an ESP or AH header if it is participating in
the relevant security association. In particular, a node processing a
routing header will not "snoop" into ESP & AH headers that are not
associated with the node.

For example, node A receives a packet
	IPv6 hdr - src X, dst A
	ESP tunnel-mode assoc X -> A
	IPv6 hdr - src X, dst A
	Routing hdr - segs left = 1, B
	Transport hdr
In this case node A WILL process the ESP header.

	IPv6 hdr - src X, dst A
	Routing hdr - segs left = 1, B
	ESP transport-mode assoc X -> B
	Transport hdr
In this case node A will NOT process the ESP header.

2. In any case, an IPsec-enabled node that is processing a routing header
(with segs left != 0) and hence forwarding a packet must perform inbound and
outbound security policy checks. The IPsec processing in this situation is
the same as the IPsec processing performed by a security gateway that is
forwarding a packet not destined for itself.

Thanks,
Rich
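The two agreed points above, as an added illustration that is not part of the original mail or of any IPsec implementation: a small header-chain walker shows which ESP/AH headers node A processes and when A, as a forwarder, must apply security-gateway style inbound and outbound policy checks. The header classes, the security association database modelled as a set of (src, dst) pairs, the type-0 style indexing of the routing header address list, and the sample packets (the two from the mail plus a plain local-delivery case) are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple, Union

# Constructed header model (assumption, not a real packet parser).
@dataclass
class IPv6Hdr:
    src: str
    dst: str

@dataclass
class RoutingHdr:
    segs_left: int
    addrs: List[str]       # remaining route; type-0 style indexing assumed

@dataclass
class IPsecHdr:            # stands in for both ESP and AH
    proto: str             # "ESP" or "AH"
    mode: str              # "tunnel" or "transport"
    sa_src: str            # security association endpoints
    sa_dst: str

@dataclass
class TransportHdr:
    pass

Header = Union[IPv6Hdr, RoutingHdr, IPsecHdr, TransportHdr]
SAD = Set[Tuple[str, str]]  # security association database held by the node (assumed shape)

@dataclass
class Decision:
    ipsec_processed: List[str] = field(default_factory=list)  # ESP/AH headers this node handled
    ipsec_skipped: List[str] = field(default_factory=list)    # ESP/AH headers left untouched
    forward_to: Optional[str] = None                          # next hop from the routing header
    policy_checks: List[str] = field(default_factory=list)    # checks owed when forwarding
    delivered: bool = False                                   # reached the transport layer locally

def node_processes(node: str, sad: SAD, packet: List[Header]) -> Decision:
    """Walk the header chain as `node` would and record what it does."""
    d = Decision()
    for i, hdr in enumerate(packet):
        if isinstance(hdr, IPv6Hdr):
            if hdr.dst != node:
                break      # not addressed to this node at this layer
        elif isinstance(hdr, RoutingHdr):
            if hdr.segs_left != 0:
                # Point 2: forwarding, so behave like a security gateway
                d.forward_to = hdr.addrs[len(hdr.addrs) - hdr.segs_left]
                d.policy_checks = ["inbound", "outbound"]
                # Point 1: headers past this point belong to later hops; no snooping
                d.ipsec_skipped.extend(
                    h.proto for h in packet[i + 1:] if isinstance(h, IPsecHdr))
                break
        elif isinstance(hdr, IPsecHdr):
            if (hdr.sa_src, hdr.sa_dst) in sad:
                d.ipsec_processed.append(hdr.proto)  # party to the SA: process it
                # tunnel mode: the decapsulated inner IPv6 header is next in the chain
            else:
                d.ipsec_skipped.append(hdr.proto)    # not our SA: cannot look inside
                break
        elif isinstance(hdr, TransportHdr):
            d.delivered = True
            break
    return d

# Constructed sample packets: the two cases from the mail plus a local-delivery case.
X, A, B = "X", "A", "B"
PKT_TUNNEL = [IPv6Hdr(X, A), IPsecHdr("ESP", "tunnel", X, A),
              IPv6Hdr(X, A), RoutingHdr(1, [B]), TransportHdr()]
PKT_TRANSPORT = [IPv6Hdr(X, A), RoutingHdr(1, [B]),
                 IPsecHdr("ESP", "transport", X, B), TransportHdr()]
PKT_LOCAL = [IPv6Hdr(X, A), IPsecHdr("AH", "transport", X, A), TransportHdr()]

if __name__ == "__main__":
    node_a_sad = {(X, A)}
    for name, pkt in [("tunnel", PKT_TUNNEL), ("transport", PKT_TRANSPORT), ("local", PKT_LOCAL)]:
        print(name, node_processes(A, node_a_sad, pkt))
```

In the first packet A processes the tunnel-mode ESP because it holds the X -> A association, then finds the routing header and owes the forwarding policy checks; in the second it forwards on the routing header and never touches the X -> B transport-mode ESP that follows.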