RE: (IPng 7211) RE: Last Call: Mobility Support in IPv6 to Proposed Standard
Steve Kent and I have talked this over off-line and come to agreement.
(Actually, I think we were already in agreement, we just weren't
communicating effectively via email.) We agree on the following two points:
1. A node will only process an ESP or AH header if it is participating in
the relevant security association. In particular, a node processing a
routing header will not "snoop" into ESP & AH headers that are not
associated with the node.
For example, node A receives a packet
IPv6 hdr - src X, dst A
ESP tunnel-mode assoc X -> A
IPv6 hdr - src X, dst A
Routing hdr - segs left = 1, B
Transport hdr
In this case node A WILL process the ESP header.
IPv6 hdr - src X, dst A
Routing hdr - segs left = 1, B
ESP transport-mode assoc X -> B
Transport hdr
In this case node A will NOT process the ESP header.
2. In any case, an IPsec-enabled node that is processing a routing header
(with segs left != 0) and hence forwarding a packet must perform inbound and
outbound security policy checks. The IPsec processing in this situation is
the same as the IPsec processing performed by a security gateway that is
forwarding a packet not destined for itself.
Thanks,
Rich
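As an added illustration (not part of Rich's message or of any IPsec implementation), the following Python model walks an IPv6 header chain the way the two agreed points describe: a node processes ESP/AH only when it is the SA's destination, and forwarding on a routing header triggers inbound and outbound policy checks as a security gateway would. The `node_actions` function, the `(kind, fields)` header tuples and the SA-as-(src, dst) simplification are all assumptions made for the example.

```python
# Constructed packets mirroring the two examples in the message above.
CASE1 = [("ipv6", {"src": "X", "dst": "A"}),
         ("esp", {"mode": "tunnel", "sa": ("X", "A")}),
         ("ipv6", {"src": "X", "dst": "A"}),
         ("routing", {"segs_left": 1, "next": "B"}),
         ("transport", {})]
CASE2 = [("ipv6", {"src": "X", "dst": "A"}),
         ("routing", {"segs_left": 1, "next": "B"}),
         ("esp", {"mode": "transport", "sa": ("X", "B")}),
         ("transport", {})]


def node_actions(node, headers):
    """Return, in order, what `node` does with a packet whose headers are
    given in wire order as (kind, fields) tuples (assumed format)."""
    actions = []
    dst = None
    for kind, f in headers:
        if kind == "ipv6":
            dst = f["dst"]  # outer or tunnel-inner header: who the rest is for
        elif kind in ("esp", "ah"):
            # Point 1: only the SA's destination processes ESP/AH; anyone
            # else (e.g. a routing-header hop) leaves it alone.
            if dst == node and f["sa"][1] == node:
                actions.append(f"process_{kind}")
            else:
                actions.append(f"skip_{kind}")
                break  # do not snoop into a SA this node is not part of
        elif kind == "routing":
            if dst != node:
                break
            if f["segs_left"] == 0:
                continue  # final destination reached; nothing to forward
            # Point 2: segs left != 0 means this node forwards, so it must
            # apply security policy exactly like a security gateway.
            actions += ["inbound_policy_check", "outbound_policy_check",
                        f"forward_to_{f['next']}"]
            break  # headers after this one belong to the next hop
        else:
            if dst == node:
                actions.append("deliver_transport")
            break
    return actions


if __name__ == "__main__":
    print("A on case 1:", node_actions("A", CASE1))
    print("A on case 2:", node_actions("A", CASE2))
```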