
Re: (mobile-ip) RE: (IPng 7211) RE: Last Call: Mobility Support in IPv6 to Proposed Standard

> My first email on this subject suggested that a correspondent node should
> perform outbound IPsec processing twice: first looking up a security policy
> using the home address as the destination address selector and applying the
> resulting security associations, and then doing another security policy
> database lookup using the care-of address as the destination address
> selector and applying the additional security associations.

Let me try to add some more complexity to the brew:
When two mobile nodes communicate there are actually 4 IP addresses
in use since each of them has a care-of-address and a home address.
Does that mean you need to do 4 SPD lookups for the 4 combinations of
source and destination?
	Source home address -> Destination home address
	Source home address -> Destination COA
	Source COA -> Destination home address
	Source COA -> Destination COA

What about the case when the correspondent doesn't have a binding cache
entry - perhaps due to transient behavior (the first few packets) or
perhaps due to the mobile wanting location privacy?
Does the policy have to be coordinated between the correspondent host
and the home agent that will tunnel the packet in those cases?
What about when the CH and the HA are part of different admin domains?
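
The four lookups listed in the message above, worked through as an added example (not part of the original message or of any IPsec implementation): a toy ordered SPD with first-match semantics and a check for whether the four address combinations select different actions. The addresses, the SPD entries and the function names are constructed for illustration.

```python
import ipaddress
from itertools import product

# Constructed sample addresses (IPv6 documentation prefix 2001:db8::/32).
NODE_A = {"home": "2001:db8:a::10", "coa": "2001:db8:1000::10"}
NODE_B = {"home": "2001:db8:b::20", "coa": "2001:db8:2000::20"}

# Toy ordered SPD (assumed for this example):
# (source prefix, destination prefix, action). First match wins.
SPD = [
    ("2001:db8:a::/48", "2001:db8:b::/48", "PROTECT(ESP)"),
    ("2001:db8:a::/48", "::/0", "BYPASS"),
    ("::/0", "::/0", "DISCARD"),
]

def spd_lookup(src, dst, spd=SPD):
    """Return the action of the first SPD entry whose selectors match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in spd:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "DISCARD"  # nothing matched: drop by default

def four_lookups(sender, receiver, spd=SPD):
    """Look up all four source/destination address combinations."""
    results = {}
    for s_kind, d_kind in product(("home", "coa"), repeat=2):
        results[(s_kind, d_kind)] = spd_lookup(sender[s_kind], receiver[d_kind], spd)
    return results

def inconsistent(results):
    """True when the four lookups do not all select the same action."""
    return len(set(results.values())) > 1

if __name__ == "__main__":
    res = four_lookups(NODE_A, NODE_B)
    for (s_kind, d_kind), action in res.items():
        print(f"source {s_kind:4} -> destination {d_kind:4}: {action}")
    print("policies disagree:", inconsistent(res))
```

With a policy written only in terms of home prefixes, the same flow between the same two nodes selects three different actions depending on which address pair is used as the selector.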