
IPSec - SPD/SADB and Mobile IP



> Hello,

>
> 1) Is there any document or draft or RFC that explains what the SPD and SADB
> entries should look like and their
> relationships, and also with interfaces and access lists in IPsec and IKE?
>
> 2) Erik Nordmark wrote:
>
> > > My first email on this subject suggested that a correspondent node should
> > > perform outbound IPsec processing twice: first looking up a security policy
> > > using the home address as the destination address selector and applying the
> > > resulting security associations, and then doing another security policy
> > > database lookup using the care-of address as the destination address
> > > selector and applying the additional security associations.
> >
> > Let me try to add some more complexity to the brew:
> > When two mobile nodes communicate there are actually 4 IP addresses
> > in use since each of them has a care-of address and a home address.
> > Does that mean you need to do 4 SPD lookups for the 4 combinations of
> > source and destination?
> >         Source home address -> Destination home address
> >         Source home address -> Destination COA
> >         Source COA -> Destination home address
> >         Source COA -> Destination COA
> >
> > What about the case when the correspondent doesn't have a binding cache
> > entry - perhaps due to transient behavior (the first few packets) or
> > perhaps due to the mobile wanting location privacy.
> > Does the policy have to be coordinated between the correspondent host
> > and the home agent that will tunnel the packet in those cases?
> > What about when the CH and the HA are part of different admin domains?
> >
> >   Erik
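The double outbound SPD lookup discussed in the quoted thread (home-address selectors first, then care-of-address selectors, extended to Erik's four combinations when both ends are mobile), modelled as an added example. This is illustrative code written for this archive page; it is not from the original thread, from any RFC, or from any IPsec implementation. The SPD entries, SA names, the addresses (taken from the 2001:db8::/32 documentation prefix) and the rule that a correspondent without a binding cache entry can only perform the home-address lookups are all assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class SPDEntry:
    """One SPD entry with address selectors (assumed model, not a real SPD format)."""
    src: IPv6Network
    dst: IPv6Network
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"
    sa: Optional[str] = None    # hypothetical SA name, used when action is PROTECT


@dataclass
class Node:
    home: str                   # home address
    coa: Optional[str] = None   # care-of address; None when the node is stationary


def spd_lookup(spd: List[SPDEntry], src: str, dst: str) -> SPDEntry:
    """Ordered first-match lookup on the (src, dst) selectors.
    If nothing matches we assume a trailing DISCARD (assumption of the model)."""
    s, d = ip_address(src), ip_address(dst)
    for entry in spd:
        if s in entry.src and d in entry.dst:
            return entry
    return SPDEntry(ip_network("::/0"), ip_network("::/0"), "DISCARD")


def selector_pairs(sender: Node, receiver: Node, has_binding: bool) -> List[Tuple[str, str]]:
    """Address pairs to look up, in the order listed in the thread:
    home->home, home->CoA, CoA->home, CoA->CoA.
    The sender always knows its own care-of address, but can only use the
    receiver's care-of address when it holds a binding cache entry for it;
    without one the packet is addressed to the home address and the home
    agent tunnels it (assumed behaviour, not taken from a specification)."""
    srcs = [sender.home] + ([sender.coa] if sender.coa else [])
    dsts = [receiver.home] + ([receiver.coa] if receiver.coa and has_binding else [])
    return [(s, d) for s in srcs for d in dsts]


def outbound_sas(spd: List[SPDEntry], sender: Node, receiver: Node,
                 has_binding: bool) -> Optional[List[str]]:
    """Run every lookup and collect the SAs to apply to the packet.
    A DISCARD from any lookup drops the packet (returns None); BYPASS adds nothing."""
    sas: List[str] = []
    for src, dst in selector_pairs(sender, receiver, has_binding):
        entry = spd_lookup(spd, src, dst)
        if entry.action == "DISCARD":
            return None
        if entry.action == "PROTECT" and entry.sa is not None:
            sas.append(entry.sa)
    return sas


# Constructed sample: two mobile nodes, each with a home and a care-of address.
MN_A = Node(home="2001:db8:1::a", coa="2001:db8:100::a")
MN_B = Node(home="2001:db8:2::b", coa="2001:db8:200::b")

# Constructed SPD: one entry per address combination, plus a catch-all DISCARD.
SPD = [
    SPDEntry(ip_network("2001:db8:1::/48"),   ip_network("2001:db8:2::/48"),   "PROTECT", "esp-home-to-home"),
    SPDEntry(ip_network("2001:db8:1::/48"),   ip_network("2001:db8:200::/48"), "PROTECT", "esp-home-to-coa-B"),
    SPDEntry(ip_network("2001:db8:100::/48"), ip_network("2001:db8:2::/48"),   "BYPASS"),
    SPDEntry(ip_network("2001:db8:100::/48"), ip_network("2001:db8:200::/48"), "PROTECT", "esp-coa-to-coa"),
    SPDEntry(ip_network("::/0"),              ip_network("::/0"),              "DISCARD"),
]


if __name__ == "__main__":
    # Both nodes mobile, binding cache entry present: four lookups, three SAs.
    print("with binding:   ", outbound_sas(SPD, MN_A, MN_B, True))
    # No binding cache entry (first packets, or location privacy): only the
    # home-address lookups can be done here; the care-of policy is left to the HA.
    print("without binding:", outbound_sas(SPD, MN_A, MN_B, False))
    # A destination no entry covers falls through to DISCARD.
    print("unknown dest:   ", outbound_sas(SPD, MN_A, Node(home="2001:db8:9::c"), True))
```

The second call is the case Erik raises: with no binding cache entry the correspondent never evaluates the care-of-address selectors, so any policy that is supposed to apply to the care-of address must be enforced by whoever does see it, which is the coordination problem between correspondent and home agent that the thread asks about.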