[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
IPSec - SPD/SADB and Mobile IP
> 1)Is there any document or draft or rfc that explains how the SPD and SADB
> entries should look like and their
> relationships and also with interfaces and accesslists in IPSec and IKE ?
> 2) Erik Nordmark wrote:
> > > My first email on this subject suggested that a correspondent node should
> > > perform outbound IPsec processing twice: first looking up a security policy
> > > using the home address as the destination address selector and applying the
> > > resulting security associations, and then doing another security policy
> > > database lookup using the care-of address as the destination address
> > > selector and applying the additional security associations.
> > Let me try to add some more complexity to the brew:
> > When two mobile nodes communicate there are actually 4 IP addresses
> > in use since each of them have a care-of-address and a home address.
> > Does that mean you need to do 4 SPD lookups for the 4 combinations of
> > source and destination?
> > Source home address -> Destination home address
> > Source home address -> Destination COA
> > Source COA -> Destination home address
> > Source COA -> Destination COA
> > What about the case when the correspondent doesn't have a binding cache
> > entries - perhaps due to transient behavior (the first few packets) or
> > perhaps due to the mobile wanting location privacy.
> > Does the policy have to be coordinated between the correspondent host
> > and the home agent that will tunnel the packet in those cases?
> > What about when the CH and the HA are part of different admin domains?
> > Erik