IPSEC, IPv6 and mobile IP
I'm hoping to build an IPv6 stack in modular way and minimize the
interdependence of various components, such as IPSEC and Mobile-IP.
In IPv4 AH implementation was fairly easy and deterministic, but with
IPv6 AH appears to be a headache...
What I hope is to build the packet incrementally by calling various
modules in sequence. Now consider this on mobile hosts with
HA=home address,
CA=care address,
RCA=Remote care address,
RHA=Remote home address
I have two possible call sequences for outgoing traffic
a) mobile-IP, IPSEC
Start:
ip(HA->RHA)
Apply mobile-IP
ip(CA,RCA),Rth(RHA),DestOpt(Home=CA)
Apply IPSEC (AH) [two possible positions for AH, but not the problem]
1) ip(CA,RCA),Rth(RHA),AH,DestOpt(Home=CA)
2) ip(CA,RCA),Rth(RHA),DestOpt(Home=CA),AH
Ooops! I can only create SA's between care addresses, I cannot have
associations between home addresses (HA/RHA), because at this point
I don't see those anymore.
b) IPSEC, mobile-IP
Start:
ip(HA->RHA)
Apply IPSEC
ip(HA->RHA),AH
Apply Mobile-IP
Ooops! Cannot insert DestOpt or Routing header, because they are
not included in AH. I suppose I could do a "tunnel trick?", and
produce
ip(CA->RCA),Rth(RHA),ip(HA->RHA),AH
This would work? I would not need "home address option"?
--
*If* I inserted the DestOpt and routing header, the result would be
ip(CA->RCA),Rth(RHA),DestOpt(HA),AH
which would fail on remote AH, because it is required to check all
headers in front of AH. It would cause no problems if headers were
processed sequentially, first Rth and DestOpt, resulting in
ip(HA->RHA),AH
and applying AH to this would succeed nicely (of course, leaving no
protection on Rth or DestOpt). (DestOpt could be protected by
putting the AH before it, but there is no such solution for the
routing header).
--
I thought the IPv6 idea was to allow processing the extension headers
sequentially one at a time, and IPSEC AH appears to contradict this
seriously.
Just wondering if it would be a better world if the sequential
approach was strictly applied and AH would only protect the plain IPv6
header?
--
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203, FIN-02044 VTT, http://www.vtt.fi/tte/staff/msa/
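As an added illustration (not part of Markku's message, and not code from any IPv6 stack), the following Python model walks through the three header layouts discussed above: (a) Mobile-IP applied before AH, (b) AH applied before Mobile-IP with Rth/DestOpt then inserted in front of it, and (b) with the "tunnel trick". It models an IPv6 packet as an ordered list of headers, AH as an HMAC over every header in front of it in its receiver-side final form (routing header consumed, which is how a Type 0 routing header is treated as "mutable but predictable"), and the post's hypothetical "sequential" receiver that consumes Rth and the Home Address option before AH runs. The addresses, the key, JSON serialization as the "wire" format and the simplified header semantics are all constructed for the example; the Home Address option swap on receipt follows what the post describes, not an RFC-exact implementation.

```python
"""Toy model of AH over Mobile-IPv6 header chains (added example, not the post's code)."""
import hashlib
import hmac
import json
from copy import deepcopy

KEY = b"constructed-example-ah-key"                # shared AH key (constructed)
HA, CA = "2001:db8:1::ha", "2001:db8:2::ca"       # mobile node: home / care-of (constructed)
RHA, RCA = "2001:db8:3::rha", "2001:db8:4::rca"   # correspondent: home / care-of (constructed)


def ip(src, dst):
    return {"h": "ip", "src": src, "dst": dst}


def rth(addr):
    """Routing header with one final hop address."""
    return {"h": "rth", "addr": addr}


def dest_opt(home):
    """Destination Options header carrying a Home Address option."""
    return {"h": "destopt", "home": home}


def final_form(chain):
    """Headers as they will look at the final destination: a routing header has
    been consumed, so the preceding IP header's dst is its final address."""
    out = deepcopy(chain)
    for i, hdr in enumerate(out):
        if hdr["h"] == "rth":
            for j in range(i - 1, -1, -1):
                if out[j]["h"] == "ip":
                    out[j]["dst"] = hdr["addr"]
                    break
    return out


def icv(headers):
    """Integrity check value over a header list (JSON stands in for wire bytes)."""
    return hmac.new(KEY, json.dumps(headers, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def add_ah(chain):
    """Sender: append an AH protecting everything in front of it."""
    return chain + [{"h": "ah", "icv": icv(final_form(chain))}]


def verify_ah(chain):
    """Receiver: AH must cover every header in front of it, in final form."""
    idx = next(i for i, h in enumerate(chain) if h["h"] == "ah")
    return hmac.compare_digest(chain[idx]["icv"], icv(final_form(chain[:idx])))


def sa_endpoints(chain):
    """Addresses the SA would be looked up on: the IP header IPSEC sees."""
    first = next(h for h in chain if h["h"] == "ip")
    return (first["src"], first["dst"])


def receiver_view(chain, sequential=False):
    """What the IPSEC layer is handed on receipt.  An outer IP header followed
    by a routing header and an inner IP header is a tunnel, so the inner packet
    is handed on whole.  sequential=True models the post's hypothetical: Rth and
    the Home Address option are consumed first, so AH only sees a plain header."""
    out = deepcopy(chain)
    if len(out) > 2 and out[1]["h"] == "rth" and out[2]["h"] == "ip":
        return out[2:]
    if not sequential:
        return out
    ip0, rest = out[0], []
    for hdr in out[1:]:
        if hdr["h"] == "rth":
            ip0["dst"] = hdr["addr"]        # routing header consumed
        elif hdr["h"] == "destopt":
            ip0["src"] = hdr["home"]        # Home Address option consumed
        else:
            rest.append(hdr)
    return [ip0] + rest


def layout_a():
    """(a) Mobile-IP first, then AH: AH only ever sees the care-of addresses."""
    return add_ah([ip(CA, RCA), rth(RHA), dest_opt(CA)])


def layout_b_inplace():
    """(b) AH over ip(HA->RHA), then Mobile-IP inserts Rth/DestOpt in front of AH."""
    ah = add_ah([ip(HA, RHA)])[-1]
    return [ip(CA, RCA), rth(RHA), dest_opt(HA), ah]


def layout_b_tunnel():
    """(b) with the tunnel trick: the AH-protected home-address packet is carried
    whole inside a care-of-address packet with a routing header."""
    return [ip(CA, RCA), rth(RHA)] + add_ah([ip(HA, RHA)])


if __name__ == "__main__":
    for name, chain in [("a", layout_a()), ("b in-place", layout_b_inplace()), ("b tunnel", layout_b_tunnel())]:
        seen = receiver_view(chain)
        print(name, "SA on", sa_endpoints(seen), "AH ok:", verify_ah(seen),
              "AH ok if sequential:", verify_ah(receiver_view(chain, sequential=True)))
```

Running it reproduces the three observations in the post: layout (a) verifies but the SA can only be keyed on (CA, RCA); layout (b) with Rth/DestOpt inserted in front of AH fails verification under normal AH rules, and only passes under the hypothetical sequential receiver that strips Rth and DestOpt first; the tunnel layout verifies and lets the SA be keyed on (HA, RHA), at the cost of leaving the outer header and routing header unprotected by that AH.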