
IPSEC, IPv6 and mobile IP



I'm hoping to build an IPv6 stack in modular way and minimize the
interdependence of various components, such as IPSEC and Mobile-IP.

In IPv4 AH implementation was fairly easy and deterministic, but with
IPv6 AH appears to be a headache...

What I hope is to build the packet incrementally by calling various
modules in sequence. Now consider this on mobile hosts with

 HA=home address,
 CA=care address,
 RCA=Remote care address,
 RHA=Remote home address

I have two possible call sequences for outgoing traffic

a) mobile-IP, IPSEC

   Start:
	ip(HA->RHA)
   Apply mobile-IP
	ip(CA,RCA),Rth(RHA),DestOpt(Home=CA)

   Apply IPSEC (AH) [two possible positions for AH, but not the problem]

	1) ip(CA,RCA),Rth(RHA),AH,DestOpt(Home=CA) 
	2) ip(CA,RCA),Rth(RHA),DestOpt(Home=CA),AH

   Ooops! I can only create SAs between care addresses, I cannot have
   associations between home addresses (HA/RHA), because at this point
   I don't see those anymore.


b) IPSEC, mobile-IP

   Start:
	ip(HA->RHA)
   Apply IPSEC
	ip(HA->RHA),AH
   Apply Mobile-IP

   Ooops! Cannot insert DestOpt or Routing header, because they are
   not included in AH. I suppose I could do a "tunnel trick?", and
   produce

	ip(CA->RCA),Rth(RHA),ip(HA->RHA),AH

   This would work? I would not need "home address option"?

--
   *If* I inserted the DestOpt and routing header, the result would be

	ip(CA->RCA),Rth(RHA),DestOpt(HA),AH

   which would fail on remote AH, because it is required to check all
   headers in front of AH. It would cause no problems if headers were
   processed sequentially, first Rth and DestOpt, resulting

	ip(HA->RHA),AH

   and applying AH to this would succeed nicely (of course, leaving no
   protection on Rth or DestOpt). (DestOpt could be protected by
   putting the AH before it, but there is no such solution for the
   routing header).
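As an added illustration (not part of the original message or of any real stack), the following Python model walks through the two call sequences above. Headers are small records, AH's ICV covers every header in front of it with mutable fields zeroed, and the SA is selected by the IP header that encloses the AH. The addresses, the SA key and the option contents (the home address is carried in DestOpt, as in the later `DestOpt(HA)` line) are constructed for the example. The model deliberately omits the special-casing of the routing header as "mutable but predictable" that the AH specification defines, so it reflects the message's reading that the receiver must check everything in front of AH exactly as received.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed addresses using the post's abbreviations (not real hosts).
HA, RHA = "HA", "RHA"        # home addresses
CA, RCA = "CA", "RCA"        # care-of addresses
KEY = b"constructed-sa-key"  # hypothetical key of the SA shared by both ends


@dataclass(frozen=True)
class Header:
    kind: str                           # "ip", "Rth", "DestOpt" or "AH"
    fields: tuple                       # ((name, value), ...)
    mutable: frozenset = frozenset()    # fields zeroed when computing the ICV


def ip(src, dst, hop_limit=64):
    # The hop limit changes in transit, so AH treats it as zero.
    return Header("ip", (("src", src), ("dst", dst), ("hop_limit", hop_limit)),
                  frozenset({"hop_limit"}))


def rth(final_dst):
    return Header("Rth", (("final", final_dst),))


def destopt(home):
    return Header("DestOpt", (("home", home),))


def canonical(headers):
    """Serialize the headers AH covers, with mutable fields zeroed."""
    parts = []
    for h in headers:
        for name, value in h.fields:
            if name in h.mutable:
                value = 0
            parts.append(f"{h.kind}.{name}={value}")
    return "|".join(parts).encode()


def apply_ah(chain, key=KEY):
    """Sender: the ICV covers every header already in front of AH."""
    icv = hmac.new(key, canonical(chain), hashlib.sha256).hexdigest()
    return chain + [Header("AH", (("icv", icv),))]


def verify_ah(chain, key=KEY):
    """Receiver: recompute the ICV over all headers in front of AH as received."""
    idx = next(i for i, h in enumerate(chain) if h.kind == "AH")
    expected = hmac.new(key, canonical(chain[:idx]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(dict(chain[idx].fields)["icv"], expected)


def sa_endpoints(chain):
    """The SA is selected by the addresses of the IP header enclosing AH."""
    idx = next(i for i, h in enumerate(chain) if h.kind == "AH")
    last_ip = [h for h in chain[:idx] if h.kind == "ip"][-1]
    f = dict(last_ip.fields)
    return f["src"], f["dst"]


def apply_mobile_ip(chain):
    """Turn ip(HA->RHA) into ip(CA,RCA),Rth(RHA),DestOpt(Home=HA)."""
    f = dict(chain[0].fields)
    return [ip(CA, RCA, f["hop_limit"]), rth(RHA), destopt(HA)] + chain[1:]


def sequence_a():
    """a) mobile-IP, then IPSEC: AH ends up bound to the care-of addresses."""
    chain = apply_ah(apply_mobile_ip([ip(HA, RHA)]))
    return verify_ah(chain), sa_endpoints(chain)       # (True, ("CA", "RCA"))


def sequence_b_insert():
    """b) IPSEC, then Rth/DestOpt inserted in front of the existing AH."""
    ah = apply_ah([ip(HA, RHA)])[-1]
    return verify_ah([ip(CA, RCA), rth(RHA), destopt(HA), ah])   # False


def sequence_b_tunnel():
    """b) with the tunnel trick: ip(CA->RCA),Rth(RHA),ip(HA->RHA),AH."""
    outer = [ip(CA, RCA), rth(RHA)] + apply_ah([ip(HA, RHA)])
    # Receiver consumes the outer header and Rth, then checks the inner packet.
    inner = outer[max(i for i, h in enumerate(outer) if h.kind == "ip"):]
    return verify_ah(inner), sa_endpoints(inner)       # (True, ("HA", "RHA"))


def process_sequentially(chain):
    """Receiver that consumes Rth and DestOpt before AH, as the post wishes."""
    f = dict(chain[0].fields)
    src, dst, rest = f["src"], f["dst"], []
    for h in chain[1:]:
        if h.kind == "Rth":
            dst = dict(h.fields)["final"]
        elif h.kind == "DestOpt":
            src = dict(h.fields)["home"]
        else:
            rest.append(h)
    return [ip(src, dst, f["hop_limit"])] + rest


def sequence_b_sequential():
    """Same inserted headers as sequence_b_insert, but processed one at a time."""
    ah = apply_ah([ip(HA, RHA)])[-1]
    received = [ip(CA, RCA), rth(RHA), destopt(HA), ah]
    return verify_ah(process_sequentially(received))   # True, Rth/DestOpt unprotected
```

The four functions reproduce the message's observations: in (a) the SA can only be keyed on CA/RCA; inserting headers in front of a finished AH fails verification; the tunnel trick keeps an SA between HA and RHA because the inner header is what AH covers; and sequential processing makes the inserted variant verify, at the price of leaving Rth and DestOpt outside AH's protection.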

--

I thought the IPv6 idea was to allow processing the extension headers
sequentially one at a time, and IPSEC AH appears to contradict this
seriously.

Just wondering if it would be a better world if the sequential
approach was strictly applied and AH would only protect the plain IPv6
header?

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/