
Re: Revised Mobile IPv6 draft available




>>Source address (whether it is ip6_src or home address option)
>>is still very important.  When you negotiate the key
>>with the peer, IKE runs between (src, dst) pair.
>Couldn't the source just be selected by the sender?  For multiple addresses on
>an interface, the best address is selected.  My statements above handle
>specifying a source for the SA.  Since I am not implementing IKE, I might be
>missing something.

	IKE never selects the address to use on its own.  IKE obeys the address
	the underlying communication is using.  IKE always uses the address
	pair of the underlying communication.

	If the kernel would like to send an IPsec'ed packet with (src, dst)
	and finds no key for it, it will make an upcall from kernel to IKE
	daemon for (src, dst) by using the PF_KEY interface.
	The IKE daemon will negotiate the key, using the (src, dst) pair.

		IPv6: "would like to throw a packet with src->dst,
			let's encrypt it"
		IPsec: "I have no key with me, need to ask IKE for key"
		  |
		  | kernel to userland message
		  v
		IKE: "I will negotiate the key for src->dst"

	The question here is: the IPsec part must pick the source address to be
	used by IKE, and by the IPsec part itself, from the home address option
	or the genuine IPv6 source address.  Which is appropriate for which case?

itojun
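The flow itojun describes (kernel keys its SA lookup on the (src, dst) pair, finds no SA, sends a PF_KEY ACQUIRE to the IKE daemon, and IKE negotiates for exactly that pair) can be sketched as a small simulation. The following is an added example written for this archive page; it is not code from the thread, from KAME, or from any IKE implementation. The addresses are constructed (2001:db8::/32 documentation prefixes), the SA contents are dummies, and PF_KEY is modelled as a plain Python record rather than the real sadb_msg wire format. The `use_home_as_selector` flag is a hypothetical knob that makes the Mobile IPv6 question concrete: keying the SA on the home address keeps one SA across care-of address changes, while keying it on the genuine ip6_src forces a fresh ACQUIRE and negotiation every time the care-of address moves.

```python
"""Added example: kernel IPsec SA lookup keyed on (src, dst), PF_KEY-style
ACQUIRE upcall to an IKE daemon, and the effect of choosing the home address
versus the care-of address as the SA selector.  All values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Selector:
    """The (src, dst) pair the kernel uses to find an SA."""
    src: str
    dst: str


@dataclass
class SA:
    selector: Selector
    spi: int
    key: bytes  # dummy keying material, not a real negotiated key


@dataclass
class AcquireMsg:
    """Stand-in for a PF_KEY SADB_ACQUIRE message (constructed, not the wire format)."""
    selector: Selector


class IKEDaemon:
    """Userland IKE: negotiates only for the pair the kernel asked about."""

    def __init__(self, first_spi: int = 0x1000) -> None:
        self.next_spi = first_spi
        self.negotiations: List[str] = []

    def handle_acquire(self, msg: AcquireMsg) -> SA:
        # IKE does not pick addresses itself; it obeys the ACQUIRE's (src, dst).
        sel = msg.selector
        self.negotiations.append(f"{sel.src}->{sel.dst}")
        sa = SA(sel, self.next_spi, bytes([self.next_spi & 0xFF]) * 16)
        self.next_spi += 1
        return sa


class IPsecKernel:
    """Kernel IPsec layer with a security association database (SAD)."""

    def __init__(self, ike: IKEDaemon, use_home_as_selector: bool = False) -> None:
        self.ike = ike
        self.sad: Dict[Selector, SA] = {}
        self.acquires: List[AcquireMsg] = []
        # Hypothetical policy knob: key SAs on the home address option
        # instead of the genuine ip6_src (care-of address).
        self.use_home_as_selector = use_home_as_selector

    def send(self, ip6_src: str, ip6_dst: str, home_addr: str = "") -> SA:
        sel_src = home_addr if (self.use_home_as_selector and home_addr) else ip6_src
        sel = Selector(sel_src, ip6_dst)
        sa = self.sad.get(sel)
        if sa is None:
            # "I have no key with me, need to ask IKE for key"
            msg = AcquireMsg(sel)
            self.acquires.append(msg)
            sa = self.ike.handle_acquire(msg)
            self.sad[sel] = sa
        return sa


def mobile_node_moves(use_home_as_selector: bool) -> dict:
    """Send to one peer from two successive care-of addresses and report
    how many ACQUIREs / negotiations the chosen selector policy caused."""
    home = "2001:db8:aaaa::1"          # constructed home address
    coa1, coa2 = "2001:db8:1::1", "2001:db8:2::1"  # constructed care-of addrs
    peer = "2001:db8:9::9"
    ike = IKEDaemon()
    kernel = IPsecKernel(ike, use_home_as_selector)
    sa_a = kernel.send(coa1, peer, home)
    sa_b = kernel.send(coa1, peer, home)  # same pair: cached SA, no upcall
    sa_c = kernel.send(coa2, peer, home)  # moved to a new care-of address
    return {
        "acquires": len(kernel.acquires),
        "negotiations": list(ike.negotiations),
        "same_sa_after_move": sa_a is sa_c,
        "cached_hit": sa_a is sa_b,
    }


if __name__ == "__main__":
    print("selector = ip6_src  :", mobile_node_moves(False))
    print("selector = home addr:", mobile_node_moves(True))
```

Run as a script, the first line shows two ACQUIREs and two negotiations (one per care-of address), the second shows a single ACQUIRE whose negotiation is recorded against the home address; that difference is exactly the "which address is the SA keyed on" decision the message raises.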



