Re: Revised Mobile IPv6 draft available




>>Source address (whether it is ip6_src or home address option)
>>is still very important.  When you negotiate the key
>>with the peer, IKE runs between (src, dst) pair.
>Couldn't the source just be selected by the sender?  For multiple addresses on
>an interface, the best address is selected.  My statements above handle
>specifying a source for the SA.  Since I am not implementing IKE, I might be
>missing something.

	I may have replied to this one, so ignore it if it is a duplicate.

	IKE must be run over the src-dst pair which is to be used by IPsec.
	If IPsec needs an SA between (src home addr, dst), IKE must be run
	over the (src home addr, dst) pair.  This causes a nasty bootstrap problem,
	like:
	- mobile node wishes to send tcp packet with (src home addr, dst) in
	  the header
	- SA is looked up between (src home addr, dst)
	- since there's no SA, IKE daemon is invoked for new key
	- IKE daemon tries to send udp port 500 packet over (src home addr, dst)
	- infinite loop

	I've talked with Dave at the Oslo IETF about how mobile-ipv6 packets
	must be processed in the inbound and outbound cases, with regard to ipsec.
	He will be sending an addition to the draft to the list.

itojun
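
The bootstrap loop described in the message above, as an added sketch that is not part of the original post or of any IPsec implementation: a toy outbound path in which the IKE daemon's UDP port 500 packet goes through the same SA lookup as the TCP packet that triggered it. The addresses, the TCP port, the `MAX_DEPTH` cut-off and the `ike_bypass` switch (exempting IKE traffic from the lookup, a common remedy that the message itself does not propose) are assumptions of the sketch.

```python
# Toy model of outbound IPsec processing (constructed example, not real stack code).
IKE_PORT = 500
MAX_DEPTH = 4                      # assumption: cut-off so the loop is observable
HOME, PEER = "2001:db8:1::1", "2001:db8:2::1"   # constructed addresses


class OutboundPath:
    def __init__(self, ike_bypass):
        self.ike_bypass = ike_bypass   # assumption: exempt UDP/500 from SA lookup
        self.sad = set()               # (src, dst) pairs that already have an SA
        self.trace = []                # (proto, dport, depth) for every packet seen

    def output(self, src, dst, proto, dport, depth=0):
        """Return True if the packet can leave the host, False if it is stuck."""
        self.trace.append((proto, dport, depth))
        if self.ike_bypass and proto == "udp" and dport == IKE_PORT:
            return True                # IKE traffic skips the SA lookup
        if (src, dst) in self.sad:
            return True                # SA exists: protect and send
        if depth >= MAX_DEPTH:
            return False               # the IKE packet needs the SA it is creating
        # No SA for (src home addr, dst): invoke the IKE daemon, which sends
        # UDP/500 over the very same (src, dst) pair.
        if not self.output(src, dst, "udp", IKE_PORT, depth + 1):
            return False
        self.sad.add((src, dst))       # negotiation finished: install the SA
        return self.output(src, dst, proto, dport, depth)


def send_tcp(ike_bypass):
    """Send one TCP packet from the home address; return (sent, trace)."""
    path = OutboundPath(ike_bypass)
    ok = path.output(HOME, PEER, "tcp", 80)
    return ok, path.trace


if __name__ == "__main__":
    for bypass in (False, True):
        ok, trace = send_tcp(bypass)
        print(f"ike_bypass={bypass}: sent={ok}")
        for proto, dport, depth in trace:
            print("   " * depth + f"{proto}/{dport}")
```
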


