Re: Revised Mobile IPv6 draft available
>>Source address (whether it is ip6_src or home address option)
>>is still very important. When you negotiate the key
>>with the peer, IKE runs between (src, dst) pair.
>Couldn't the source just be selected by the sender? For multiple addresses on
>an interface, the best address is selected. My statements above handle
>specifying a source for the SA. Since I am not implementing IKE, I might be
>missing something.
I may have replied to this one, so ignore it if it is a duplicate.
IKE must be run over the src-dst pair which is to be used by IPsec.
If IPsec needs an SA between (src home addr, dst), IKE must be run
over the (src home addr, dst) pair. This causes a nasty bootstrap problem,
like:
- mobile node wishes to send tcp packet with (src home addr, dst) in
the header
- SA is looked up between (src home addr, dst)
- since there's no SA, IKE daemon is invoked for new key
- IKE daemon tries to send udp port 500 packet over (src home addr, dst)
- infinite loop
I've talked with Dave at the Oslo IETF about how mobile-ipv6 packets
must be processed in the inbound and outbound cases, with regard to ipsec.
He will be sending an addition to the draft to the list.
itojun
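
The bootstrap loop listed in the message above, as an added toy model (not part of the original post and not code from any IPsec stack). The `Outbound` class, the policy helpers, the addresses, and the depth guard are constructed for illustration; the IKE exemption policy is an assumption added here to contrast with a policy keyed only on the (src home addr, dst) pair.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")
IKE_PORT = 500                                    # UDP port used by IKE, as in the message
HOME, PEER = "2001:db8:1::10", "2001:db8:2::20"   # constructed documentation addresses

class Outbound:
    """Toy outbound path: policy lookup, SA lookup, key daemon invocation."""
    def __init__(self, policies, max_depth=5):
        self.policies = policies   # ordered list of (match_fn, "require" | "bypass")
        self.sas = set()           # (src, dst) pairs that already have an SA
        self.trace = []
        self.max_depth = max_depth # guard so the loop is reported, not run forever

    def action_for(self, pkt):
        for match, action in self.policies:
            if match(pkt):
                return action
        return "bypass"

    def send(self, pkt, depth=0):
        if depth > self.max_depth:
            self.trace.append("loop detected")
            return "loop"
        if self.action_for(pkt) == "bypass" or (pkt.src, pkt.dst) in self.sas:
            self.trace.append(f"sent {pkt.proto}/{pkt.dport}")
            return "sent"
        # No SA: the key daemon is invoked and sends UDP 500 over the same pair.
        self.trace.append(f"no SA for {pkt.proto}/{pkt.dport}, invoking IKE")
        ike = Packet(pkt.src, pkt.dst, "udp", IKE_PORT)
        if self.send(ike, depth + 1) != "sent":
            return "loop"
        self.sas.add((pkt.src, pkt.dst))          # negotiation completed
        return self.send(pkt, depth + 1)

def pair_only():
    # Policy keyed only on the address pair: it also captures IKE's own packets.
    return [(lambda p: (p.src, p.dst) == (HOME, PEER), "require")]

def with_ike_exemption():
    # Assumption: IKE's UDP 500 traffic is matched first and bypasses IPsec.
    is_ike = lambda p: p.proto == "udp" and p.dport == IKE_PORT
    return [(is_ike, "bypass")] + pair_only()

def run(policies):
    out = Outbound(policies)
    return out.send(Packet(HOME, PEER, "tcp", 80)), out.trace
```
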