
Re: RFC 2401 section 5.2.1





itojun@iijlab.net wrote:

> >On Sun, 19 Nov 2000, Richard Draves wrote:
> >> a) Do you agree that Mobile IPv6's requirement that AH be used and not ESP
> >> is too restrictive?
> >Strongly agree.  We'd like to see AH die entirely, and hence are opposed
> >to having any other standard demand its continued survival.
>
>         (again this holy war on AH)
>         I don't.  if you use transport mode IPsec heavily (unlike today's
>         VPN-only situation) how can you protect your header portion?

JMC :
You will use an Alternate Care-of Address Sub-Option, containing the CoA (== IPv6
Hdr Src Addr), behind the DO-BU, but, IMO, this is a heavy solution: we have the
same thing twice ... From my point of view, DO-HA before AH/ESP plus the AH mechanism is
the simplest solution.

>
>         since the introduction of IPsec there are so many protocols that rely
>         upon the use of IPsec to protect it.  I wonder what is their underlying
>         security model.
>
> itojun

JMC :
One thing I don't understand is what the advantages are of having the DO-HA behind
AH/ESP. If it's a question of privacy (i.e. hiding the MN location), I think that
doesn't resolve the problem unless the Routing Header, which contains the MN's
Home Address, coming from the Home Agent for the BAck, is hidden as well.
On the other hand, having the DO-HA before the AH/ESP Hdr will considerably simplify
the filtering policy in firewalls (i.e. filtering based on the MN Home Address).

Regards.

--

France Telecom R&D - DTL/SSR
Jean-Michel COMBES, Internet/Intranet Security
E-Mail : jeanmichel.combes@rd.francetelecom.fr
Phone +33 (0)1 45 29 45 94, Fax +33 (0)1 45 29 65 19
PGP fingerprint : 07C6 37BF 4DE5 1CE1 EEB1 1F13 5D75 9E33 CFA7 0214
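As an added illustration of the filtering argument above (example code written for this page, not from the thread or from any Mobile IPv6 implementation): the parser below walks a constructed IPv6 extension-header chain the way a firewall without IPsec keys would, and reports whether the Home Address destination option is readable or hidden behind ESP. It assumes the Home Address option type 0xC9 (the value later fixed in RFC 6275); the addresses, SPIs and the ESP ciphertext stand-in are constructed.

```python
import struct
import ipaddress

HOP_BY_HOP, ROUTING, DEST_OPTS, ESP, AH, TCP = 0, 43, 60, 50, 51, 6
OPT_PAD1, OPT_PADN, OPT_HOME_ADDRESS = 0, 1, 0xC9   # 0xC9: Home Address option type (RFC 6275 value, assumed)
NAMES = {HOP_BY_HOP: "HBH", ROUTING: "RH", DEST_OPTS: "DO", AH: "AH", ESP: "ESP"}
HOME, COA, HOME_AGENT = "2001:db8:1::10", "2001:db8:2::5", "2001:db8:1::1"  # constructed addresses

def ipv6_header(next_hdr, src, dst, payload_len):
    """Fixed 40-byte IPv6 header: version 6, zero traffic class and flow label, hop limit 64."""
    src, dst = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_hdr, 64, src, dst)

def dest_opts_home_address(next_hdr, home_addr):
    """Destination Options header: PadN(2) + Home Address option, 24 bytes in total."""
    opts = bytes([OPT_PADN, 2, 0, 0, OPT_HOME_ADDRESS, 16]) + ipaddress.IPv6Address(home_addr).packed
    return bytes([next_hdr, (2 + len(opts)) // 8 - 1]) + opts

def ah_header(next_hdr, spi, seq, icv=b"\x00" * 12):
    """AH with a 96-bit ICV placeholder (not a real MAC); payload len = 32-bit words minus 2."""
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def home_address_in_options(opts):
    """Scan a TLV option area for a Home Address option, skipping Pad1/PadN and other options."""
    i = 0
    while i + 1 < len(opts):                        # need at least type and length octets
        if opts[i] == OPT_HOME_ADDRESS and opts[i + 1] == 16 and i + 18 <= len(opts):
            return str(ipaddress.IPv6Address(opts[i + 2:i + 18]))
        i += 1 if opts[i] == OPT_PAD1 else 2 + opts[i + 1]
    return None

def locate_home_address(pkt):
    """Walk the header chain as a keyless firewall would: (home address or None, headers seen)."""
    nxt, off, chain, ha = pkt[6], 40, [], None
    while off + 2 <= len(pkt) and nxt in NAMES:
        chain.append(NAMES[nxt])
        if nxt == ESP:                              # next header and payload are encrypted: stop
            return ha, chain
        hdr_len = (pkt[off + 1] + 2) * 4 if nxt == AH else (pkt[off + 1] + 1) * 8
        if nxt == DEST_OPTS:                        # AH leaves the following headers in the clear
            ha = ha or home_address_in_options(pkt[off + 2:off + hdr_len])
        nxt, off = pkt[off], off + hdr_len
    return ha, chain

def sample_packets():
    """Two constructed packets: JMC's DO-HA-before-AH ordering, and DO-HA hidden inside ESP."""
    do, ah = dest_opts_home_address(AH, HOME), ah_header(TCP, 0x1000, 1)
    esp = struct.pack("!II", 0x2000, 1) + b"\x00" * 32   # opaque stand-in for the encrypted part
    return {"do_ha_before_ah": ipv6_header(DEST_OPTS, COA, HOME_AGENT, len(do) + len(ah)) + do + ah,
            "do_ha_inside_esp": ipv6_header(ESP, COA, HOME_AGENT, len(esp)) + esp}
```

With the first packet the firewall can read the home address from the DO and still sees AH behind it; with the second it stops at ESP with nothing to filter on.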



