
Re: Mobile IPv6 - IPsec interaction.



 In your previous mail you wrote:

   Not really. The Phase I identity is checked against the certificate,
   and that identity is also used to search for the policy rules allowed
   for the host. And that policy rule must then allow for that host to
   create a tunnel between those two hosts. The ip-number does not have to
   be in the certificate (it can be and you can use that to verify that
   it is correct), it can also be in the external policy mapping saying
   that kivinen@ssh.fi can use home addresses of 11.22.33.44 or
   11.22.33.45 (let's say I have my laptop and also my cellular phone, and
   both of them are using the certificate I have on the smartcard to
   authenticate themselves). 
   
=> if I have understood, you said that the proved phase I identity is
used for the policy lookup and the policy says this peer can use this
and this home address. And the policy can be coded in the certificate
(I can see for addresses but not for the permission itself) or in the
external policy or both. Can you give more details how this can be
done (or how it *is* done)?

   > So, for every cell phone assume I have such a certificate issued.
   
   I think that is the only way to do it... Pre-shared keys are just out
   of question in that case... 
   
=> I don't believe certificates are mandatory (the key for policy lookup
is the phase I identity) but of course they make the world easier.

   > Assume I am using this to connect to some web site. As I keep
   > moving, I keep sending binding updates to the server that
   > I am connected to. Is it practical to assume that any
   > arbitrary server that I connect to, will be able to get to
   > these certificates and do these policy checks?  How
   > does the server get to this policy information?
   
   If I understand correctly you send those binding updates to your home
   agent, not to each web server.
   
=> to set up SAs with the home agent is critical, to set up SAs with each
web server is not but to fail to do this will kill the routing optimization
which is the mobile IPv6 main argument (i.e. this is not a "must" but
a strong "should"). Of course this is not easy :-).

   If you really need to have SA between two random hosts in the
   internet, then you need global PKI.

=> this was my first answer to this issue but fortunately in the
future/expected common case for mobile IPv6 the nodes are not really
random (i.e. replace some web site by a well known web proxy: easier,
isn't it?)

Thanks

Francis.Dupont@enst-bretagne.fr

PS: our target is to prove the authorization issue of mobile IPv6 can
be solved. Of course a constructive proof would be very fine and perhaps
there is already one from the VPN area.

