
Re: Mobile IPv6 - IPsec interaction.




In message <sjm3dezrn4k.fsf@rcn.ihtfp.org>, Derek Atkins writes:
 >
 >Unfortunately there is no standard certificate exchange format for
 >IPSec (yet?).  But you are right, if you have a real certificate with
 >a real i-d binding, then yes, you don't need to include the key in the
 >policy, the identification is sufficient.

Even PKIX is sufficient for *that* (use the SubjAltName), and most
implementations (not FreeSWAN) support that.

 >But snide comments aside, you _can_ do this today: you set your policy
 >to build a tunnel that authorizes your mobile host (based on some
 >identification) to tunnel packets as your home address.  Seriously, it
 >is that simple.  I admit that _how_ you set your policy is IPSec
 >implementation specific.  However, _what_ you need to set up isn't.

Absolutely. I know OpenBSD supports this, and I believe KAME does as
well. I'd be surprised if major vendors can't do this as well.
-Angelos
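
The policy discussed in this message, sketched as an added example (not part of the original post and not taken from OpenBSD, KAME or any other IPsec implementation): the decision to accept a tunnelled packet keys on the identity authenticated during key exchange, such as a certificate SubjAltName, and on the inner source address, never on the outer care-of address. The names `POLICY`, `TunnelPacket` and `authorize`, the host names and the addresses are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy: authenticated identity (e.g. a certificate
# SubjAltName) -> inner source addresses that peer may tunnel as.
POLICY = {
    "mn1.example.org": [ipaddress.ip_network("2001:db8:1::10/128")],
    "mn2.example.org": [ipaddress.ip_network("2001:db8:1::20/128")],
}


@dataclass(frozen=True)
class TunnelPacket:
    peer_id: str    # identity proven during key exchange
    outer_src: str  # care-of address; changes as the host moves
    inner_src: str  # source address claimed inside the tunnel


def authorize(pkt, policy=POLICY):
    """Return (allowed, reason) for a decapsulated packet."""
    allowed_nets = policy.get(pkt.peer_id)
    if allowed_nets is None:
        return False, "unknown identity"
    try:
        inner = ipaddress.ip_address(pkt.inner_src)
    except ValueError:
        return False, "malformed inner source"
    # outer_src is deliberately not consulted: a mobile host's care-of
    # address is expected to change, so the binding is identity -> home.
    if any(inner.version == n.version and inner in n for n in allowed_nets):
        return True, "inner source bound to identity"
    return False, "inner source not authorized for this identity"


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        TunnelPacket("mn1.example.org", "2001:db8:aa::5", "2001:db8:1::10"),
        TunnelPacket("mn1.example.org", "2001:db8:bb::9", "2001:0db8:0001::0010"),
        TunnelPacket("mn1.example.org", "2001:db8:aa::5", "2001:db8:1::20"),
        TunnelPacket("rogue.example.org", "2001:db8:cc::1", "2001:db8:1::10"),
    ]
    for s in samples:
        print(s.peer_id, s.outer_src, s.inner_src, authorize(s))
```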


