[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6 Neighbour Solicitation messages and IPsec

To: "Stephen Kent" <kent@bbn.com>
Subject: Re: IPv6 Neighbour Solicitation messages and IPsec
From: "Jari Arkko" <jari.arkko@kolumbus.fi>
Date: Mon, 8 Jan 2001 00:18:43 +0200
Cc: <ipsec@lists.tislabs.com>, <aidan.williams@motorola.com>, <ipng@sunroof.eng.sun.com>
References: <008e01c0610c$16237c20$8a1b6e0a@arenanet.fi> <20001211082557.A2125@orca.informatik.uni-ulm.de> <3A362BA2.D7EF1481@piuha.net> <v04220806b65ef757f24f@[128.33.238.82]> <3A3F276E.D84D9839@piuha.net> <v04220812b66fdc7dca20@[171.78.30.107]>
Sender: owner-ipsec@lists.tislabs.com

Stephen writes:

>I'm not an IPv6 expert, but it seems that the issue here is who emits the message, not just what ICMP >message is being emitted.
>An IPsec implementation (gateway or host) has an ability to bypass control traffic that it emits, >irrespective of SPD contents.
So, I would expect that ICMP messages used for neighbor solicitation, >advertisement, and autoconfig, etc. would fall into this
category.

True.Though I'm worried that we don't specify anywhere how to bypass and what,
possibly leading to interoperability problems.

>Today we provide port-level controls, for UDP and TCP traffic, so adding ICMP-specific controls >represents a significant change.
We'll have to evaluate the requirement for this sort of change very >
>carefully.

Yes, I agree. ICMP-specific controls aren't the only option, by the way.
We could also have IPsec implementations hard code the handling of
certain messages. I've got a feeling that this is what implementors are
doing. (True?)

Please note also that it seems like we need to do *something*, i.e. the
requested functionality isn't optional nice-to-have features. If we don't
either specify the rules regarding some of these ICMPs and we don't
give fine-grained control to the user, the chances are that implementation
A isn't going to work with implementation B. For instance, in view of the
the problems with Neighbour Advertisement messages, implementation
A bypasses these messages alltogether (or at least for dynamic policies).
Implementation B however chooses to bypass the messages when there
is no SA yet, and to require the use of the SA when one has been negotiated.
You can get A to talk to B, but if reachability detection kicks in (uses
the NA messages too), packets stop flowing!

>>Finally, I would propose that everywhere in the ICMPv6 specifications
>>where it says "AH", tunnel mode ESP would suffice as well.
>
>This last suggestion is a topic for a different debate, and I would suggest
>not including it in this discussion

Yeah. You're right.

Jari
----
http://www.arkko.com

Prev by Date: Re: Mobile IPv6 - IPsec interaction.
Next by Date: RE: Aggressive/Base Mode Signature Queries
Prev by thread: Re: Aggressive/Base Mode Signature Queries
Next by thread: No Subject
Index(es):
- Main
- Thread