
Re: IPsec and RTP crypto
>>>> Stephen Kent <kent@bbn.com> 04/04/01 11:33AM >>>
>At 12:47 PM -0400 4/4/01, Bill Sommerfeld wrote:
>>  > Jeff Schiller according to Basavaraj Patil's
>>>  minutes (mobile IP WG chair) quotes Jeff as saying
>>>  that IPsec is not really a good fit in situations
>>>  where you want to protect some of the traffic, but
>>>  not all of the traffic to another host.
>>
>>IPsec is a poor fit when you only want to protect some traffic of a
>>particular flow (e.g., only packets which contain passwords, or only
>>the packets with a mobile ip binding update).

	I don't think it is a "poor fit" by definition.
	It highly depends on the design of your policy engine and the API
	for security extensions.  I can think of an RFC2292-like API if you want
	to control per-packet IPsec requirements, if such a requirement exists
	(yes, it is hard to control policy for a certain segment of a TCP flow,
	but that is inherently hard with the TCP API; it is independent of IPsec).

	For mobile-ip6 in particular, it is very easy to use a particular
	protection mechanism for outgoing/incoming binding updates.
	Binding updates are normally sent by the kernel and received
	by the kernel, so it is trivial for us to tweak/annotate the policy lookup.
	Even with a packet with a piggybacked binding update, it is not that hard.
	I don't think it is a "poor fit" in the mobile-ip6 case.

itojun

