Re: IPsec and RTP crypto
>>>> Stephen Kent <kent@bbn.com> 04/04/01 11:33AM >>>
>At 12:47 PM -0400 4/4/01, Bill Sommerfeld wrote:
>>> Jeff Schiller according to Basavaraj Patil's
>>> minutes (mobile IP WG chair) quotes Jeff as saying
>>> that IPsec is not really a good fit in situations
>>> where you want to protect some of the traffic, but
>>> not all of the traffic to another host.
>>
>>IPsec is a poor fit when you only want to protect some traffic of a
>>particular flow (e.g., only packets which contain passwords, or only
>>the packets with a mobile ip binding update).
I don't think it is a "poor fit" by definition.
It highly depends on the design of your policy engine and the API
for security extensions. I can think of an RFC2292-like API if you want
to control per-packet IPsec requirements, if such a requirement exists
(yes, it is hard to control policy for a certain segment in a TCP flow,
but it is inherently hard for the TCP API; this is independent of IPsec).
For mobile-ip6 in particular, it is very easy to use a particular
protection mechanism for outgoing/incoming binding updates.
Binding updates are normally sent by the kernel and received
by the kernel, so it is trivial for us to tweak/annotate the policy lookup.
Even with a packet with a piggybacked binding update, it is not that hard.
I don't think it is a "poor fit" in the mobile-ip6 case.
itojun