
Re: Simplifying IKE



On Wed, 08 Aug 2001 15:39:32 EDT you wrote
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
>  >>>>> "Dan" == Dan Harkins <dharkins@lounge.org> writes:
>      Dan> The problem with MIPv6 is that the Binding Update is a destination
>      Dan> option which they would like authenticated. But there is no way for
>      Dan> an IPsec selector to be defined to identify certain types of destination
>      Dan> options. The choice is to authenticate _everything_ which they don't
>      Dan> want to do or authenticate _nothing_ which they can't do. This has
>      Dan> nothing to do with IKE.
> 
>    Well, there is no standard way.
> 
>    Within a unified stack, (not BITW or BITS) the packets with the binding
> update can easily be marked for IPsec processor via out-of-band means
> (i.e. in the control structure). 

Then the problem is on the other end. The selector either says every 
packet _MUST_ be IPsec-protected or else it _MUST NOT_ be IPsec-protected.
Either way, if some packets--those with Binding Updates-- are received with
IPsec protection and others-- those without Binding Updates-- are not then
we're going to have a problem.

  Dan.
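
The receive-side mismatch described in the message above, as an added example that is not part of the original post: a simplified model of an inbound policy check where the selector can match only on addresses, so one policy has to cover both the Binding Update packet and ordinary traffic. The names `SpdEntry`, `inbound_check` and `accepted_mix` are hypothetical, and the addresses are constructed from the IPv6 documentation prefix.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network

class Action(Enum):
    PROTECT = "protect"   # every matching packet MUST arrive under IPsec
    BYPASS = "bypass"     # every matching packet MUST NOT be IPsec-protected

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    has_binding_update: bool   # carried in a destination option
    ipsec_protected: bool      # arrived under AH/ESP

@dataclass(frozen=True)
class SpdEntry:
    # Selector fields only: nothing here can express "has a Binding Update",
    # so has_binding_update never takes part in the match.
    src_net: str
    dst_net: str
    action: Action

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))

def inbound_check(spd, pkt):
    """Return True if the receiver's policy accepts the packet."""
    for entry in spd:
        if entry.matches(pkt):
            required = entry.action is Action.PROTECT
            return pkt.ipsec_protected == required
    return False  # no matching policy: discard (assumption of this model)

def accepted_mix(action):
    """Feed the sender's mixed traffic to a receiver holding one policy."""
    spd = [SpdEntry("2001:db8:1::/64", "2001:db8:2::/64", action)]
    # Constructed traffic: the sender protects only the Binding Update packet.
    traffic = [
        Packet("2001:db8:1::10", "2001:db8:2::20", True, True),
        Packet("2001:db8:1::10", "2001:db8:2::20", False, False),
    ]
    return [inbound_check(spd, p) for p in traffic]

if __name__ == "__main__":
    for action in Action:
        print(action.name, accepted_mix(action))
```

Whichever action the single entry carries, one of the two packets is rejected, because the selector cannot tell them apart.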


