Re: Simplifying IKE
On Wed, 08 Aug 2001 15:39:32 EDT you wrote
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> >>>>> "Dan" == Dan Harkins <dharkins@lounge.org> writes:
> Dan> The problem with MIPv6 is that the Binding Update is a destination
> Dan> option which they would like authenticated. But there is no way for
> Dan> an IPsec selector to be defined to identify certain types of destination
> Dan> options. The choice is to authenticate _everything_ which they don't
> Dan> want to do or authenticate _nothing_ which they can't do. This has
> Dan> nothing to do with IKE.
>
> Well, there is no standard way.
>
> Within a unified stack, (not BITW or BITS) the packets with the binding
> update can easily be marked for IPsec processor via out-of-band means
> (i.e. in the control structure).
Then the problem is on the other end. The selector either says every
packet _MUST_ be IPsec-protected or else it _MUST NOT_ be IPsec-protected.
Either way, if some packets -- those with Binding Updates -- are received with
IPsec protection and others -- those without Binding Updates -- are not, then
we're going to have a problem.
Dan.
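
A simplified model of the receiving-side check described in this message, added here as an illustration and not part of the original thread. The class and field names, the addresses (documentation prefix 2001:db8::/32) and the port are assumptions; the selector covers only addresses, upper-layer protocol and port, so the two packets below are indistinguishable to the policy lookup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:                      # constructed sample packet, hypothetical fields
    src: str
    dst: str
    next_proto: int                # upper-layer protocol, 6 = TCP
    dport: int
    has_binding_update: bool       # carried in a Destination Options header
    ipsec_protected: bool          # arrived under an AH/ESP SA

@dataclass(frozen=True)
class Policy:                      # one policy entry in a toy SPD
    src_net: str
    dst_net: str
    next_proto: int
    dport: int
    action: str                    # "PROTECT" or "BYPASS"

    def matches(self, p: Packet) -> bool:
        # The selector sees addresses, protocol and port only.
        # has_binding_update is never consulted: there is no field for it.
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and p.next_proto == self.next_proto
                and p.dport == self.dport)

def inbound_check(spd, p: Packet) -> str:
    """Accept only if the packet's protection matches what the policy demands."""
    for pol in spd:
        if pol.matches(p):
            required = pol.action == "PROTECT"
            return "accept" if p.ipsec_protected == required else "drop"
    return "drop"                  # no matching policy: discard

def run(action: str):
    """Return verdicts for (packet with BU sent protected, packet without BU sent clear)."""
    spd = [Policy("2001:db8:1::/64", "2001:db8:2::/64", 6, 80, action)]
    with_bu = Packet("2001:db8:1::10", "2001:db8:2::20", 6, 80, True, True)
    without_bu = Packet("2001:db8:1::10", "2001:db8:2::20", 6, 80, False, False)
    return inbound_check(spd, with_bu), inbound_check(spd, without_bu)

if __name__ == "__main__":
    for action in ("PROTECT", "BYPASS"):
        print(action, run(action))
```

Whichever action the receiver configures, one of the two packets fails the check, which is the mismatch the message points out.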