
Re: Simplifying IKE




>> Either way, if some packets--those with Binding Updates-- are received with
>> IPsec protection and others-- those without Binding Updates-- are not then
>> we're going to have a problem.
>  If the packet has some form of authentication (I'll not prejudge by saying
>AH), and this is noted in the control structure, then the piece that
>processes the Binding Update says "okay, it was protected".
>  The TCP layer (or whatever) above it didn't require that the packet was
>protected (or not), so it goes on. If the system policy required all packets
>to be authenticated, then TCP would check that.
>
>  Dan McDonald? Bill Sommerfeld? Itojun? 
>  Does this make sense?

	(not about the ipsec issue... anyway...)

	The above is basically what we (itojun + Dave Johnson) thought
	around the 09 -> 10 mobile-ip6 spec (when we put more details on
	IPsec manipulation).  There were issues raised at IETF50 about policy
	lookup in such cases.  A point was made that there are implementations
	that are not flexible enough to permit such a tweak.

	Now I believe that we should avoid piggybacking the binding
	updates onto normal packets.  If we treat them separately, we can
	decide IPsec policy completely in an independent manner.
	I believe it is okay to use IPsec with mobile-ip6.  We don't need to
	invent a new authentication mechanism.  Another point made at IETF50
	about mobile-ip6 was the lack of PKI infrastructure, which is a
	hard problem by itself and no one is going to be able to solve this.

itojun
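The policy-lookup problem the two messages above are circling can be made concrete with a toy model of an IPsec SPD. The following is an added illustration written for this archive page, not code from the thread, from the mobile-ip6 draft, or from any real IPsec implementation. It assumes a simplified selector-based SPD keyed only on upper-layer protocol and destination port, a constructed protocol number (135) for a standalone mobility message, and a per-packet "authenticated" flag set by the IPsec input path, as the quoted reply suggests. The point it shows: when a Binding Update is piggybacked as a destination option on a TCP packet, the SPD lookup sees only the TCP flow's selectors, so the BU handler has to fall back on the control-structure flag; when the BU travels in its own packet with its own protocol number, the SPD can require IPsec for it independently of what TCP gets.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol numbers used by the simulation. TCP's (6) is real; the standalone
# mobility message number is an assumption for this example only.
PROTO_TCP = 6
PROTO_MOBILITY = 135


@dataclass
class Packet:
    proto: int
    dport: Optional[int]
    authenticated: bool        # set by the IPsec input path once AH/ESP verified
    carries_bu: bool = False   # a Binding Update is present in this packet


@dataclass
class Policy:
    proto: int
    dport: Optional[int]       # None matches any port
    action: str                # "require" (must be IPsec-protected) or "bypass"


def spd_lookup(spd: List[Policy], pkt: Packet) -> str:
    """Selector-based SPD lookup: first policy matching protocol/port wins.

    Note what is NOT a selector here: a destination option such as a
    piggybacked BU, so a BU inside a TCP packet gets the TCP flow's policy."""
    for pol in spd:
        if pol.proto == pkt.proto and pol.dport in (None, pkt.dport):
            return pol.action
    return "bypass"


def inbound(spd: List[Policy], pkt: Packet) -> Tuple[bool, bool]:
    """Returns (deliver_to_upper_layer, accept_binding_update)."""
    if spd_lookup(spd, pkt) == "require" and not pkt.authenticated:
        return (False, False)          # policy rejects the whole packet
    # The BU handler checks the control-structure flag itself, independently
    # of whatever the carrying flow's policy demanded (the quoted scheme).
    accept_bu = pkt.carries_bu and pkt.authenticated
    return (True, accept_bu)


# Piggybacked design: the only policy that can match is the TCP flow's.
SPD_PIGGYBACK = [Policy(PROTO_TCP, 80, "bypass")]

# Separate-packet design: mobility messages have their own selector.
SPD_SEPARATE = [
    Policy(PROTO_MOBILITY, None, "require"),
    Policy(PROTO_TCP, 80, "bypass"),
]


def piggyback_cases():
    """BU riding on an HTTP packet, unprotected and protected."""
    plain = Packet(PROTO_TCP, 80, authenticated=False, carries_bu=True)
    protected = Packet(PROTO_TCP, 80, authenticated=True, carries_bu=True)
    # The unprotected packet is still delivered to TCP; only its BU is
    # ignored. The SPD alone cannot say "require IPsec for BUs" without
    # also requiring it for every port-80 TCP packet.
    return inbound(SPD_PIGGYBACK, plain), inbound(SPD_PIGGYBACK, protected)


def separate_cases():
    """Standalone mobility packets plus an ordinary HTTP packet."""
    plain_bu = Packet(PROTO_MOBILITY, None, authenticated=False, carries_bu=True)
    protected_bu = Packet(PROTO_MOBILITY, None, authenticated=True, carries_bu=True)
    web = Packet(PROTO_TCP, 80, authenticated=False)
    # The unprotected BU is dropped by policy, the protected one accepted,
    # and TCP traffic is left alone: the two policies are now independent.
    return (
        inbound(SPD_SEPARATE, plain_bu),
        inbound(SPD_SEPARATE, protected_bu),
        inbound(SPD_SEPARATE, web),
    )


if __name__ == "__main__":
    print("piggybacked:", piggyback_cases())
    print("separate:   ", separate_cases())
```

The model deliberately omits addresses and SA lookup; the only thing it exercises is selector granularity, which is what decides whether "require IPsec for Binding Updates" is expressible as a policy or has to be enforced by the BU handler after the fact.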

