Re: Simplifying IKE
>> Either way, if some packets--those with Binding Updates-- are received with
>> IPsec protection and others-- those without Binding Updates-- are not then
>> we're going to have a problem.
> If the packet has some form of authentication (I'll not prejudge by saying
> AH), and this is noted in the control structure, then the piece that
> processes the Binding Update says "okay, it was protected".
> The TCP layer (or whatever) above it didn't require that the packet was
> protected (or not), so it goes on. If the system policy required all packets
> to be authenticated, then TCP would check that.
>
> Dan McDonald? Bill Sommerfeld? Itojun?
> Does this make sense?
(not about the ipsec issue... anyway...)
The above is basically what we (itojun + Dave Johnson) thought
around 09 -> 10 mobile-ip6 spec (when we put more details on
IPsec manipulation). There were issues raised at IETF50 about policy
lookup in such cases. A point was made that there are implementations
that are not flexible enough to permit such a tweak.
Now I believe that we should avoid piggybacking the binding
updates onto normal packets. If we treat them separately, we can
decide IPsec policy completely in an independent manner.
I believe it is okay to use IPsec with mobile-ip6. We don't need to
invent a new authentication mechanism. Another point made at IETF50
about mobile-ip6 was the lack of PKI infrastructure, which is a
hard problem by itself and no one is going to be able to solve this.
itojun
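The two designs discussed in this thread (a Binding Update piggybacked on a normal packet, whose IPsec policy is decided by the transport flow's selectors, versus a stand-alone Binding Update with a policy of its own) can be modelled in a few lines. The following is an added example, not code from itojun, Dave Johnson, KAME or any other stack: the Packet and SPDEntry types, the "mip6-bu" protocol tag and the "require"/"bypass" actions are constructed for illustration. The `authenticated` flag plays the role of the "noted in the control structure" marker that the quoted message describes.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of inbound processing. Every name here is hypothetical
# and not taken from any real implementation.

@dataclass
class Packet:
    proto: str              # "tcp", or "mip6-bu" for a stand-alone Binding Update
    dport: int
    binding_update: bool    # True if a BU rides on this packet as a destination option
    authenticated: bool     # set by IPsec input once AH/ESP verification succeeded

@dataclass
class SPDEntry:
    proto: str
    action: str             # "require" (must be authenticated) or "bypass"

def spd_lookup(pkt: Packet, spd: List[SPDEntry]) -> str:
    """Policy lookup keyed on the packet's selectors (here only the upper-layer
    protocol). A piggybacked BU has no selector of its own, so it inherits
    whatever policy the TCP flow has."""
    for entry in spd:
        if entry.proto == pkt.proto:
            return entry.action
    return "bypass"  # assumption: no matching entry means no requirement

def ipsec_input(pkt: Packet, spd: List[SPDEntry]) -> bool:
    """Return False (drop) when policy demands protection the packet lacks."""
    action = spd_lookup(pkt, spd)
    return not (action == "require" and not pkt.authenticated)

def binding_update_input(pkt: Packet) -> str:
    """BU handler: consults the control-structure flag itself, regardless of
    what the transport policy said. An unauthenticated BU is rejected, but the
    packet still continues up to the transport layer."""
    return "accepted" if pkt.authenticated else "rejected"

def deliver(pkt: Packet, spd: List[SPDEntry]) -> Dict[str, str]:
    result: Dict[str, str] = {}
    if not ipsec_input(pkt, spd):
        return {"packet": "dropped"}
    result["packet"] = "passed"
    if pkt.binding_update or pkt.proto == "mip6-bu":
        result["bu"] = binding_update_input(pkt)
    if pkt.proto == "tcp":
        # TCP's own requirement (none, under this SPD) was already checked above
        result["tcp"] = "accepted"
    return result

# Constructed policy: plain TCP is bypass; stand-alone BUs require authentication.
SPD = [SPDEntry("tcp", "bypass"), SPDEntry("mip6-bu", "require")]

def piggybacked_unauth() -> Dict[str, str]:
    # BU piggybacked on an unprotected TCP segment: the SPD (keyed on TCP) lets
    # the packet through, so only the BU handler's own check catches it.
    return deliver(Packet("tcp", 80, binding_update=True, authenticated=False), SPD)

def piggybacked_auth() -> Dict[str, str]:
    return deliver(Packet("tcp", 80, binding_update=True, authenticated=True), SPD)

def separate_unauth() -> Dict[str, str]:
    # Stand-alone BU: its own SPD entry enforces authentication before any
    # upper layer sees the packet.
    return deliver(Packet("mip6-bu", 0, binding_update=False, authenticated=False), SPD)

def separate_auth() -> Dict[str, str]:
    return deliver(Packet("mip6-bu", 0, binding_update=False, authenticated=True), SPD)

if __name__ == "__main__":
    for f in (piggybacked_unauth, piggybacked_auth, separate_unauth, separate_auth):
        print(f.__name__, f())
```

In the piggybacked case the policy lookup never sees the Binding Update at all, so correctness rests on every BU handler checking the per-packet flag and on the stack exposing that flag to upper layers; that is the "tweak" some implementations cannot make. With a separate message the requirement lives in the SPD entry for that message and is enforced in one place.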