
Re: Simplifying IKE



>>>>> "Jun-ichiro" == Jun-ichiro itojun Hagino <itojun@iijlab.net> writes:
    mcr> If the packet has some form of authentication (I'll not prejudge by saying
    mcr> AH), and this is noted in the control structure, then the piece that
    mcr> processes the Binding Update says "okay, it was protected".
    mcr> The TCP layer (or whatever) above it didn't require that the packet was
    mcr> protected (or not), so it goes on. If the system policy required all packets
    mcr> to be authenticated, then TCP would check that.
    mcr> 
    mcr> Dan McDonald? Bill Sommerfeld? Itojun? 
    mcr> Does this make sense?

    Jun-ichiro> 	(not about the ipsec issue... anyway...)

    Jun-ichiro> 	The above is basically what we (itojun + Dave Johnson) thought
    Jun-ichiro> 	around 09 -> 10 mobile-ip6 spec (when we put more details on
    Jun-ichiro> 	IPsec manipulation).  there were issues raised at IETF50 about policy
    Jun-ichiro> 	lookup in such cases.  a point was made that there are implementations
    Jun-ichiro> 	that are not flexible enough to permit such a tweak.

  Host implementations? Or bump in the stack implementations?
  I really think that this is something which requires integration to get right.

    Jun-ichiro> 	now I believe that we should avoid piggybacking the binding
    Jun-ichiro> 	updates onto normal packets.  if we treat them separately, we can
    Jun-ichiro> 	decide IPsec policy completely in an independent manner.

  I feel uncomfortable about this.
  I'm not sure why yet.

    Jun-ichiro> 	I believe it okay to use IPsec with mobile-ip6.  we don't need to
    Jun-ichiro> 	invent a new authentication mechanism.  another point made at IETF50
    Jun-ichiro> 	about mobile-ip6 was the lack of PKI infrastructure, which is, a
    Jun-ichiro> 	hard problem by itself and no one is going to be able to solve this.

  Well, the result of an end node failing to authenticate the binding update is
that it must continue to use the home agent. It is less efficient, but it
works. 

  I've not yet seen a mobilev6+IPsec implementation that I could use even if I
pre-exchanged all the public keys. I'm hopeful that I'll see this soon.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
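As an added example (not code from this message or from any Mobile IPv6 implementation), a small C model of the layered check mcr describes above: IPsec input fills a hypothetical per-packet control structure, the Binding Update code requires the authentication note before touching the binding, and the transport layer consults system policy independently. The structure fields, policy values and SPIs are constructed for illustration.

```c
#include <stdio.h>

/* Hypothetical per-packet control structure, filled in by IPsec input
 * processing only; nothing the sender puts on the wire writes these fields. */
enum ipsec_proto { IPSEC_NONE = 0, IPSEC_AH, IPSEC_ESP };

struct pkt_ctrl {
    enum ipsec_proto proto;   /* which IPsec header protected the packet */
    int authenticated;        /* 1 if that header gave integrity (AH, or ESP with auth) */
    unsigned int spi;         /* SPI of the SA that verified it; 0 if none (constructed) */
    int has_binding_update;   /* a Binding Update destination option is present */
};

/* System-wide policy applied by the transport layer (TCP "or whatever"). */
enum sys_policy { POLICY_ANY = 0, POLICY_REQUIRE_AUTH };

/* Binding Update processing: reads the note the IPsec layer left and refuses
 * to modify the binding without it. ESP without authentication does not count.
 * Returns 1 if the binding may be updated, 0 if the option must be ignored. */
int binding_update_accept(const struct pkt_ctrl *pc)
{
    if (!pc->has_binding_update)
        return 0;                         /* nothing to apply */
    return pc->authenticated;             /* "okay, it was protected" */
}

/* Transport-layer check, decided independently of the Binding Update: it only
 * demands authentication when system policy requires it for all packets. */
int transport_accept(const struct pkt_ctrl *pc, enum sys_policy pol)
{
    if (pol == POLICY_REQUIRE_AUTH && !pc->authenticated)
        return 0;
    return 1;
}

/* Constructed samples: an AH-protected packet carrying a BU, and a bare one. */
int main(void)
{
    struct pkt_ctrl ah_bu  = { IPSEC_AH, 1, 0x1001, 1 };
    struct pkt_ctrl raw_bu = { IPSEC_NONE, 0, 0, 1 };
    printf("AH+BU:    apply BU=%d, transport accepts (policy any)=%d\n",
           binding_update_accept(&ah_bu), transport_accept(&ah_bu, POLICY_ANY));
    printf("plain BU: apply BU=%d, transport accepts (any)=%d, (require auth)=%d\n",
           binding_update_accept(&raw_bu), transport_accept(&raw_bu, POLICY_ANY),
           transport_accept(&raw_bu, POLICY_REQUIRE_AUTH));
    return 0;
}
```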




