
Re: Simplifying IKE

>> 	(not about the ipsec issue... anyway...)
>
>> 	The above is basically what we (itojun + Dave Johnson) thought
>> 	around 09 -> 10 mobile-ip6 spec (when we put more details on
>> 	IPsec manipulation).  there were issues raised at IETF50 about policy
>> 	lookup in such cases.  a point was made that there are implementations
>> 	that are not flexible enough to permit such a tweak.
>  Host implementations? Or bump in the stack implementations?
>  I really think that this is something which requires integration to get right.

	no real example was given, IIRC.

>> 	now I believe that we should avoid piggybacking the binding
>> 	updates onto normal packets.  if we treat them separately, we can
>> 	decide IPsec policy completely in an independent manner.
>  I feel uncomfortable about this.
>  I'm not sure why yet.

	uncomfortable about forbidding piggybacking binding updates?  why?

>> 	I believe it is okay to use IPsec with mobile-ip6.  we don't need to
>> 	invent a new authentication mechanism.  another point made at IETF50
>> 	about mobile-ip6 was the lack of PKI infrastructure, which is a
>> 	hard problem by itself and no one is going to be able to solve this.
>  Well, the failure for an end node to authenticate the binding update is
>that it must continue to use the home agent. It is less efficient, but it
>works. 

	yes.  it will go through inefficient path but works.

	my point is, inventing a new security mechanism for mobile-ip6 is not
	worth the effort, because regardless of which authentication mechanism we
	use to authenticate binding updates, it would require
	PKI infrastructure, and therefore fail to satisfy the
	requirement posed by the comment on mobile-ip6 + IPsec.
	are there any trustworthy authentication mechanisms that work WITHOUT
	PKI?  what are we authenticating in that case?

>  I've not yet seen a mobilev6+IPsec implementation that I could use even if I
>pre-exchanged all the public keys. I'm hopeful that I'll see this soon.

	NEC and Keio SFC both do (or did at some point in the past)
	mobile-ip6 + IPsec with manual keying.

itojun
