
ID regarding interactions of IPSec encryption devices and mobile-ip (and other protocols)




During my work with mobile-ipv4 mobile router code and deployment in 
operational networks, we have run across a number of problems that had to 
be resolved.  Also, during my last trip to IETF (San Francisco), there was 
much talk in mobile-ip, NEMO and IPSec on the need for these groups to 
understand each other's issues and workings as securing mobile users and 
networks is ..... challenging (nasty).

I wrote this draft in hopes of highlighting some of the issues and 
hopefully preventing others from banging their head against the walls 
trying to figure out why things don't work.  Also, the NSA is currently 
working on a specification similar to IPSec and needs to understand some of 
these issues if they want to use such devices in mobile environments.

Any suggestions on improving this document would be greatly appreciated.

http://www.ietf.org/internet-drafts/draft-ivancic-layer3-encryptors-00.txt


Abstract

This document describes some issues related to performing encryption at 
layer-3. In particular, routing protocol problems may result if the 
time-to-live (TTL) field in IPv4 or the Hop Limit field in IPv6 is 
decremented once before encapsulation [1][2]. Also, special provisions may 
be necessary within the encryptor devices if broadcast messages are to 
transition the encryptor pairs. Maximum Transmission Unit (MTU) issues are 
also presented.


Will Ivancic