
IPv6 RH (was Re: SPD issues)



At 16:34 23/10/2003 +0300, Tero Kivinen wrote:
>Markku Savela writes:
>> For me, it is the next hop destination. Note, however that if SG is
>> also a router, there will be two cases for incoming packet with
>> routing header:
>> a) ip dst = router's own address => process routing header, IPSEC will
>> apply to next hop (which may be the router itself again).
>> b) ip dst != router's own address, routing header is NOT processed,
>> next hop is searched based on the ip dst address. Again, IPSEC applies
>> to next hop.
>> This is as it should be. Do not mess with it!
>
>That interpretation is fine as long as there is nothing that looks
>like a firewall there. In IPsec there are drop rules, so it has a
>minimal firewall inside the IPsec implementation. Using the routing
>header allows users to bypass the restrictions created by the
>administrator.

Tero,

I tend to agree with your interpretation: the decision should be based on the final destination and not on the next hop. This is clear for the bypass/drop 'firewall' SPD entry.

AFAIK, with the existing IPv4 implementations the source routing option has been ignored by IPSec (it looked only at the IP destination address).

Of course, IPv6 is much more complex, specifically since Mobile IPv6 is also using RH. And there you probably want to make your decision on the next hop... Contradicting my first paragraph ;-)

Perhaps the decision should be made on whether either the destination IP or any RH next-hop IP matches the selector?

-eric
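The three interpretations in this thread (match the IP dst field, match the final destination, or match dst plus any remaining RH hop) as an added illustration, not code from the thread or any IPsec implementation. It assumes the Type 0 Routing Header layout from RFC 2460 and constructs its own sample packet; the policy names "next_hop", "final" and "any_hop" are hypothetical labels for the three positions.

```python
import ipaddress
import struct

ROUTING_HDR = 43      # protocol number of the IPv6 Routing Header
NO_NEXT_HDR = 59

def build_packet(src, dst, hops):
    """Constructed sample: IPv6 header + Type 0 Routing Header, no payload."""
    rh = struct.pack("!BBBBI", NO_NEXT_HDR, 2 * len(hops), 0, len(hops), 0)
    rh += b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    hdr = struct.pack("!IHBB", 0x60000000, len(rh), ROUTING_HDR, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + rh

def parse(pkt):
    """Return dst, segments_left, RH address list and the final destination."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    dst = ipaddress.IPv6Address(pkt[24:40])
    info = {"dst": dst, "segments_left": 0, "addresses": [], "final": dst}
    if pkt[6] != ROUTING_HDR:
        return info                        # no RH: next hop == final destination
    ext_len, rtype, seg_left = pkt[41], pkt[42], pkt[43]
    if rtype != 0:                         # e.g. Mobile IPv6 type 2: not handled here
        return info
    body = pkt[48:48 + 8 * ext_len]
    if ext_len % 2 or len(body) != 8 * ext_len or seg_left > ext_len // 2:
        raise ValueError("malformed Type 0 Routing Header")
    addrs = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)]
    info.update(segments_left=seg_left, addresses=addrs)
    # Unvisited hops are the last seg_left entries; the final destination is the last.
    info["final"] = addrs[-1] if seg_left else dst
    return info

def spd_destinations(info, policy):
    """Addresses the SPD destination selector is checked against, per interpretation."""
    if policy == "next_hop":               # match on the IP dst field only
        return [info["dst"]]
    if policy == "final":                  # match on the final destination
        return [info["final"]]
    if policy == "any_hop":                # IP dst or any remaining RH hop
        remaining = info["addresses"][len(info["addresses"]) - info["segments_left"]:]
        return [info["dst"]] + remaining
    raise ValueError("unknown policy: " + policy)

def selector_matches(pkt, selector, policy):
    net = ipaddress.IPv6Network(selector)
    return any(a in net for a in spd_destinations(parse(pkt), policy))
```

A drop selector for a prefix that only appears as an RH hop is missed under "next_hop" and hit under the other two; the Type 0 header was later deprecated (RFC 5095), but the same question applies to the Type 2 header used by Mobile IPv6, which this parser deliberately skips.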