
Re: IPv6 RH (was Re: SPD issues)



At 17:09 +0200 10/23/03, Eric Vyncke wrote:
>At 16:34 23/10/2003 +0300, Tero Kivinen wrote:
>>Markku Savela writes:
>>>  For me, it is the next hop destination. Note, however that if SG is
>>>  also a router, there will be two cases for incoming packet with
>>>  routing header:
>>>  a) ip dst = routers own address => process routing header, IPSEC will
>>>  apply to next hop. (which may be the router itself again).
>>>  b) ip dst != routers own address, routing header is NOT processed,
>>>  next hop is searched based on the ip dst address. Again, IPSEC applies
>>>  to next hop.
>>>  This is as it should be. Do not mess with it!
>>
>>That interpretation is fine as long as there is nothing that looks
>>like a firewall there. In IPsec there are drop rules, so it has a
>>minimal firewall inside of the IPsec implementation. Using the routing
>>header allows users to bypass the restrictions created by the
>>administrator.
>
>Tero,
>
>I tend to agree with your interpretation, the decision should be 
>based on the final destination and not on the next hop. This is 
>clear for the bypass/drop 'firewall' SPD entry.
>
>AFAIK with the existing IPv4 implementations, the source routing 
>option has been ignored by IPSec (it looked only to the IP 
>destination address).
>
>Of course, IPv6 is much more complex; specifically since Mobile IPv6 
>is also using RH. And, there you probably want to make your decision 
>on the next hop... Contradicting my first paragraph ;-)
>
>Perhaps, the decision should be made if either the destination IP or 
>any RH next-hop IP are matching the selector?


We did overlook this in 2401, and we ought to be more precise in 2401bis.

The IPv6 destination is what I expect folks would use for selector 
checking, for both outbound and inbound traffic.

We might add a flag that explicitly disallows traffic with routing 
headers, as a local admin control for SPD entries.  In the IPv4 case, 
we could do the same re the source route option.

What do folks think?

Steve
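As an added illustration (not code from this thread or any IPsec implementation), the sketch below does what Steve proposes: the SPD selector is matched against the IPv6 final destination (the last Routing Header address when segments remain) rather than the next hop, so a Routing Header cannot route around an administrator's discard entry, and each SPD entry carries a flag that disallows routed traffic outright. The SPD layout, the `entry`/`spd_lookup` helpers and the sample addresses are constructed for the example; only a type 0 Routing Header placed directly after the base header is handled.

```python
import ipaddress
import struct

NH_ROUTING, NH_NONE = 43, 59  # IPv6 Next Header values: Routing Header, No Next Header

def build_packet(src, dst, rh_addrs=(), segments_left=0):
    """Constructed sample: base IPv6 header, optionally followed by a type 0 Routing Header."""
    payload, nh = b"", NH_NONE
    if rh_addrs:
        body = b"".join(ipaddress.IPv6Address(a).packed for a in rh_addrs)
        # next hdr, hdr ext len (8-octet units, excluding the first 8), type 0, segments left, reserved
        payload = struct.pack("!BBBBI", NH_NONE, len(body) // 8, 0, segments_left, 0) + body
        nh = NH_ROUTING
    base = struct.pack("!IHBB", 0x60000000, len(payload), nh, 64)  # version 6, payload len, NH, hop limit
    return base + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def parse_packet(pkt):
    """Return (src, dst, rh); rh is (segments_left, [addresses]) or None if no RH follows the base header."""
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    if pkt[6] != NH_ROUTING:
        return src, dst, None
    body = pkt[48:48 + pkt[41] * 8]
    addrs = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)]
    return src, dst, (pkt[43], addrs)

def final_destination(dst, rh):
    """Last RH address if segments remain to be visited, otherwise the Destination field."""
    if rh and rh[0] > 0 and rh[1]:
        return rh[1][-1]
    return dst

def entry(dst_net, action, allow_rh=True):
    return {"src": ipaddress.ip_network("::/0"), "dst": ipaddress.ip_network(dst_net),
            "action": action, "allow_rh": allow_rh}

# Constructed SPD (ordered, first match wins): the administrator blocks 2001:db8:1::/64.
SPD = [entry("2001:db8:1::/64", "discard"), entry("2001:db8:2::/64", "bypass"),
       entry("2001:db8:3::/64", "bypass", allow_rh=False)]

def spd_lookup(pkt, spd=SPD):
    """Match on (src, final destination), not the next hop; allow_rh=False is the
    proposed per-entry 'no routing headers' control and discards any routed packet."""
    src, dst, rh = parse_packet(pkt)
    fdst = final_destination(dst, rh)
    for e in spd:
        if src in e["src"] and fdst in e["dst"]:
            return "discard" if (rh is not None and not e["allow_rh"]) else e["action"]
    return "discard"  # no matching entry
```

A packet addressed to the permitted 2001:db8:2::1 but carrying a Routing Header whose final hop is 2001:db8:1::1 is discarded here, whereas a lookup on the next hop alone would have let it bypass.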