Re: IPv6 RH (was Re: SPD issues)
At 17:09 +0200 10/23/03, Eric Vyncke wrote:
>At 16:34 23/10/2003 +0300, Tero Kivinen wrote:
>>Markku Savela writes:
>>> For me, it is the next hop destination. Note, however that if SG is
>>> also a router, there will be two cases for incoming packet with
>>> routing header:
>>> a) ip dst = routers own address => process routing header, IPSEC will
>>> apply to next hop. (which may be the router itself again).
>>> b) ip dst != routers own address, routing header is NOT processed,
>>> next hop is searched based on the ip dst address. Again, IPSEC apply
>>> to next hop.
>>> This is as it should be. Do not mess with it!
>>
>>That interpretation is fine as long as there is nothing that looks
>>like a firewall there. In IPsec there are drop rules, so it has a
>>minimal firewall inside of the IPsec implementation. Using the routing
>>header allows users to bypass the restrictions created by the
>>administrator.
>
>Tero,
>
>I tend to agree with your interpretation, the decision should be
>based on the final destination and not on the next hop. This is
>clear for the bypass/drop 'firewall' SPD entry.
>
>AFAIK with the existing IPv4 implementations, the source routing
>option has been ignored by IPSec (it looked only to the IP
>destination address).
>
>Of course, IPv6 is much more complex; specifically since Mobile IPv6
>is also using RH. And, there you probably want to make your decision
>on the next hop... Contradicting my first paragraph ;-)
>
>Perhaps, the decision should be made if either the destination IP or
>any RH next-hop IP are matching the selector?
We did overlook this in 2401, and we ought to be more precise in 2401bis.
The IPv6 destination is what I expect folks would use for selector
checking, for both outbound and inbound traffic.
We might add a flag that explicitly disallows traffic with routing
headers, as a local admin control for SPD entries. In the IPv4 case,
we could do the same re the source route option.
What do folks think?
Steve
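The selector question the thread argues over, as an added example that is not part of the original messages: an SPD DISCARD selector is checked against a constructed IPv6 packet carrying a Type 0 Routing Header, once looking only at the IPv6 header destination (the next hop) and once also at every RH address (Eric's closing suggestion). The RH0 layout follows RFC 2460; all addresses and the `build_pkt`/`spd_matches` helpers are constructed here.

```python
"""Added example (not from the original thread): match an IPsec SPD
DISCARD selector against an IPv6 packet with a Type 0 Routing Header,
with and without consulting the RH addresses. Packet bytes are constructed."""
import ipaddress
import struct

IPV6_ROUTING = 43  # Next Header value of the Routing extension header


def parse_ipv6_with_rh(pkt: bytes):
    """Return (header_dst, [RH addresses]); the list is empty when the
    fixed header is not followed by a Type 0 routing header."""
    nxt = pkt[6]                                   # Next Header field
    dst = ipaddress.IPv6Address(pkt[24:40])        # destination address
    hops = []
    if nxt == IPV6_ROUTING:
        # RH: next hdr, ext len (8-octet units past the first 8), type, segs left
        _, ext_len, rtype, _seg_left = struct.unpack("!BBBB", pkt[40:44])
        if rtype == 0:                              # RH0: 4 reserved octets, then addresses
            for i in range(ext_len // 2):           # one 128-bit address = 2 units
                off = 48 + 16 * i
                hops.append(ipaddress.IPv6Address(pkt[off:off + 16]))
    return dst, hops


def spd_matches(pkt: bytes, discard_net: str, check_rh: bool) -> bool:
    """True if the DISCARD selector covers this packet. check_rh=False is
    the next-hop-only reading (header destination alone); check_rh=True also
    tests every RH address, so the final destination cannot slip past."""
    net = ipaddress.ip_network(discard_net)
    dst, hops = parse_ipv6_with_rh(pkt)
    candidates = [dst] + (hops if check_rh else [])
    return any(addr in net for addr in candidates)


def build_pkt(dst: str, rh_hops=(), nxt_after: int = 59) -> bytes:
    """Construct a minimal IPv6 header (payload is the RH0 only, if any)."""
    hops = [ipaddress.IPv6Address(h).packed for h in rh_hops]
    rh = b""
    if hops:
        rh = (struct.pack("!BBBB", nxt_after, 2 * len(hops), 0, len(hops))
              + b"\x00" * 4 + b"".join(hops))
    nxt = IPV6_ROUTING if hops else nxt_after       # 59 = No Next Header
    hdr = struct.pack("!IHBB", 0x60000000, len(rh), nxt, 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed       # constructed source
    return hdr + src + ipaddress.IPv6Address(dst).packed + rh
```

With the header destination set to a permitted router and the blocked network appearing only in the RH, the next-hop-only check returns False while the RH-aware check returns True.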