
Re: [Ipsec] Public IP address & IP mobility



Hi Rajeev,

By maintaining a constant internal IP address (typically a private IP address, assigned by the gateway) in tunnel mode, it is possible to have the same IPSec SA, even if the IP address of the client changes when it moves from one AP (or AC) to another AP (or AC).
 
The following methods are followed:
1. The client notices that its interface IP address has changed, and deletes and re-establishes both the IPSec and IKE SAs. At times this is not good enough, as one may not want to have a delay in sending the packets.
2. The client changes the IP address of its SAs (inbound and outbound) to the new IP address. The server (gateway) notices the source IP address change in the data packets and, if the data packet is successfully decrypted/authenticated, changes the IP address in the corresponding outbound SA (note that, typically, the inbound SA is selected based on DIP, SPI, Protocol).
 
To address the above and even more generic problems, the MOBIKE group has been formed in the IETF and would be addressing these kinds of problems.
 
Srini
 
 
----- Original Message -----
From: Rajeev Gupta
To: ipsec@ietf.org
Sent: Sunday, August 22, 2004 8:37 PM
Subject: [Ipsec] Public IP address & IP mobility

Would appreciate if someone can reply to these 2 questions relating to IKEv2:

(the tunnel initiator is referred to as “client” and the tunnel terminator is the “gateway”)

- Is it possible for the client to learn its public IP address as seen by the gateway? The current NAT detection mechanism in IKEv2 only provides to the client the hash of its public IP address as seen by the gateway – why not the actual IP address itself?

- Is it possible for the client to maintain the IPSec tunnel with the gateway, if it changes its source IP address? This could happen if the client moves across subnets in a wireless network. Is there any specified mechanism to use Mobile IP with IPSec?

Thanks.

Rajeev Gupta


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
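
Added example (not part of the original thread or of any IPsec implementation): a simplified Python model of the gateway behaviour in method 2 of the reply, where the inbound SA is selected by (DIP, SPI, protocol) and the outbound peer address is changed only after the packet authenticates. HMAC-SHA256 stands in for ESP processing, the class and function names, addresses and key are constructed for illustration, and the sequence-number check before the update is an assumption of this example rather than something stated in the thread.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class SA:
    key: bytes         # integrity key (HMAC-SHA256 stands in for ESP here)
    peer_addr: str     # address the paired outbound SA sends to
    last_seq: int = 0  # simplified anti-replay: sequence must increase

def icv(key, spi, seq, payload):
    # The ICV covers SPI, sequence number and payload, not the outer IP header.
    msg = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

class Gateway:
    def __init__(self, addr):
        self.addr = addr
        self.sad = {}  # (DIP, SPI, protocol) -> SA

    def receive(self, src, dst, spi, seq, payload, tag, proto="esp"):
        sa = self.sad.get((dst, spi, proto))  # source address is not a selector
        if sa is None:
            return "no-sa"
        if not hmac.compare_digest(icv(sa.key, spi, seq, payload), tag):
            return "auth-failed"   # unauthenticated packets never move the peer
        if seq <= sa.last_seq:
            return "replayed"      # added assumption: replays never move it either
        sa.last_seq = seq
        if src != sa.peer_addr:
            sa.peer_addr = src     # outbound SA now follows the client
            return "accepted-peer-updated"
        return "accepted"

def demo():
    key = b"constructed-demo-key"  # constructed sample values throughout
    gw = Gateway("192.0.2.1")
    gw.sad[("192.0.2.1", 0x1001, "esp")] = SA(key, "198.51.100.10")
    pkt = lambda src, seq, k=key: (src, "192.0.2.1", 0x1001, seq, b"data",
                                   icv(k, 0x1001, seq, b"data"))
    results = [
        gw.receive(*pkt("198.51.100.10", 1)),           # client at old address
        gw.receive(*pkt("203.0.113.7", 2)),             # client moved to new AP
        gw.receive(*pkt("203.0.113.99", 3, b"wrong")),  # bad ICV, other source
        gw.receive(*pkt("203.0.113.99", 1)),            # old packet, other source
    ]
    return results, gw.sad[("192.0.2.1", 0x1001, "esp")].peer_addr

if __name__ == "__main__":
    print(demo())
```

Because the integrity check does not cover the outer IP header, the source address of a packet is trustworthy only to the extent that the packet itself is fresh and authenticated, which is why both checks run before `peer_addr` is touched.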