
Re: [Ipsec] Public IP address & IP mobility




Hi Rajeev,

Here are a few responses to your questions:

(a) My understanding is that the NAT-T functionality does indeed not
     allow you to discover your public IP address. (But where
     do you need that info? There may be other IETF protocols that
     can do this discovery for you if you really need it. For mobility
     you don't necessarily need it.)

(b) If you have IKEv2 and NAT-T, the client can actually move
     around, as NAT-T learns the new client address and can change
     that dynamically.

(c) MOBIKE WG is looking into a protocol extension to IKEv2 that
     would enable client address changes even when you are not using
     a NAT, enables multiple simultaneous addresses (multihoming),
     security against spoofed new addresses, etc.

(d) Mobile IP can also work together with IPsec, with the introduction
     of a server called the home agent in the network. See RFC 3775
     for details of the IPv6 case.

Hope this helps,

Jari

Rajeev Gupta wrote:
> Would appreciate if someone can reply to these 2 questions relating to 
> IKEv2:
> 
> (the tunnel initiator is referred to as “client” and the tunnel 
> terminator is the “gateway”)
> 
> - is it possible for the client to learn its public IP address 
> as seen by the gateway? The current NAT detection mechanism in IKEv2 
> only provides to the client the hash of its public IP address as seen by 
> the gateway – why not the actual IP address itself?
> 
> - Is it possible for the client to maintain the IPSec tunnel 
> with the gateway, if it changes its source IP address? This could happen 
> if the client moves across subnets in a wireless network. Is there any 
> specified mechanism to use Mobile IP with IPSec?
> 
> Thanks.
> 
> Rajeev Gupta
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Ipsec mailing list
> Ipsec@ietf.org
> https://www1.ietf.org/mailman/listinfo/ipsec
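
The NAT detection check discussed in this thread, as an added example that is not part of the original messages: the notification data is a SHA-1 digest of the two IKE SPIs, the IP address and the port (as published in RFC 7296, section 2.23), so the client can only test whether the gateway's view matches its own address, not read the address back. The SPIs, addresses and ports below are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import struct


def nat_detection_digest(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP address | port, as carried in the
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    addr = ipaddress.ip_address(ip).packed  # 4 octets for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def client_behind_nat(spi_i: bytes, spi_r: bytes, local_ip: str,
                      local_port: int, dest_ip_digest: bytes) -> bool:
    """Client-side check of the gateway's NAT_DETECTION_DESTINATION_IP data.

    The gateway hashed the address and port it sent its response to, which is
    the client's address as the gateway sees it. The client hashes its own
    local address and port; a mismatch means the address was rewritten in
    transit. The result is match / no match only, never the address itself.
    """
    expected = nat_detection_digest(spi_i, spi_r, local_ip, local_port)
    return not hmac.compare_digest(expected, dest_ip_digest)


# Constructed sample values (assumptions, not taken from the thread).
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")
LOCAL = ("10.0.0.5", 500)            # client's private address and port
PUBLIC = ("198.51.100.7", 61001)     # address and port after a NAT rewrite


def demo() -> dict:
    # Gateway side: digest of the client address it observed on the wire.
    via_nat = nat_detection_digest(SPI_I, SPI_R, *PUBLIC)
    direct = nat_detection_digest(SPI_I, SPI_R, *LOCAL)
    return {
        "nat": client_behind_nat(SPI_I, SPI_R, *LOCAL, via_nat),
        "direct": client_behind_nat(SPI_I, SPI_R, *LOCAL, direct),
    }


if __name__ == "__main__":
    print(demo())
```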

