[Gen-art] Re: Gen-ART review of draft-ietf-v6ops-ipsec-tunnels-04.txt
Fred Baker <fred@cisco.com> Wed, 13 December 2006 00:33 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GuI3V-0007Dg-0x; Tue, 12 Dec 2006 19:33:05 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GuI3T-0007DO-Mx for gen-art@ietf.org; Tue, 12 Dec 2006 19:33:03 -0500
Received: from sj-iport-5.cisco.com ([171.68.10.87]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GuI3S-0005bN-7l for gen-art@ietf.org; Tue, 12 Dec 2006 19:33:03 -0500
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-5.cisco.com with ESMTP; 12 Dec 2006 16:33:01 -0800
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id kBD0X1JG017425; Tue, 12 Dec 2006 16:33:01 -0800
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id kBD0X0io004074; Tue, 12 Dec 2006 16:33:01 -0800 (PST)
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 12 Dec 2006 16:33:00 -0800
Received: from [10.32.244.219] ([10.32.244.219]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 12 Dec 2006 16:32:59 -0800
In-Reply-To: <20061212225125.68694.qmail@web80613.mail.yahoo.com>
References: <20061212225125.68694.qmail@web80613.mail.yahoo.com>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <D2EAA008-8F08-4EAC-8572-E81D12FD844F@cisco.com>
Content-Transfer-Encoding: 7bit
From: Fred Baker <fred@cisco.com>
Date: Tue, 12 Dec 2006 16:32:59 -0800
To: Mohan Parthasarathy <mohanp@sbcglobal.net>, David Black <Black_David@emc.com>
X-Mailer: Apple Mail (2.752.3)
X-OriginalArrivalTime: 13 Dec 2006 00:33:00.0025 (UTC) FILETIME=[3E069690:01C71E4E]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=3692; t=1165969981; x=1166833981; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fred@cisco.com; z=From:=20Fred=20Baker=20<fred@cisco.com> |Subject:=20Re=3A=20Gen-ART=20review=20of=20draft-ietf-v6ops-ipsec-tunnel s-04.txt |Sender:=20; bh=kwHGcdfsTDdDtgoKZtvdlT8V+yJCbhb5pyZiWrlq40w=; b=fD/OtoANXpCzHXxFeVGs7O0tyLQ6frslXHyZXUK3VEwMQgaSSueOQF8ap7WahXzpIMIFU8V8 f0WCqvp/PfxL68to7/SXVc/9CVcrmp5UJqQX0GvxVQgaqJBVaIqw7u85;
Authentication-Results: sj-dkim-3; header.From=fred@cisco.com; dkim=pass (si g from cisco.com/sjdkim3002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 244a2fd369eaf00ce6820a760a3de2e8
Cc: David Kessens <david.kessens@nokia.com>, Hannes.Tschofenig@siemens.com, gen-art@ietf.org, Lindqvist Erik Kurt <kurtis@kurtis.pp.se>, rfg@acm.org, Pekka Savola <psavola@funet.fi>
Subject: [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-ipsec-tunnels-04.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org
On Dec 12, 2006, at 2:51 PM, Mohan Parthasarathy wrote: > In some implementations e.g., linux, to protect the traffic using > IPsec tunnel mode SA, traffic matching the selectors is given to > IPsec for protecting the traffic. IPsec is just another software > module that is neither visible as an interface nor in the routing > tables. By this it means that IPsec is not modeled as an interface > at all. On Dec 12, 2006, at 3:38 PM, Black_David@emc.com wrote: > Let's start with a router. In order for a router to forward an > IPv6 packet, it has to send it through an IPv6 interface, hence, > somewhere between where the forwarding table is consulted and where > the packet hits the wire, there is an "IPv6 interface". I think you guys are looking at two sides of one coin. IPSEC maintains its security association between a source and a destination IP address. As such, while one wants to call IPSEC before handing the datagram to IP (whether v4 or v6), in doing so one must predetermine which IP address will be used, which potentially implies which interface the datagram will be sent from. This would be consistent with RFC 1122's statement on page 62: (B) A host MAY restrict itself to sending (non-source- routed) IP datagrams only through the physical interface that corresponds to the IP source address of the datagrams. Ideally, that means that first IPv6 has to decide which interface is used by the route to the destination as a next hop interface, select the source address from the interface, let IPSEC sign or encrypt the message, add the IPv6 header, and then hand the datagram to the device driver. In a purely layered sense, that is borderline bizarre. So what I understand existing implementations to do is select an IP address a priori (there often is only one interface, so selecting the most global address available is an algorithm that always works), do the IPSEC part, do the IPv6 part, and let IPv6 hand the thing to a device driver. That's what Mohan is describing. In a router, where IPSEC is usually in tunnel mode and one interface is as good as another, the need for IPSEC use and the set of security associations used on a given interface (eg, from that interface's address) is an attribute used in forwarding the IP datagram. At the point where IP is about to copy the link layer header onto the head of the datagram, it asks what kind of link layer is in use. One kind of "link layer" requires the addition of an IPSEC header, another IP header, and a link layer header. That's what David is describing. Mohan, any time a system, host or router, sends a datagram, it has to account for having done so using the RFC 2863 Interface MIB, it has to determine whether the ability to send datagrams is currently administratively enabled. It derives ifIndex from the route entry (see InetCidrRouteEntry in RFC 4292) that it uses to forward the datagram, or from the IpDefaultRouterEntry described in RFC 4293. This table is "the interface" from a management and configuration perspective, and is found near whatever the software is dealing with internally. This is what David is asking about. Trust me, at least from the perspective of a network management model, anywhere an IP datagram potentially leaves the box there is an IPv6 interface. Internally, it's what tells you that "on this device, when you send an IPv6 datagram to a given immediate neighbor, whether router or host, you call <this> driver and do <this> with the datagram". _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Gen-ART review of draft-ietf-v6ops-ipse… Black_David
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Fred Baker
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Pekka Savola
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Mohan Parthasarathy
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Mohan Parthasarathy
- [Gen-art] RE: Gen-ART review of draft-ietf-v6ops-… Black_David
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Fred Baker
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Mohan Parthasarathy
- [Gen-art] RE: Gen-ART review of draft-ietf-v6ops-… Black_David
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Pekka Savola
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Mohan Parthasarathy
- RE: [Gen-art] Re: Gen-ART review ofdraft-ietf-v6o… Black_David