[Hipsec] To tunnel or not
Robert Moskowitz <rgm@htt-consult.com> Wed, 19 August 2009 22:30 UTC
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1AA1C3A6B6E for <hipsec@core3.amsl.com>; Wed, 19 Aug 2009 15:30:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.493
X-Spam-Level:
X-Spam-Status: No, score=-2.493 tagged_above=-999 required=5 tests=[AWL=0.106, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LFQZvujNGkK6 for <hipsec@core3.amsl.com>; Wed, 19 Aug 2009 15:30:44 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [208.83.67.147]) by core3.amsl.com (Postfix) with ESMTP id AD04F3A69DE for <hipsec@ietf.org>; Wed, 19 Aug 2009 15:30:44 -0700 (PDT)
Received: from z9m9z.htt-consult.com (localhost.localdomain [127.0.0.1]) by z9m9z.htt-consult.com (8.13.8/8.13.8) with ESMTP id n7JMUhXE028473 for <hipsec@ietf.org>; Wed, 19 Aug 2009 18:30:43 -0400
Received: from nc2400.htt-consult.com (onlo.htt-consult.com [208.83.67.148]) by z9m9z.htt-consult.com (Scalix SMTP Relay 11.3.0.11339) via ESMTP; Wed, 19 Aug 2009 18:30:40 -0400 (EDT)
Date: Wed, 19 Aug 2009 18:30:37 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
To: hipsec@ietf.org
Message-ID: <4A8C7D0D.7010708@htt-consult.com>
x-scalix-Hops: 1
User-Agent: Thunderbird 2.0.0.22 (X11/20090625)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Disposition: inline
Subject: [Hipsec] To tunnel or not
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2009 22:30:46 -0000
ESP Transport in a bound, end-to-end operation or ESP Tunnel with HITS (or LSI?) explicit. Developers have reported challenges in using what we have been calling BEET mode, and have pointed out that if explicit tunnels were used, then the special HIP "optimization" (? right word) of Transport mode would be avoided. I have at least two technical problems with use of tunnel mode: What is enumerated in the tunnel? HITs always or HITs for IPv6 apps and LSIs for IPv4? (as we have demonstarted that IPv4 apps work well over HIP over IPv6). If HITs how will this work for IPv4? I suspect that someone can explain how this could 'work'? Would there be expectations on tunnel behaviour that would have to be negotiated? My basic philosophy was ESP transport was used as a 'short hand' for the HIP connection between two hosts. That HIP is not a key negotiation for ESP, but that ESP is used operationally to simplify HIP (not to develop YAP) with SPIs being pointers to the underlying HITs (did I remember that right? :) ). I can see where the process between two hosts is a tunneling process and in that HIP is used to secure the tunnel, but here the tunnel is not coupled to HIP but rather the process between two hosts that uses HIP. Does that make enough sense? These are reasonable questions that have been asked of me over the past year, and I would like to get some other's views.
- [Hipsec] To tunnel or not Robert Moskowitz
- Re: [Hipsec] To tunnel or not Laganier, Julien
- Re: [Hipsec] To tunnel or not Miika Komu