Re: [Hipsec] ESP in clientVPN tunnel mode - what is needed in exchange
Robert Moskowitz <rgm@htt-consult.com> Mon, 19 May 2014 18:14 UTC
Message-ID: <537A49F3.5050606@htt-consult.com>
Date: Mon, 19 May 2014 14:14:11 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
To: hip WG <hipsec@ietf.org>
References: <537A48B6.9030202@htt-consult.com>
In-Reply-To: <537A48B6.9030202@htt-consult.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/QR25cXF5lgYB9R7w0liKSTFBEzE
Subject: Re: [Hipsec] ESP in clientVPN tunnel mode - what is needed in exchange
More thoughts.

2 reserved bits can be used:

1 bit to indicate tunnel rather than transport
1 bit to indicate IPv4 or IPv6 tunnel addressing

Initially use the HIT/LSI to carry DHCP/RA packets through tunnel? Though LSI is a bit messy. Though again, others more familiar with this part may tell me how easy this is to handle.

On 05/19/2014 02:08 PM, Robert Moskowitz wrote:
> I have a real need to provide ESP tunnel mode from a HIP client to a
> gateway. The world just won't go as nicely as I would have wanted it to.
>
> In the HIPL manual, there is an example of running OpenVPN within the
> BEET ESP connection, but I don't think that ends up with the same as
> ESP tunnel mode.
>
> So what would be needed. Simply an indicator that tunnel mode is in
> use, then run DHCP (or RA) through the tunnel? Actually send addressing
> information as HIP parameters?
>
> You don't want to use HITs in RFC4303 tunnel mode as is described in
> 5202-bis. You can use the initiator's (client) HIT, but then you would
> still need to map it on the gateway side.
>
> Probably have to go look at what ESP does for tunnel support :) but
> comments are welcome.
>
> The tunnel needs to act differently than 'classic ESP tunnel' so that HIP
> mobility is maintained.
>
> I suspect that others have given this more thought in actually
> implementing it, so please direct me to any papers on this.
>
> Thanks
>
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec
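The reserved-bit signalling sketched in the message above, as an added example (not code from the thread, from HIPL, or from any RFC). The message does not say which parameter's reserved bits would carry the two flags; this example assumes the 16-bit Reserved field of the ESP_TRANSFORM parameter (RFC 7402), with bit 15 meaning "tunnel rather than transport/BEET" and bit 14 meaning "IPv6 tunnel addressing". Those bit positions, the flag names, and the strict rejection of other reserved bits are my assumptions. The parameter wire layout (Type, Length counting only the Contents, Reserved, 16-bit Suite IDs, padding to an 8-octet boundary) is the one RFC 7401/7402 define. The example also shows the interop caveat a practitioner would check first: a peer running unmodified RFC 7402 ignores Reserved on receipt and sends it as zero, so the tunnel bit can only be considered agreed when both sides' parameters carry it.

```python
"""ESP_TRANSFORM parameter with two proposed flag bits in the Reserved field.

Added example; flag positions are assumptions, not part of RFC 7402 or the
thread. Sample parameters below are constructed, not captured traffic.
"""
import struct

ESP_TRANSFORM_TYPE = 4095          # RFC 7402 parameter type
FLAG_TUNNEL = 0x8000               # assumed: tunnel mode rather than transport/BEET
FLAG_TUNNEL_IPV6 = 0x4000          # assumed: tunnel addressing is IPv6 (else IPv4)
KNOWN_FLAGS = FLAG_TUNNEL | FLAG_TUNNEL_IPV6

# RFC 7402 suite ID used in the samples: 1 = AES-128-CBC with HMAC-SHA1
SUITE_AES128_CBC_HMAC_SHA1 = 1


def build_esp_transform(suites, tunnel=False, ipv6=False):
    """Encode an ESP_TRANSFORM parameter, placing the proposed flags in Reserved."""
    if not suites:
        raise ValueError("at least one suite ID is required")
    if ipv6 and not tunnel:
        raise ValueError("IPv6 addressing flag is meaningless without tunnel flag")
    reserved = 0
    if tunnel:
        reserved |= FLAG_TUNNEL
    if ipv6:
        reserved |= FLAG_TUNNEL_IPV6
    contents = struct.pack("!H", reserved) + b"".join(struct.pack("!H", s) for s in suites)
    # Length counts only the Contents, not Type/Length/padding (RFC 7401 5.2.1)
    param = struct.pack("!HH", ESP_TRANSFORM_TYPE, len(contents)) + contents
    param += b"\x00" * (-len(param) % 8)   # pad to an 8-octet boundary
    return param


def parse_esp_transform(data, legacy=False):
    """Decode an ESP_TRANSFORM parameter.

    legacy=True models an unmodified RFC 7402 receiver: Reserved is ignored,
    so such a peer never sees a tunnel request at all.
    """
    if len(data) < 8:
        raise ValueError("short parameter")
    ptype, length = struct.unpack("!HH", data[:4])
    if ptype != ESP_TRANSFORM_TYPE:
        raise ValueError("not an ESP_TRANSFORM parameter")
    if length < 4 or length % 2:
        raise ValueError("bad length %d" % length)
    if len(data) < 4 + length:
        raise ValueError("truncated parameter")
    reserved = struct.unpack("!H", data[4:6])[0]
    nsuites = (length - 2) // 2
    suites = list(struct.unpack("!%dH" % nsuites, data[6:4 + length]))
    if legacy:
        return {"suites": suites, "tunnel": False, "ipv6": False}
    # Assumption: an upgraded receiver rejects reserved bits it does not know,
    # rather than silently ignoring them.
    if reserved & ~KNOWN_FLAGS:
        raise ValueError("unknown reserved bits set: 0x%04x" % reserved)
    tunnel = bool(reserved & FLAG_TUNNEL)
    ipv6 = bool(reserved & FLAG_TUNNEL_IPV6)
    if ipv6 and not tunnel:
        raise ValueError("IPv6 flag set without tunnel flag")
    return {"suites": suites, "tunnel": tunnel, "ipv6": ipv6}


def tunnel_in_effect(local, peer):
    """Tunnel mode is agreed only when both decoded parameters carry the flag.

    A legacy peer echoes Reserved as zero, so the local request alone must
    never switch the SA into tunnel mode.
    """
    if not (local["tunnel"] and peer["tunnel"]):
        return {"tunnel": False, "ipv6": False}
    if local["ipv6"] != peer["ipv6"]:
        raise ValueError("peers disagree on tunnel address family")
    return {"tunnel": True, "ipv6": local["ipv6"]}


if __name__ == "__main__":
    mine = build_esp_transform([SUITE_AES128_CBC_HMAC_SHA1], tunnel=True, ipv6=True)
    print(mine.hex())
    upgraded_peer = parse_esp_transform(mine)
    legacy_peer = parse_esp_transform(mine, legacy=True)
    print("upgraded peer agrees:", tunnel_in_effect(upgraded_peer, upgraded_peer))
    print("legacy peer agrees:  ", tunnel_in_effect(upgraded_peer, legacy_peer))
```

The design point the parser makes explicit is that a reserved bit is a request, not a negotiation: the initiator has to confirm the bit in the parameter it gets back before installing a tunnel-mode SA, otherwise a client talking to an old gateway would send tunnel-mode ESP that the gateway decapsulates as BEET.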