Re: IPsec and Mobile IPv6

Jari Arkko <jari.arkko@piuha.net> Thu, 18 July 2002 19:13 UTC

Message-ID: <3D35066C.4060900@piuha.net>
Date: Wed, 17 Jul 2002 08:53:48 +0300
From: Jari Arkko <jari.arkko@piuha.net>
To: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Cc: ipsec@lists.tislabs.com, "'mobile-ip@sunroof.eng.sun.com'" <mobile-ip@sunroof.eng.sun.com>
Subject: Re: IPsec and Mobile IPv6
References: <200207082320.g68NKZGF039788@givry.rennes.enst-bretagne.fr>

Hi Francis,

> The second version of my draft about IPsec and Mobile IPv6 is
> available (name : draft-dupont-ipsec-mipv6-01.txt).


(Sorry for the crosspost -- perhaps replies can go to the mobile ip
list only.)

Your draft looks like a very useful analysis of various cases
regarding mobility and IPsec. But I still lack some practical
background information so that this work could be taken into account
in the relevant protocol descriptions. In particular, could you
classify your recommendations as

   1) Those that restate something which already is in the
      current protocol specifications (but perhaps not stated
      clearly enough).

   2) Those which fix something that would break MIPv6
      security. Draft draft-ietf-mobileip-ipv6-18.txt uses IPsec
      for a part of its security, namely for the HA - MN signaling.
      A more detailed description including SPD entries can be
      found at http://www.piuha.net/~jarkko/publications/mipv6/ipsec_usage.txt

   3) Those which fix something that would break IPsec
      when used for protecting regular payload traffic
      in the presence of MIPv6.

   4) Those that make IPsec work smoother, more efficiently, or
      with less configuration when used together with mobility
      or for the protection of mobility signaling.

   5) Architectural long-term recommendations.

   6) Something completely different.

In particular class 2 is interesting for completing the MIPv6 work,
as is class 3. From my initial understanding, your recommendations
can be classified as follows:

    1) A, C1, C2, E1, E2, E3, G, H, I, K, M, O, Q
    2) P [makes use of IKE for HA-MN security hard -- this is
       very interesting, thanks!]
    3) nothing?
    4) B, F [and I think we were disagreeing on the mip list whether
       these two are good goals], L1, L2, R
    5) nothing?
    6) D [of course!], J
    unclear: N

Is this correct? How do we go about fixing P, is your recommendation
the only way to handle that? Is there anything in the MIPv6 documents
that you'd like to clarify in class 1?

Jari