Re: Inbound packet processing- mobile host problem

Pyda Srisuresh <srisuresh@yahoo.com> Tue, 04 April 2000 03:43 UTC

Message-ID: <20000404022500.28406.qmail@web1406.mail.yahoo.com>
Date: Mon, 03 Apr 2000 19:25:00 -0700
From: Pyda Srisuresh <srisuresh@yahoo.com>
Subject: Re: Inbound packet processing- mobile host problem
To: Stephen Kent <kent@bbn.com>, "venkatn@future.futsoft.com" <venkatn@future.futsoft.com>
Cc: "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>


--- Stephen Kent <kent@bbn.com> wrote:
> At 8:05 PM +0530 3/31/00, Venkatesh N wrote:
> >Hi all
> >I have the following doubts regarding the IPSEC
> >
> >(1) According to the RFC, for the inbound packets, the SA (tunnel
> >mode) is retrieved based on the
> >
> >             --The Destination IP address of the Outer IP header
> >             --SPI
> >             --IPsec protocol
> >
> >     (a) Does this mean that the security gateway can allot the same
> >     SPI value for the different IP addresses (supposing it has
> >     more than one IP address)?
> 
> Yes.
> 
> >(2) In the case of a mobile host contacting the home security
> >gateway after dialing to a local PPP server on the Internet and
> >then crossing the Internet to the home organization's firewall,
> >then is there any automated way for the discovery/verification
> >of the security gateway/mobile host??
> 
> There is no automated security gateway discovery protocol today.
> 

Well, a good way to do this would be to make the PPP server the security
gateway. By doing this, you have the added benefits of being able to
monitor IPsec SA status and scale to a large number of user security
profiles. Take a look at <draft-ietf-pppext-secure-ra-00.txt>.
 
> Steve
> 
> 

cheers,
suresh

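
The inbound SA lookup discussed in question (1), as an added example that is not part of the original messages and not taken from any IPsec implementation: it extracts the (outer destination address, IPsec protocol, SPI) triple from an IPv4 packet and shows that one SPI value can identify different SAs on different gateway addresses. The function names, the dictionary-based SAD, and all addresses and SPI values are constructed for illustration.

```python
import ipaddress
import struct

ESP, AH = 50, 51  # IANA IP protocol numbers

def selector(packet: bytes):
    """Return (outer dst, IPsec protocol, SPI) for an IPv4 ESP/AH packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length, options included
    proto = packet[9]
    # ESP carries the SPI in its first 4 bytes; AH carries it after the
    # next-header, payload-length and 2 reserved bytes.
    offsets = {ESP: ihl, AH: ihl + 4}
    if ihl < 20 or proto not in offsets:
        raise ValueError("bad header length or not ESP/AH")
    off = offsets[proto]
    if len(packet) < off + 4:
        raise ValueError("truncated IPsec header")
    (spi,) = struct.unpack_from("!I", packet, off)
    return ipaddress.IPv4Address(packet[16:20]), proto, spi

def lookup_sa(sad, packet):
    """Inbound lookup: exact match on the triple, else None (drop)."""
    try:
        return sad.get(selector(packet))
    except ValueError:
        return None

def build(dst, proto, spi):
    """Constructed test packet: minimal IPv4 header plus IPsec header stub."""
    src = ipaddress.IPv4Address("198.51.100.7").packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                      src, ipaddress.IPv4Address(dst).packed)
    if proto == ESP:
        return hdr + struct.pack("!II", spi, 1)
    return hdr + struct.pack("!BBHII", 4, 4, 0, spi, 1)

# Constructed SAD: one gateway with two local addresses, same SPI on both.
SAD = {
    (ipaddress.IPv4Address("192.0.2.1"), ESP, 0x1000): "SA-A",
    (ipaddress.IPv4Address("192.0.2.2"), ESP, 0x1000): "SA-B",
    (ipaddress.IPv4Address("192.0.2.1"), AH, 0x1000): "SA-C",
}
```

A packet whose triple matches no entry returns `None`, which an inbound path would treat as a drop.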