Re: [MEXT] FW: New Version Notification for draft-bajko-mext-sod-02.txt

[Julien Laganier <julien.ietf@gmail.com>]

Following-up on one of the points:

>>> 2. Use of IKEv2/RFC 4877
>>>
>>> If the MN is in a location where it decides to enable security protection
>>> for the data traffic, it can certainly establish an IPsec SA for the
>>> tunnel
>>> mode ESP. Wondering, if this needs to be achieved over a MIP control plane
>>> and the advantages with that approach ? Even if this needs to be
>>> determined
>>> after the MIP session set up, still there needs to be IKEv2 protocol
>>> exchange for creating the SA ? Nothing stops either the HA or the MN to
>>> create an SA for the tunnel mode ESP.
>>
>> I guess you are missing the point. An MN may create an IPsec SA for the
>> data plane as well using IKEv2. But it is not required that traffic
>> actually flow via this SA. MIP6 does not have a policy or mechanism as to
>> when security for the data plane is applied. This I-D is addressing the
>> issue by providing a means by which security for traffic can be switched
>> on. An MN may create an Ipsec SA at the time of registration for the data
>> plane as well but it is not required that traffic be secured with that SA.
>> but it is not required that traffic be secured with that SA.

an SA for data traffic wouldn' t be created if the SPD doesn' t
require data traffic to be protected by an SA...

> I understood the principle of moving this nego (enable/disable to MIP
> control plane. But, I did not understand the last line. If there is SA for
> tunnel mode ESP, can the HA not drop the traffic not protected with the
> negotiated IPsec SA ?

As above, the SA wouldn' t be created if SPD doesn' t required data
traffic protection. If SPD requires data traffic protection, an SA
will be created.

--julien