[Mip6] Reg. IPsec configuration for Payloads in TAHI testsuite

"O.L.N.Rao" <olnrao@samsung.com> Fri, 30 January 2004 05:39 UTC

Date: Fri, 30 Jan 2004 11:02:12 +0530
From: "O.L.N.Rao" <olnrao@samsung.com>
To: mip6@ietf.org

Hello,

    Your TAHI MIPv6 CT suite is really very helpful
    to carefully understand each and every line (even word)
    of Draft-24.

    I am currently working with the 2.0.5 release, in which
    there is an IPsec configuration for Payload packets to & from MN.

    When IPSEC_* is set to YES:

    TN sends Echo Request with ESP applied twice, once in each mode:
    first in Transport Mode with SPI 2009, then in Tunnel Mode with
    SPI 2007.

    When NUT receives this packet, it could find SPI 2007 in its Policy DB
    and could decrypt and decapsulate.  However, when trying to find
    the policy for SPI 2009, it fails, because currently our IPsec
    cannot be applied differently for each ICMPv6 message type.  We can
    only apply it on a per-protocol basis.  So, whatever is configured for Prefix Discovery
    automatically covers all the ICMPv6 packets.  Because SPDs
    are ordered, the Payload policy configuration is applicable only to
    non-MIPv6 and non-ICMPv6 packets.  Also, the configuration for MN
    with spi_e is not clear to me.  It has two values?


    Let me know whether my understanding is correct (that is, the policy given is per
    ICMPv6 message type, and MPS & MPA need one policy and all others need
    another policy).


   The following snippet is from the draft draft-ietf-mobileip-mipv6-ha-ipsec-06.txt:

   5.2.3 Prefix Discovery
   In the following we describe some additional SPD and SAD entries to
   protect prefix discovery.  Note that the SPDs described above protect
   all ICMPv6 traffic between the mobile node and the home agent, as
   IPsec may not have the ability to distinguish between different
   ICMPv6 types. 


    This is true of our IPsec implementation.  Also note that payload protection is
    a MAY in the draft, whereas all others are a MUST + SHOULD combination.
    I tried setting IPSEC_PAYLOAD* to NO and running the script.  Then TN sends
    Echo Request in plain text (no IPsec policy applied).  But as per
    the order of policies, it SHOULD have had the Prefix Discovery policy applied,
    as it covers all ICMPv6 packets (again, this statement is only applicable if
    your TAHI IPsec scripts work on a per-protocol basis, and not per ICMP message type).


    Your clarification in this regard would be very helpful for us to proceed.

    Thanks in advance.



Regards,
O.L.N.Rao
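
The ordered-SPD behaviour discussed in the message above, as an added example that is not part of the original post or of the TAHI test suite: a first-match policy lookup run once with ICMPv6-type selectors and once with per-protocol selectors only. The SPD entries, policy names and sample packets are constructed for illustration; the ICMPv6 type and next-header numbers are the IANA-assigned values.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

MH, ICMPV6, TCP = 135, 58, 6            # IPv6 next-header values
ECHO_REQUEST, MPS, MPA = 128, 146, 147  # ICMPv6 types (IANA)

@dataclass(frozen=True)
class Policy:
    name: str                                     # hypothetical label
    proto: Optional[int]                          # None matches any protocol
    icmp_types: Optional[FrozenSet[int]] = None   # None matches any ICMPv6 type

# Constructed SPD, ordered as the message describes: MIPv6 signalling,
# then Prefix Discovery, then the catch-all payload policy.
SPD = [
    Policy("mobility-signalling", MH),
    Policy("prefix-discovery", ICMPV6, frozenset({MPS, MPA})),
    Policy("payload", None),
]

def lookup(spd, proto, icmp_type=None, type_aware=True):
    """Return the name of the first matching policy (ordered SPD)."""
    for p in spd:
        if p.proto is not None and p.proto != proto:
            continue
        # A per-protocol implementation cannot evaluate the type selector,
        # so the entry degrades to "all ICMPv6".
        if type_aware and p.icmp_types is not None and icmp_type not in p.icmp_types:
            continue
        return p.name
    return None

def divergent(spd, packets):
    """Packets for which the two selector granularities pick different policies."""
    out = []
    for label, proto, icmp_type in packets:
        fine = lookup(spd, proto, icmp_type, type_aware=True)
        coarse = lookup(spd, proto, icmp_type, type_aware=False)
        if fine != coarse:
            out.append((label, fine, coarse))
    return out

PACKETS = [  # constructed sample traffic between MN and HA
    ("Echo Request", ICMPV6, ECHO_REQUEST),
    ("Mobile Prefix Solicitation", ICMPV6, MPS),
    ("Binding Update", MH, None),
    ("TCP payload", TCP, None),
]

if __name__ == "__main__":
    for row in divergent(SPD, PACKETS):
        print(row)
```

Only the Echo Request diverges: a type-aware SPD hands it to the payload policy, while a per-protocol SPD matches it against the earlier Prefix Discovery entry, which is the mismatch a peer expecting per-type policies would see as an unknown SA.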