[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006

To: "Bound, Jim" <Jim.Bound@hp.com>
Subject: Re: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006
From: Brian E Carpenter <brc@zurich.ibm.com>
Date: Tue, 18 Jul 2006 13:24:19 +0200
Cc: shim6@psg.com
In-reply-to: <816DD9299957E547B5D758D7F977D6DC2EF649@tayexc14.americas.cpqcorp.net>
Organization: IBM
References: <816DD9299957E547B5D758D7F977D6DC2EF649@tayexc14.americas.cpqcorp.net>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

Sure, in my shim6 world the ULID is an initially valid locator.
Of course, it may become invalid dynamically during the course
of a session, but that will not invalidate the SA as far as
I can see.

   Brian

Bound, Jim wrote:

Brian, you have missed the point and I will have to respond more later.
This was discused in the WG meeting.  SAs must coorespond to loactors
and if those are ULIDs fine,  but if not there is an IPsec architecture
problem here. Your comment on how IP works is not how practice or
implementations work but only in IETF marketing powerpoint charts.
Best,
/jim
-----Original Message-----
From: Brian E Carpenter [mailto:brc@zurich.ibm.com]Sent: Saturday, July 15, 2006 10:02 PM
To: Bound, Jim
Cc: shim6@psg.com
Subject: Re: IPsec Issue Discussed for Shim6 at IETF MeetingJuly 10, 2006
Jim, I don't understand your architectural issue here. IPSecis very much an end-to-end protocol so relies on an e2eidentifier (which is why we have to fiddle around to getIPSec through NAT). It isn't required that all packetsbelonging to a given SA travel the same path, because IPdoesn't have that property anyway. So none of myarchitectural alarms go off here. (I'd certainly have noproblem with the chairs asking for an early Security Areareview, however.)
The shim is clearly placed below IPSec in the stack. That wasdocumented in draft-ietf-shim6-l3shim. Is that draft dead?
    Brian

Bound, Jim wrote:
Per the Chairs to WG,
Currently for Shim6 the ULIDs are used to encrypt and decrypt theShim6 packet per discussions on this with the authors for
IPsec. This
is done and possible because there is a context associated with thelocator pair from out-of-bound message exchange at each end
point to
identify the ULIDs for location pair association. This means thelocator pair in the IP header are not used for IPsec encyrpt anddecrypt as is done today according to IPsec.
This is using out-of-bound signals to set up IPsec and wasspecifically rejected as a method for IPsec when defining the IPsecarchitecture back in 1995 at IETF Danvers meeting. In addition thistype of use of IPsec should be verified and supported by
the IPsec WG within the IETF.
This could be an IETF Last Call objection presented to the IESG for
Shim6 base protocol spec. In addition this part of Shim6 requiresmuch better writing and explanation to provide absolute
clarity of the
situation and mechanics for processing IPsec.

Best,
/jim

Follow-Ups:
- Re: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006
  - From: Joe Abley <jabley@ca.afilias.info>

References:
- RE: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006
  - From: "Bound, Jim" <Jim.Bound@hp.com>

Prev by Date: RE: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006
Next by Date: Re: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006
Previous by thread: RE: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006
Next by thread: Re: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006
Index(es):
- Date
- Thread