
Re: IPsec !?, was: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



 In your previous mail you wrote:

   > => but this is not true: in MIPv6 RO both addresses (locator/care-of
   > and ULID/home) are in all packets.
   
   so, how does this affect the IPsec processing? I mean the shim6 
   processing (and the MIP processing) are both performed before the IPsec 
   processing,

=> the word before without the context (inbound/outbound) has no meaning...

   so the ULIDs are restored to the IPv6 header address 
   fields, so in both cases there is an address restoration before the 
   IPsec processing
   
=> read RFC 4301 for the definition of a BITW.

   I mean, I would really like to address this issue and make the changes 
   required to the shim6 protocol spec in order to satisfy this concern, 
   but I simply fail to understand what the problem is...

=> of course, you don't know what a BITW is.

   having a 
   detailed statement of what the problem is and why this is different 
   than what occurs in other protocols like MIP would be really useful to 
   move forward (or at least it would be really useful for me to 
   understand what the problem is)
   
   if others do understand the problem and could enlighten me, I would 
   appreciate it...
   
=> Jim's argument is based on architectural considerations but ends with
the same issue: you have the locators when you need the ULIDs.   
   
Regards

Francis.Dupont@point6.net

PS: from RFC 4301 section 3.3:

   c. The use of a dedicated, inline security protocol processor is a
      common design feature of systems used by the military, and of some
      commercial systems as well.  It is sometimes referred to as a
      "bump-in-the-wire" (BITW) implementation.  Such implementations
      may be designed to serve either a host or a gateway.  Usually, the
      BITW device is itself IP addressable.  When supporting a single
      host, it may be quite analogous to a BITS implementation, but in
      supporting a router or firewall, it must operate like a security
      gateway.

I know some real cases of BITW, the first one in Steve Bellovin's laptop
at the IETF (a Linux PC-Card acting as both an Ethernet NIC and
an IPsec BITW; BTW the laptop itself ran NetBSD), another in a Cisco
router (simply because it was too hard/expensive/... to integrate it
directly into the box itself) and many other examples in military
contexts (where there are very good reasons to use BITW).

BTW shim6 is very stack-integration oriented, perhaps it should consider for
itself other kinds of implementations...
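The ordering argument in the message above (a BITW sees the packet as it is on the wire, so it holds locators at the moment an SPD written in ULIDs needs to be consulted, whereas MIPv6 RO still carries the home address in every packet) can be made concrete with a small model. The following is an added example written for this archive page; it is not code from the message, from the shim6 specification or from any IPsec implementation. It assumes that a shim6 packet on the wire carries only locators in the IPv6 header plus a context tag in the shim6 payload extension header, that a MIPv6 RO packet carries the home address in a Home Address option (mobile node to correspondent) or a type 2 routing header (correspondent to mobile node), and that the SPD is a simple list of (src, dst, action) selectors in ULID space. The addresses, context tag and SPD entries are constructed sample values, and only the SPD lookup is modelled, not ESP/AH processing.

```python
"""Toy model: IPsec policy lookup keyed on ULIDs, seen from a stack-integrated
host versus a bump-in-the-wire (BITW) box. Added example, not the shim6 spec."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample addresses (RFC 3849 documentation prefix).
PEER_ULID, PEER_LOC = "2001:db8:1::1", "2001:db8:11::1"
HOST_ULID, HOST_LOC = "2001:db8:2::1", "2001:db8:22::1"

# SPD selectors are written in ULID (home address) space, as a host would.
SPD = [
    (PEER_ULID, HOST_ULID, "PROTECT"),
    (HOST_ULID, PEER_ULID, "PROTECT"),
]


@dataclass
class Packet:
    src: str
    dst: str
    shim6_tag: Optional[int] = None  # shim6 payload ext header: context tag only
    mip_hao: Optional[str] = None    # MIPv6 Home Address option: home addr of src
    mip_rh2: Optional[str] = None    # MIPv6 type 2 routing header: home addr of dst


def spd_lookup(src: str, dst: str) -> str:
    """RFC 4301 style policy lookup: no matching selector means discard."""
    for s, d, action in SPD:
        if (s, d) == (src, dst):
            return action
    return "DISCARD"


@dataclass
class Shim6Context:
    tag: int
    ulids: Tuple[str, str]     # (local ULID, peer ULID)
    locators: Tuple[str, str]  # (local locator, peer locator)


CTX = Shim6Context(42, (HOST_ULID, PEER_ULID), (HOST_LOC, PEER_LOC))  # constructed


def shim6_out(pkt: Packet, ctx: Shim6Context) -> Packet:
    """Outbound shim in the host stack: ULIDs -> locators, add the context tag."""
    if (pkt.src, pkt.dst) != ctx.ulids:
        return pkt
    return Packet(ctx.locators[0], ctx.locators[1], shim6_tag=ctx.tag)


def shim6_in(pkt: Packet, ctx: Shim6Context) -> Packet:
    """Inbound shim in the host stack: context tag -> restore the ULIDs."""
    if pkt.shim6_tag != ctx.tag:
        return pkt
    return Packet(ctx.ulids[1], ctx.ulids[0])  # src = peer ULID, dst = local ULID


def integrated_outbound(pkt: Packet, ctx: Shim6Context) -> Tuple[str, Packet]:
    """Stack-integrated host: IPsec policy runs on ULIDs, then the shim rewrites."""
    return spd_lookup(pkt.src, pkt.dst), shim6_out(pkt, ctx)


def integrated_inbound(wire: Packet, ctx: Shim6Context) -> str:
    """Stack-integrated host: the shim restores ULIDs, then IPsec policy runs."""
    pkt = shim6_in(wire, ctx)
    return spd_lookup(pkt.src, pkt.dst)


def bitw_policy(wire: Packet) -> str:
    """A BITW box sees the packet exactly as it is on the wire, both directions.

    For MIPv6 RO the home address is present in the packet itself, so the box
    can substitute it before the lookup. For shim6 only a context tag is on the
    wire; without the host's shim6 context state the locators cannot be mapped
    back to ULIDs here.
    """
    src, dst = wire.src, wire.dst
    if wire.mip_hao is not None:
        src = wire.mip_hao
    if wire.mip_rh2 is not None:
        dst = wire.mip_rh2
    return spd_lookup(src, dst)


if __name__ == "__main__":
    action, wire = integrated_outbound(Packet(HOST_ULID, PEER_ULID), CTX)
    print("shim6 outbound, integrated:", action, "-> wire", wire.src, wire.dst)
    print("shim6 outbound, BITW:      ", bitw_policy(wire))
    inbound = Packet(PEER_LOC, HOST_LOC, shim6_tag=42)
    print("shim6 inbound, integrated: ", integrated_inbound(inbound, CTX))
    print("shim6 inbound, BITW:       ", bitw_policy(inbound))
    print("MIPv6 RO inbound, BITW:    ",
          bitw_policy(Packet(PEER_ULID, HOST_LOC, mip_rh2=HOST_ULID)))
```

The shim6 rows come out PROTECT when IPsec is integrated in the stack on the ULID side of the shim and DISCARD in the BITW case, in both directions, while the MIPv6 RO packet still matches in the BITW because the home address travels in the packet. A real BITW could of course be taught shim6 context state, which is the kind of implementation consideration the last paragraph of the message asks shim6 to think about.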