Re: visibility of identifier in shim6 payload packet (was: Re: IPsec !?...)
On 03/08/2006, at 19:18, Iljitsch van Beijnum wrote:
On 2-aug-2006, at 15:41, marcelo bagnulo braun wrote:
I am not sure what you mean by "at the same time"... these would be
different ways to implement BITW compatibility that need to be
negotiated in the shim6 protocol (either the processing is done
completely in the BITW device, or the ULID pair option is included in
the payload header so that the BITW device can restore the ULIDs).
FWIW, I am perfectly OK with doing only the first option...
So basically this means that IF a host has bump-in-the-wire IPsec
support, it MUST implement the shim in the BITW module and the host itself
MUST NOT do shim6?
Well, I would rephrase it a bit differently.
A host may have different shim6 and IPsec implementations, native and
If the host is using BITW IPsec, then if it wants to implement the
shim, it must use the BITW shim implementation... After all, if it is
using BITW IPsec, then the packet is already in the hardware device
when it enters the IPsec module, and if we want to do something below
IPsec we must do it in the hardware device itself, right?
If the host is using native IPsec, then it can use either BITW shim or
native shim, since there are no constraints about the packet already
being placed in the hardware device.
The second option isn't an option because information in the packet
can't be trusted.
Why not? I mean, what we are talking about here is implementations,
right? The protocol and the security features/mechanisms are exactly the
same, independently of the implementation, right? I mean, a BITW shim
implementation still uses HBAs and other shim6 security features, only
that in this case the processing is implemented in hardware, right?
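The layering constraint argued in the message above (the shim rewrites ULIDs to locators below IPsec, so IPsec must see ULIDs on both ends) can be shown with a small model. This is an added toy example, not code from the thread or from any shim6 or IPsec implementation: an HMAC stands in for the AH integrity check, the SA is selected by the (src, dst) address pair, and a single shim6 context maps one ULID pair to one locator pair. The addresses and key are constructed placeholders.

```python
"""Toy model: where the shim sits relative to IPsec decides whether the
IPsec SA lookup sees ULIDs (works) or locators (no SA)."""
import dataclasses
import hashlib
import hmac

# Constructed sample identifiers; not real addresses.
ULID_A, ULID_B = "2001:db8:a::1", "2001:db8:b::1"
LOC_A, LOC_B = "2001:db8:aa::1", "2001:db8:bb::1"
DEMO_SA_KEY = b"constructed-demo-sa-key"  # assumption: one pre-shared SA key


@dataclasses.dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""  # integrity check value, empty until IPsec adds it


class ToyAH:
    """Stand-in for IPsec AH: the SA is keyed by the address pair and the
    ICV covers src, dst and payload, so a rewritten address breaks it."""

    def __init__(self, sa_pairs):
        self.sa = {pair: DEMO_SA_KEY for pair in sa_pairs}

    @staticmethod
    def _icv(key, pkt):
        data = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
        return hmac.new(key, data, hashlib.sha256).digest()

    def send(self, pkt):
        key = self.sa[(pkt.src, pkt.dst)]  # KeyError: no SA for this pair
        return dataclasses.replace(pkt, icv=self._icv(key, pkt))

    def recv(self, pkt):
        key = self.sa.get((pkt.src, pkt.dst))
        if key is None or not hmac.compare_digest(self._icv(key, pkt), pkt.icv):
            raise ValueError(f"AH check failed for {pkt.src} -> {pkt.dst}")
        return dataclasses.replace(pkt, icv=b"")


class ToyShim:
    """Stand-in for the shim6 forwarding path: one context, ULID pair <-> locator pair."""

    def __init__(self, ulid_pair, loc_pair):
        self.to_locators = {ulid_pair: loc_pair}
        self.to_ulids = {loc_pair: ulid_pair}

    def send(self, pkt):
        loc = self.to_locators.get((pkt.src, pkt.dst))
        return pkt if loc is None else dataclasses.replace(pkt, src=loc[0], dst=loc[1])

    def recv(self, pkt):
        ulid = self.to_ulids.get((pkt.src, pkt.dst))
        return pkt if ulid is None else dataclasses.replace(pkt, src=ulid[0], dst=ulid[1])


def deliver(app_pkt, layers):
    """layers: application side first, wire side last; the receiver runs the
    same stack in reverse. Returns what the receiving application sees."""
    pkt = app_pkt
    for layer in layers:
        pkt = layer.send(pkt)
    for layer in reversed(layers):
        pkt = layer.recv(pkt)
    return pkt


def scenario(shim_below_ipsec):
    """True: shim below IPsec (both in the BITW device, or native IPsec with
    either shim). False: native shim in the host above BITW IPsec."""
    ipsec = ToyAH({(ULID_A, ULID_B)})  # SA is configured for the ULID pair
    shim = ToyShim((ULID_A, ULID_B), (LOC_A, LOC_B))
    layers = [ipsec, shim] if shim_below_ipsec else [shim, ipsec]
    app_pkt = Packet(ULID_A, ULID_B, b"hello")
    try:
        return "ok" if deliver(app_pkt, layers) == app_pkt else "modified"
    except KeyError:
        return "no SA for locator pair"
    except ValueError:
        return "icv mismatch"


if __name__ == "__main__":
    print("shim below IPsec :", scenario(True))
    print("shim above BITW IPsec:", scenario(False))
```

With the shim below IPsec the AH layer signs and verifies over ULIDs and the locator rewrite is invisible to it; with a native shim above a BITW IPsec module the packet reaches the device already carrying locators, for which no SA exists, which is why the message above says a BITW IPsec host must also run the shim in the BITW device.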