RE: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006
On out-of-band: as a note, I was a supporter of SKIP.  Good point, I had my
terminology backwards. What we are doing in shim6 is in-band signaling.
So exactly my point; thanks for the old references, that is good hunting
on your part.

Thanks
/jim 

> -----Original Message-----
> From: Henderson, Thomas R [mailto:thomas.r.henderson@boeing.com] 
> Sent: Wednesday, August 02, 2006 12:02 PM
> To: Bound, Jim; shim6@psg.com
> Subject: RE: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006
> 
> > -----Original Message-----
> > From: Bound, Jim [mailto:Jim.Bound@hp.com]
> > Sent: Tuesday, July 11, 2006 3:44 AM
> > To: shim6@psg.com
> > Subject: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006
> > 
> > Per the Chairs to WG,
> > 
> > Currently for Shim6 the ULIDs are used to encrypt and decrypt the
> > Shim6 packet per discussions on this with the authors for IPsec.
> > This is done and possible because there is a context associated with
> > the locator pair from out-of-band message exchange at each end point
> > to identify the ULIDs for locator pair association.  This means the
> > locator pair in the IP header is not used for IPsec encrypt and
> > decrypt as is done today according to IPsec.
> > 
> > This is using out-of-band signals to set up IPsec and was
> > specifically rejected as a method for IPsec when defining the IPsec
> > architecture back in 1995 at IETF Danvers meeting. In addition this
> > type of use of IPsec should be verified and supported by the IPsec WG
> > within the IETF.
> > 
> 
> Jim,
> Can you clarify this historical note?  I wasn't around for 
> the IPsec discussions then but I did go back to look at the 
> mail list at the time and it seems that, in fact, IPsec did 
> adopt an out-of-band signaling exchange (IKE), and that 
> in-band (SKIP proposal) was rejected.  Here is the start of a 
> thread on this subject:
> http://www.sandelman.ottawa.on.ca/ipsec/1995/02/msg00096.html
> but you seem to be using the terminology differently.
> 
> I can't find it written down anywhere that the locator pair 
> in the IP header on the wire must be those used at the point 
> of IPsec processing for encrypt and decrypt.
> 
> Tom
> 
>
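To make the receive path that Jim's mail describes concrete, here is an added Python model (not code from this thread nor from any shim6 implementation): the shim6 context established by the separate signalling exchange maps the locator pair in the IP header back to the ULIDs, and the IPsec SA lookup is keyed on the ULID, so the same SA still matches after the locator pair changes, while a lookup keyed on the wire locators would not. The Shim6Context and Packet types, the context-tag lookup, the source-locator check and every address are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed model (not code from the thread): a shim6 context, set up earlier
# by the shim6 signalling exchange, is found via the context tag in the packet
# and maps the locator pair in the IP header back to the ULID pair; IPsec then
# matches its SA on the ULIDs.  All names and addresses here are invented.
@dataclass
class Shim6Context:
    tag: int                 # context tag carried in the shim6 payload header
    local_ulid: str
    peer_ulid: str
    peer_locators: Set[str]  # locators the peer is known to send from

@dataclass
class Packet:
    src: str                 # IP header source (a locator once shim6 is active)
    dst: str                 # IP header destination
    tag: Optional[int]       # shim6 context tag, None if no shim6 header
    spi: int                 # ESP SPI

contexts: Dict[int, Shim6Context] = {}
sad: Dict[Tuple[str, int], str] = {}   # (destination address, SPI) -> SA name

def shim6_receive(pkt: Packet) -> Optional[Tuple[str, str]]:
    """Return the (src, dst) pair IPsec should see, or None to drop the packet."""
    if pkt.tag is None:
        return pkt.src, pkt.dst                 # no shim6 context: addresses are ULIDs
    ctx = contexts.get(pkt.tag)
    if ctx is None or pkt.src not in ctx.peer_locators:
        return None                             # unknown context or unexpected locator
    return ctx.peer_ulid, ctx.local_ulid        # rewrite locators back to ULIDs

def receive(pkt: Packet) -> Optional[str]:
    """Full receive path: shim6 rewrite first, then IPsec SA lookup on the ULID."""
    addrs = shim6_receive(pkt)
    return None if addrs is None else sad.get((addrs[1], pkt.spi))

def demo() -> Dict[str, Optional[str]]:
    contexts.clear(); sad.clear()
    contexts[7] = Shim6Context(7, "2001:db8:a::1", "2001:db8:b::1",
                               {"2001:db8:b::1", "2001:db8:c::1"})
    sad[("2001:db8:a::1", 0x1000)] = "sa-from-peer"   # SA bound to the local ULID
    before = Packet("2001:db8:b::1", "2001:db8:a::1", 7, 0x1000)
    after = Packet("2001:db8:c::1", "2001:db8:d::1", 7, 0x1000)   # after rehoming
    bogus = Packet("2001:db8:e::1", "2001:db8:d::1", 7, 0x1000)   # unlisted locator
    return {"before_rehome": receive(before), "after_rehome": receive(after),
            "unknown_locator": receive(bogus),
            "keyed_on_locator": sad.get((after.dst, after.spi))}  # locator-keyed lookup
```

The last entry shows the contrast Tom asks about: a lookup keyed on the on-the-wire locator pair finds no SA after the locators change, whereas the ULID-keyed lookup still does.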