[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Extension header vs destiantion option



 In your previous mail you wrote:

   We have discussed this issue in the design team, and as far as i 
   remember. people that were involved in the design on MIPv6 argued for 
   using a new extension header rather than using a destination option. 

=> the problem was possible piggy-backing of the mobility header and
the compatibility with the current version of IPsec. The adopted solution
is to use a terminal header with a format compatible with an extension
header (to be able to change the decision) and to update IPsec architecture
with support of extension headers as selectors.

   The reasons for that, AFAIU, are the problems that appeared when using 
   the destination option. These were basically due to the fact that 
   Destination options are no ordered within the Destination Option 
   extension header.

=> no, this has nothing to do with MIPv6/IPsec issue.

   In addition there is the issue brought by Iljitsch, about the 
   destination option header being processed after the IPSec related 
   header. This seems to be in opposition with the architecture of the 
   shim, where the shim resides below the IPsec.

=> IMHO you are making a common confusion with the way IPsec is applied:
outgoing IPsec processing has two phases: in the first phase one decides
what processing is needed according to selectors (so this phase must
be done before shim application) and in the second phase processing is
applied on the packet, usually on the whole packet because of AH.
So the choice of where to put the IPsec extension header is more free
than you can believe...

   I guess that Erik or Jari could expand on this topic, but AFAIU, we 
   should consider a new Extension header rather than a Destiantion 
   option.
   
=> I don't like at all new extension header because this in fact supposes
to change all the boxes which look at inside packets: QoS classifiers,
firewalls, etc, just because there is no way to recognize and skip
a new extension header (note this includes end systems but they should
receive only packets they are supposed to know how to handle :-).

Regards

Francis.Dupont@enst-bretagne.fr