
shim and IPsec placement [Was: Middleboxes]



Christian Huitema wrote:

Actually, I would like an option to run the shim inside IPSEC. It
prevents meddling by intermediate boxes. It also mitigates the privacy
risks associated with shim6.

Isn't that what the MOBIKE WG is effectively trying to do?
An implication of layering multihoming support above IPsec is that IKE/IPsec needs to get involved to either create new SAs when locators change, or have a way to "rehome" existing SAs to use different locators.


FWIW The approach put forth by the multi6 DT was to run the shim below IPsec. The shim6 WG could of course decide to do something different, but there is no outline on the table for a scheme which runs above IPsec. Is anybody working on such a scheme? (other than mobike?)

   Erik