
RE: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006



Brian and Joe, (thanks).

If ULID is both ID and Locator that is fine.  Here is more on my issue,
and sorry for the late response; I am traveling and email is a pain.

My concern is the case where, when the packet is transmitted, the Locator
is not the ULID, AND the ULID is the SA used to decrypt the packet.

Here is why.

First, that means some form of out-of-band signaling was done to map
a Locator to a ULID so the decrypt can even happen. This is out of scope
for the IPsec architecture; we clearly did not support out-of-band
signaling for IPsec, all the way back to the 1994 or 1995 Danvers IETF
meeting when we decided to move to IPsec.

Second, I am concerned about implementations that now assume, per IPsec,
that in fact the Locator is the SA in the packet arriving from or being
sent to another node.

Does that help?

Thanks
/jim

> -----Original Message-----
> From: Brian E Carpenter [mailto:brc@zurich.ibm.com] 
> Sent: Tuesday, July 18, 2006 11:04 AM
> To: Joe Abley
> Cc: Bound, Jim; shim6@psg.com
> Subject: Re: IPsec Issue Discussed for Shim6 at IETF Meeting 
> July 10, 2006
> 
> Joe Abley wrote:
> > 
> > On 18-Jul-2006, at 07:24, Brian E Carpenter wrote:
> > 
> >> Sure, in my shim6 world the ULID is an initially valid locator.
> >> Of course, it may become invalid dynamically during the course of a
> >> session, but that will not invalidate the SA as far as I can see.
> > 
> > 
> > Surely the ULID is static for the lifetime of a session, regardless
> > of what happens to the locator set?
> 
> Exactly my point; but if the ULID ceases to work as a
> locator, it no longer has its initial duality as both an ID
> and a locator.
> And I want to be sure that Jim doesn't see a problem in that.
> 
>      Brian
>