
RE: visibility of identifier in shim6 payload packet
> -----Original Message-----
> From: Shinta Sugimoto [mailto:shinta@sfc.wide.ad.jp] 
> Sent: Tuesday, August 01, 2006 10:42 AM
> To: Francis Dupont
> Cc: marcelo bagnulo braun; Christian Huitema; shim6-wg; Iljitsch van Beijnum
> Subject: visibility of identifier in shim6 payload packet (was: Re: IPsec !?...)
> 
> Hi Francis,
> 
> (excuse me for changing the subject, but I think it's more
> suitable for the topic being discussed)
> 
> Please find my comments below.
> 
> On Tue, 01 Aug 2006 13:29:07 +0200
> Francis Dupont <Francis.Dupont@point6.net> wrote:
> 
> >  In your previous mail you wrote:
> > 
> >    > To make the use of IPsec impossible as a limited alternative is more
> >    > arguable. To make shim6 and IPsec compatible is a third topic, the
> >    > question was opened by Jim and is not yet closed.
> >    
> >    i don't see any problems with IPSec and shim compatibility.... do you
> >    see any issues/troubles there? could you expand on this?
> >    
> > => you can read the thread initiated by Jim. To summarize, there is an issue
> > about what should be the traffic selectors and how to implement a BITW
> > (Bump-in-the-Wire, cf. RFC 4301). As it was already discussed in this
> > list please send questions directly to me (but solution(s) to the list :-).
> 

My understanding of the potential problem is as follows:

- there are multiple ways to implement IPsec: BITW, BITS, and native

- BITS and BITW operate below the IP layer. If these types of IPsec
implementations talk to each other, there should be no problem if the
SPD/SAD is defined on the basis of the locators. There is a problem of
ULID visibility if someone tried to define the SPD/SAD on the basis of
ULIDs

- there is also no problem if two native IPsec implementations talk to
each other using the ULIDs as the IPsec addresses, with both native
IPsec implementations above the shim6 layer

- there is a potential interoperability problem if a native (host)
implementation with SPD/SAD based on ULIDs tries to set up SAs with BITS
or BITW implementations, which don't have visibility into the ULIDs.

Aside from the native-to-non-native case, I don't really see a problem.
In fact, it should be possible that end-to-end native IPsec is running
between hosts (this end-to-end is based on the ULID) while BITW is used
as an additional IPsec encapsulation between sites (this BITW-BITW is
based on locators).  It may be that mobike techniques can be applied to
allow a BITS host to be multihomed and talk to a BITW gateway.

For the native-to-non-native case, this seems to me to be related to the
IKE NAT traversal problem (RFC3947).  I don't know offhand whether the
IKE extensions defined there could also apply to shim6, or whether more
work is needed, or whether that particular use case is really important.

Tom
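The four cases Tom lists come down to one question: is the SPD consulted above the shim6 layer (where packets still carry ULIDs) or below it (where they carry locators)? The toy model below, an added example that is not part of this thread or of any shim6 or IPsec implementation, makes that concrete. It models shim6 as an address rewrite between a ULID and the currently active locator, and models native, BITS and BITW IPsec as an SPD lookup performed either before or after that rewrite. The addresses, the ULID-to-locator mapping and the SPD entries are constructed sample values; the `discard` default for an unmatched packet follows the RFC 4301 rule that traffic matching no SPD entry is dropped.

```python
# Toy model of where the IPsec SPD lookup happens relative to the shim6 layer.
# Added example, not code from the thread or from any shim6/IPsec stack.
# All addresses, contexts and SPD entries below are constructed sample values.

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class SpdEntry:
    src: str
    dst: str
    action: str  # "protect" or "bypass"


# Constructed shim6 context: ULID -> active locator, as seen by the sending host.
CONTEXT_INITIAL = {
    "2001:db8:a::1": "2001:db8:a:1::1",  # host A, first locator
    "2001:db8:b::1": "2001:db8:b:2::1",  # host B
}

# Same context after host A rehomes to a second locator (constructed).
CONTEXT_REHOMED = dict(CONTEXT_INITIAL, **{"2001:db8:a::1": "2001:db8:a:2::1"})


def shim6_rewrite(pkt: Packet, ctx: dict) -> Packet:
    """Model the shim6 layer: replace ULIDs with locators before the packet hits the wire."""
    return replace(pkt, src=ctx.get(pkt.src, pkt.src), dst=ctx.get(pkt.dst, pkt.dst))


def spd_lookup(spd: list, pkt: Packet) -> str:
    """First-match SPD lookup on the (src, dst) selector; no match means discard (RFC 4301)."""
    for entry in spd:
        if entry.src == pkt.src and entry.dst == pkt.dst:
            return entry.action
    return "discard"


def native_ipsec(spd: list, pkt: Packet, ctx: dict) -> str:
    """Native (host) IPsec above shim6: the SPD sees the ULIDs; the context is irrelevant."""
    return spd_lookup(spd, pkt)


def bitw_ipsec(spd: list, pkt: Packet, ctx: dict) -> str:
    """BITS/BITW below shim6: the SPD only ever sees locators."""
    return spd_lookup(spd, shim6_rewrite(pkt, ctx))


def run_cases() -> dict:
    """Exercise the combinations discussed in the thread with constructed data."""
    pkt = Packet("2001:db8:a::1", "2001:db8:b::1")  # ULIDs, as the application sees them
    ulid_spd = [SpdEntry("2001:db8:a::1", "2001:db8:b::1", "protect")]
    locator_spd = [SpdEntry("2001:db8:a:1::1", "2001:db8:b:2::1", "protect")]
    return {
        # native above shim6 with ULID-based SPD: matches
        "native_ulid_spd": native_ipsec(ulid_spd, pkt, CONTEXT_INITIAL),
        # BITW with locator-based SPD: matches, because it sees locators
        "bitw_locator_spd": bitw_ipsec(locator_spd, pkt, CONTEXT_INITIAL),
        # BITW with ULID-based SPD: the ULIDs are no longer visible, so no match
        "bitw_ulid_spd": bitw_ipsec(ulid_spd, pkt, CONTEXT_INITIAL),
        # after rehoming, the native ULID policy is unaffected ...
        "native_ulid_spd_rehomed": native_ipsec(ulid_spd, pkt, CONTEXT_REHOMED),
        # ... but a locator-based BITW policy must be updated to track the new locator
        "bitw_locator_spd_rehomed": bitw_ipsec(locator_spd, pkt, CONTEXT_REHOMED),
    }


if __name__ == "__main__":
    for name, action in run_cases().items():
        print(f"{name:28s} -> {action}")
```

The last two cases illustrate why Tom brings up MOBIKE: a locator-keyed policy at a BITS or BITW device is correct only as long as the locators stay put, so a multihomed host that rehomes needs some mechanism to move the SA to its new locator, whereas a ULID-keyed native policy never sees the change.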