[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NAT traversal and its relation to IPv6 [RE: Comments on draft -tsirtsis-dsmip-problem-01.txt]
In your previous mail you wrote:
> No, I want Mobile IPv6 to not require its MN-HA tunnel to
> be v6-in-v6
> but to require it to be either v6-in-v6 or v6-in-v4.
>
> => you can't do that with Mobile IPv6 itself but it is still possible
> to use an alternative, i.e., something which looks like Mobile IPv6
> but works for both IP versions. If you wouldn't like to get routing
> optimization (something a bit hard in this case :-), I suggest the
> "road warrior" IPsec VPN. But, even if RFC 2401 is clearly for any
> combination of IP versions, I am afraid that the v6-in-v4 is rarely
> supported...
=> Francis,
The IPsec VPN "road warrior" scenario is only applicable
to just those "road warriors".
=> I disagree, the only missing pieces are the v6-in-v4 support and
a more friendly processing of handoffs.
You can certainly extend MIPv6
to _allow_ v6 in v4 tunnels, which is what Alex was asking.
=> no, this is not easy at all because MIPv6 doesn't use only tunnels.
You have to introduce IPv4 Care-of addresses and this is a major change.
I don't see why someone who wants seamless roaming and already
has MIP is required to have another IPsec anchor
=> not another one, just rename the Home Agent into the Security Gateway.
Note you already have some IPsec between the Mobile Node and its Home
Agent.
somewhere
on the Internet. It's not what IPsec is used for and it doesn't
need to be.
=> extra security should not be a problem. The IPsec protection of
all packets through the MN-HA tunnel is already an option, and IMHO
this will be a commonly used option because the initial/last wireless
segment of the path is not known for its security.
Regards
Francis.Dupont@enst-bretagne.fr
PS: note that I suggest IPsec as an example of alternatives. There are
many other ways to manage v6-in-v* tunnels, IPsec is just the standard
one when someone'd like extra security.