
Re: NAT traversal and its relation to IPv6 [RE: Comments on draft -tsirtsis-dsmip-problem-01.txt]



to add to this conversation, tunnel broker with tsp does manage v*-in-v*
with security (aaa). if the outer v* address changes (i.e. v4 address change
for v6 over v4 tunnels), then the tunnel is automatically re-established
with the broker: "mobility feature". the ipsec need can be handled on the
appropriate IP version.

Marc.

-- Monday, September 08, 2003 17:45:05 +0200 Francis Dupont
<Francis.Dupont@enst-bretagne.fr> wrote:

>  In your previous mail you wrote:
> 
>       
>     >    No, I want Mobile IPv6 to not require its MN-HA tunnel to be v6-in-v6
>     >    but to require it to be either v6-in-v6 or v6-in-v4.
>     >    
>     > => you can't do that with Mobile IPv6 itself but it is still possible
>     > to use an alternative, i.e., something which looks like Mobile IPv6
>     > but works for both IP versions. If you wouldn't like to get routing
>     > optimization (something a bit hard in this case :-), I suggest the
>     > "road warrior" IPsec VPN. But, even if RFC 2401 is clearly for any
>     > combination of IP versions, I am afraid that the v6-in-v4 is rarely
>     > supported...
>    
>    => Francis, 
>    
>    The IPsec VPN "road warrior" scenario is only applicable
>    to just those "road warriors".
> 
> => I disagree, the only missing pieces are the v6-in-v4 support and
> a more friendly processing of handoffs.
> 
>    You can certainly extend MIPv6
>    to _allow_ v6 in v4 tunnels, which is what Alex was asking. 
> 
> => no, this is not easy at all because MIPv6 doesn't use only tunnels.
> You have to introduce IPv4 Care-of addresses and this is a major change.
> 
>    I don't see why someone who wants seamless roaming and already
>    has MIP is required to have another IPsec anchor
> 
> => not another one, just rename the Home Agent into the Security Gateway.
> Note you already have some IPsec between the Mobile Node and its Home
> Agent.
> 
>    somewhere 
>    on the Internet. It's not what IPsec is used for and it doesn't
>    need to be. 
>    
> => extra security should not be a problem. The IPsec protection of
> all packets through the MN-HA tunnel is already an option, and IMHO
> this will be a commonly used option because the initial/last wireless
> segment of the path is not known for its security.
>    
> Regards
> 
> Francis.Dupont@enst-bretagne.fr
> 
> PS: note that I suggest IPsec as an example of alternatives. There are
> many other ways to manage v6-in-v* tunnels, IPsec is just the standard
> one when someone'd like extra security.
> 



------------------------------------------
Marc Blanchet
Hexago
tel: +1-418-266-5533x225
------------------------------------------
http://www.freenet6.net: IPv6 connectivity
------------------------------------------