RE: NAT traversal and its relation to IPv6 [RE: Comments on draft -tsirtsis-dsmip-problem-01.txt]



 >    The IPsec VPN "road warrior" scenario is only applicable
 >    to just those "road warriors".
 > 
 > => I disagree, the only missing pieces are the v6-in-v4 support and
 > a more friendly processing of handoffs.

=> I was talking in regards to the deployment scenarios
and not necessarily the protocol solution. 

 > 
 >    You can certainly extend MIPv6
 >    to _allow_ v6 in v4 tunnels, which is what Alex was asking. 
 > 
 > => no, this is not easy at all because MIPv6 doesn't use 
 > only tunnels.
 > You have to introduce IPv4 Care-of addresses and this is a 
 > major change.

=> I don't see it as a major change. It's fairly straightforward.
We have one example of doing so in:

http://www.ietf.org/internet-drafts/draft-soliman-v4v6-mipv4-00.txt


 > 
 >    I don't see why someone who wants seamless roaming and already
 >    has MIP is required to have another IPsec anchor
 > 
 > => not another one, just rename the Home Agent into the 
 > Security Gateway.
 > Note you already have some IPsec between the Mobile Node and its Home
 > Agent.

=> Only for MIPv6 signalling. It's not used in MIPv4 and 
it's not required to protect traffic in v4 or v6. It would be an 
unnecessary overhead if we used it for all packets.

 > 
 >    somewhere 
 >    on the Internet. It's not what IPsec is used for and it doesn't
 >    need to be. 
 >    
 > => extra security should not be a problem. 

=> It's a problem when it's not needed because it adds significant
overhead.

 > The IPsec protection of
 > all packets through the MN-HA tunnel is already an option, and IMHO
 > this will be a commonly used option because the initial/last wireless
 > segment of the path is not known for its security.

=> Your comments on the security of last hop are not accurate
for cellular systems. But of course, sometimes you need e2e
security, I agree. However, there is a big difference between
that and mandating e2e security for all traffic. 
If we wanted to manage mobility with IPsec why did we 
ever develop MIP! ;)

 > PS: note that I suggest IPsec as an example of alternatives. 
 > There are
 > many other ways to manage v6-in-v* tunnels, IPsec is just 
 > the standard
 > one when someone'd like extra security.

=> Sure.

Hesham
