Re: Comments on draft-ietf-mobileip-mipv6-ha-ipsec-04.txt

[Bernard Aboba <aboba@internaut.com>]

Thanks. This looks good. Some comments:

>       "We have chosen to require an encapsulation format for return
>        routability and payload packet protection which can only be
>        realized if the destination of the IPsec packets sent from the
>        home agent can be changed as the mobile node moves. One of the
>        main reasons for choosing such a format is that it removes the
>        overhead of twenty four bytes when a home address option or
>        routing header is added to the tunneled packet. Such an overhead
>        would not be significant for the protection of the return
>        routability packets, but would create an additional overhead if
>        IPsec is used to protect the tunneling of payload packets to the
>        home agent. This overhead may be significant for real-time
>        traffic. Given that the use of the shorter packet formats for
>        any traffic requires the existence of suitable APIs, we have
>        chosen to use the shorter packet formats also for the protection

"use" -> "require support for"

>        of the return routability packets.  (Note that packet formats
>        and header ordering discussed in Section 3 must be supported,
>        but implementations may also support other formats. Some
>        implementations may therefore also support the protection of
>        payload packets using the home address as the gateway address.)
>
>        In order to support the care-of address as the gateway address
>        on the mobile node side, the home agent must act as if the
>        gateway address of a security association to the mobile node
>        would have changed upon movements. Implementations are free to
>        choose any particular method to make this change, such as using
>        an API to the IPsec implementation to change the parameters of
>        the security association, removing the security association and
>        installing a new one, or modification of the packet after it has
>        gone through IPsec processing. The only requirement is that
>        after registering a new binding at the home agent, the next
>        IPsec packets sent on this security association will be
>        addressed to the new care-of address."

One question that arises is how the MN and HA can use anything other than
the "mandatory to implement" encapsulation. For example, if an MN sends a
tunneled HOTI packet with SA=CoA and an HAO and the HA doesn't support it,
what happens? Presumably the HA sends an error message (which one?) and then
the MN MUST use the mandatory-to-implement encapsulation, no?

>       "Note that the difficulties with main mode and preshared secrets
>        in IKE version 1 are well known for dynamic addresses. With
>        static addresses, there has not been a problem. With Mobile
>        IPv6, however, the use of the care-of addresses to run IKE
>        towards the home agent presents a problem even when the home
>        address stays stable."

Might add "See Section 7 for details."