(usagi-users 02027) Re: Combining IPsec and Mobile IPv6
- To: a.buc@xxxxxxxxxx
- Subject: (usagi-users 02027) Re: Combining IPsec and Mobile IPv6
- From: Noriaki Takamiya <takamiya@xxxxxxxxxxxxx>
- Date: Thu, 12 Dec 2002 21:57:39 +0900 (JST)
- Cc: usagi-users@xxxxxxxxxxxxxx
- In-reply-to: <00e201c2a1ba$9d34afe0$0201000a@PCRILLO>
- References: <3DEDD90A0000BA8B@mail-6.tiscalinet.it> <20021211.162341.884010753.takamiya@po.ntts.co.jp> <00e201c2a1ba$9d34afe0$0201000a@PCRILLO>
- Reply-to: usagi-users@xxxxxxxxxxxxxx
Hello,
(Added CC for the ML)
>> Thu, 12 Dec 2002 09:43:58 +0100
>> [Subject: Re: (usagi-users 02020) Combining IPsec and Mobile IPv6]
>> "Andrea" <a.buc@xxxxxxxxxx> wrote...
a.buc> CN
a.buc> |
a.buc> Router --- HA--- AP
a.buc> |
a.buc> --------- HA ---AP )))) ((( MN
a.buc>
a.buc>
a.buc> where AP = Access Point
a.buc> The problem is when MN moves from its home to the other AP...
a.buc> I set up an SA between MN and CN, but of course IPsec doesn't work when MN
a.buc> has a care-of address because there is no SA between MN's Care-of Address
a.buc> and CN's Address
a.buc> and between MN's Care-of Address and Home Agent.
IMHO, I think you should use an SA between CN's address and MN's Home
address.
I tested and it worked with the SA which defines ESP on TCP between
CN's address and MN's Home Address.
But I failed with AH. I'll fix it.
Logically, when using an SA between CN's address and MN's Care-of
address, you need some dynamic key exchange protocol.
But in this implementation, when sending packets from MN, the SA is
searched for MN's Home Address. Care-of Address and Home Address are
replaced at NF_HOOK(LOCAL_OUT) (IPsec calculation is already done).
So, an IPsec SA between CN's address and MN's Care-of address will fail.
Regards,
--------------------------------------------------
# IPsec for ESP
# HoA is MN's Home Address
# CNADDR is CN's Address
pfkey -A sa -s HoA -d CNADDR -T esp -S 0x5678 -p tcp --auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef --esp 3des-cbc --espkey 0xa7a36ebd91863edfba763fa7edcba64d89123ace6359eba7
pfkey -A sp -s HoA -d CNADDR -T esp -S 0x5678 -p tcp
pfkey -A sa -s CNADDR -d HoA -T esp -S 0x1234 -p tcp --auth hmac-md5 --authkey 0x0123456789abcdef0123456789abcdef --esp 3des-cbc --espkey 0xa7a36ebd91863edfba763fa7edcba64d89123ace6359eba7
pfkey -A sp -s CNADDR -d HoA -T esp -S 0x1234 -p tcp
--------------------------------------------------
Noriaki Takamiya
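The reason the post gives for keying the SA on the Home Address rather than the Care-of Address is an ordering property of the outbound path: the SA is looked up while the packet's source is still the Home Address, and the Home Address is swapped for the Care-of Address only afterwards at NF_HOOK(LOCAL_OUT). The following Python model, added here as an illustration and not code from USAGI or from the post's author, reproduces that ordering with a toy SAD. The addresses are constructed for the example; the SPI 0x5678 and the TCP selector are the ones used in the pfkey lines above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed example addresses; not taken from the post.
HOA = "2001:db8:1::10"      # MN's Home Address
COA = "2001:db8:2::10"      # MN's Care-of Address while away from home
CNADDR = "2001:db8:3::1"    # Correspondent node


@dataclass(frozen=True)
class SA:
    """One security association, as installed with 'pfkey -A sa'."""
    src: str
    dst: str
    spi: int
    proto: str = "tcp"   # the -p selector used in the post's entries


@dataclass
class Packet:
    src: str
    dst: str
    l4: str
    esp_spi: Optional[int] = None  # set once ESP has been applied


class SAD:
    """Minimal security association database keyed on (src, dst, l4 proto)."""

    def __init__(self) -> None:
        self._entries: List[SA] = []

    def add(self, sa: SA) -> None:
        self._entries.append(sa)

    def lookup(self, src: str, dst: str, l4: str) -> Optional[SA]:
        for sa in self._entries:
            if sa.src == src and sa.dst == dst and sa.proto == l4:
                return sa
        return None


def mn_send(pkt: Packet, sad: SAD, hoa: str, coa: str) -> Packet:
    """Model of the outbound order described in the post: the SA is
    searched while the source is still the Home Address, and only then,
    at NF_HOOK(LOCAL_OUT), is the Home Address replaced by the Care-of
    Address (the IPsec calculation is already done by that point)."""
    sa = sad.lookup(pkt.src, pkt.dst, pkt.l4)
    if sa is not None:
        pkt.esp_spi = sa.spi          # ESP applied using this SA
    if pkt.src == hoa:                # address replacement after IPsec
        pkt.src = coa
    return pkt


def protected_when_keyed_on(mn_addr: str) -> bool:
    """Install the MN->CN SA keyed on mn_addr and report whether a TCP
    segment originated from the Home Address leaves the MN ESP-protected."""
    sad = SAD()
    sad.add(SA(src=mn_addr, dst=CNADDR, spi=0x5678))   # SPI from the post
    pkt = mn_send(Packet(src=HOA, dst=CNADDR, l4="tcp"), sad, HOA, COA)
    assert pkt.src == COA             # on the wire the source is always CoA
    return pkt.esp_spi is not None


def demo() -> dict:
    """Compare the two ways of keying the SA that the thread discusses."""
    return {
        "sa_on_home_address": protected_when_keyed_on(HOA),     # True
        "sa_on_care_of_address": protected_when_keyed_on(COA),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ESP applied' if ok else 'no SA matched, ESP not applied'}")
```

Running it shows the SA keyed on the Home Address being found and applied while the packet still leaves with the Care-of Address as its source, whereas the SA keyed on the Care-of Address is never consulted because the lookup happens before the address swap.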