Hi Yoav Nir & All Group Members

   Thanks for your quick response. I think, instead of the user taking special
   care by adding an extra rule to allow un-encrypted (unicast) ND traffic,
   there should be some RFC guidelines, such that the IPsec/IKE protocol itself
   can take care of it. It will be a problem in interop also.

   The guidelines below can be used.

   1. If a packet is of IPv6 NS/NA type, the IPsec policy matches, but the
      Security Association (SA) is not yet established, then the sender can
      send un-encrypted packets.

      Also, the receiver should accept an un-encrypted NS/NA packet when the
      IPsec policy matches but no Security Association (SA) is present.


With Regards
Syed Ajim

-----Original Message-----
From: Yoav Nir [mailto:y...@checkpoint.com] 
Sent: Thursday, February 18, 2010 2:35 PM
To: 'Syed Ajim Hussain'; ipsec@ietf.org
Subject: RE: [IPsec] IKE6 Negotiation when Peer Address ND not yet started.

Hi, Syed Ajim.

In future please expand acronyms, because while it's safe to assume that
anyone reading this list knows what an SA is, not all of us are proficient
in IPv6 terminology.

Having said that, policies usually have exceptions for protocols that need
to run in the clear. IKE is an example of such a protocol.

Also, when IPsec is between two hosts that are not on the same subnet, you
don't have a problem - since your local network is not in the policy, all
the neighbor discovery/solicitation/advertisement messages are in the clear
anyway.

You do have a problem when your IPsec peer is on the same subnet. In that
case, you need to have an exception in your policy that makes these
protocols non-protected. Alternatively, you can get the peer address from a
third party (such as DNS), and use that for IKE, ignoring the IPv6 way of
doing discovery. (IKE still needs an exception.) Then the whole neighbor
protocols will run over IPsec like they should. This might require some
messing around with the IPv6 stack.

-----Original Message-----
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
Syed Ajim Hussain
Sent: Thursday, February 18, 2010 10:41 AM
To: ipsec@ietf.org
Subject: [IPsec] IKE6 Negotiation when Peer Address ND not yet started.

Hi All

   IPv6 Peer1 ------------------ IPv6 Peer 2
     
   I have one question about the IKE IPv6 solution.
   Assume that in the IPsec6 policy I have configured the source IPv6 address
   and destination IPv6 address as the traffic selector, and the IPsec SA is
   not yet established.
   When IKE triggers SA negotiation, at that time ND for the peer address is
   not yet done.

   In this condition, the initiator sends an NS to resolve the peer address,
   and the other end replies with an NA, which is a unicast packet. Now this
   unicast packet comes under the IPsec6 policy, so Peer2 cannot send it
   un-encrypted, and for encryption the SA is not yet ready.

   Even if Peer2 sends un-encrypted packets, this NA packet may be dropped at
   Peer1, as it matches the IPsec policy and the packet is still un-encrypted.

   So, is there any standard to handle such a scenario? Otherwise we need to
   update the standard to support IPsec6/IKE6.

With Regards
Syed Ajim
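As an added illustration (not part of the thread, and not code from either poster): a small Python model of an RFC 4301-style SPD/SAD lookup that replays the scenario above. The "naive" SPD has only a PROTECT entry between the two peers, which reproduces the failure Syed describes: Peer2 cannot send its unicast NA because the matching PROTECT entry has no SA yet, and a cleartext NA arriving at Peer1 is discarded because it matches a PROTECT entry without having come in over ESP. The "hardened" SPD puts BYPASS entries for ICMPv6 NS/NA and for IKE (UDP 500/4500) ahead of the PROTECT entry, which is the policy exception Yoav suggests. The addresses are constructed documentation-prefix values, the ordered first-match SPD and the "queue-until-sa" outcome for a PROTECT entry with no SA are simplifying assumptions of this model (RFC 4301 leaves that to the implementation), and Syed's proposed accept-in-the-clear rule is deliberately not modelled.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# SPD actions, using RFC 4301 terminology.
BYPASS, PROTECT, DISCARD = "BYPASS", "PROTECT", "DISCARD"

ICMPV6, UDP, TCP = 58, 17, 6
ND_NS, ND_NA = 135, 136            # ICMPv6 Neighbor Solicitation / Advertisement
IKE_PORTS = frozenset({500, 4500})  # IKE and IKE NAT-T

# Constructed sample addresses (documentation prefix), not taken from the thread.
PEER1, PEER2 = "2001:db8::1", "2001:db8::2"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None
    dport: Optional[int] = None
    protected: bool = False        # True when the packet arrived inside ESP


@dataclass(frozen=True)
class Policy:
    """One SPD entry; a selector left empty matches anything."""
    action: str
    proto: Optional[int] = None
    icmp_types: FrozenSet[int] = frozenset()
    dports: FrozenSet[int] = frozenset()
    peers: FrozenSet[str] = frozenset()   # both endpoints must be in this set

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.icmp_types and p.icmp_type not in self.icmp_types:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.peers and not (p.src in self.peers and p.dst in self.peers):
            return False
        return True


class IPsecHost:
    """Ordered SPD (first match wins) plus a SAD of established SA endpoint pairs."""

    def __init__(self, spd, sad=()):
        self.spd = list(spd)
        self.sad = set(sad)        # {(src, dst)} pairs that have an SA
        self.acquires = []         # (src, dst) pairs handed to IKE to negotiate

    def outbound(self, p: Packet) -> str:
        for pol in self.spd:
            if pol.matches(p):
                if pol.action == BYPASS:
                    return "send-clear"
                if pol.action == DISCARD:
                    return "drop"
                if (p.src, p.dst) in self.sad:
                    return "send-esp"
                # PROTECT with no SA: ask IKE for one and hold the packet (model assumption).
                self.acquires.append((p.src, p.dst))
                return "queue-until-sa"
        return "drop"              # no SPD match: discard by default

    def inbound(self, p: Packet) -> str:
        for pol in self.spd:
            if pol.matches(p):
                if pol.action == BYPASS:
                    return "accept"
                if pol.action == DISCARD:
                    return "drop"
                # PROTECT: cleartext that should have arrived in ESP is discarded.
                return "accept" if p.protected else "drop"
        return "drop"


def naive_spd():
    # Only a PROTECT entry covering all traffic between the two peers.
    return [Policy(PROTECT, peers=frozenset({PEER1, PEER2}))]


def hardened_spd():
    # Exceptions for protocols that must run in the clear, placed ahead of the
    # PROTECT entry so that they win the first-match lookup.
    return [
        Policy(BYPASS, proto=ICMPV6, icmp_types=frozenset({ND_NS, ND_NA})),
        Policy(BYPASS, proto=UDP, dports=IKE_PORTS),
        Policy(PROTECT, peers=frozenset({PEER1, PEER2})),
    ]


def run_scenario(spd_factory):
    """Replay the thread's scenario: no SA yet, Peer1 solicits, Peer2 answers."""
    peer1, peer2 = IPsecHost(spd_factory()), IPsecHost(spd_factory())
    na = Packet(PEER2, PEER1, ICMPV6, icmp_type=ND_NA)   # unicast NA from Peer2
    ike = Packet(PEER1, PEER2, UDP, dport=500)           # IKE_SA_INIT from Peer1
    data = Packet(PEER1, PEER2, TCP, dport=443)          # ordinary protected traffic
    result = {
        "na_out_at_peer2": peer2.outbound(na),
        "na_in_at_peer1": peer1.inbound(na),             # arrives in the clear
        "ike_out_at_peer1": peer1.outbound(ike),
        "data_out_no_sa": peer1.outbound(data),
        "data_in_clear_at_peer2": peer2.inbound(data),   # must still be dropped
        "acquires_at_peer1": len(peer1.acquires),
    }
    peer1.sad.add((PEER1, PEER2))                        # IKE has now finished
    result["data_out_after_sa"] = peer1.outbound(data)
    return result


if __name__ == "__main__":
    for name, factory in (("naive", naive_spd), ("hardened", hardened_spd)):
        print(name, run_scenario(factory))
```

Two things the run makes visible: with the naive SPD even the IKE packet itself is held waiting for an SA, so the exception for IKE is not optional; and in the hardened SPD the bypass entries are narrow (ICMPv6 types 135/136 and the IKE ports only), so ordinary traffic between the peers is still queued until an SA exists and cleartext data is still discarded on receipt. Order matters: a BYPASS entry placed after the PROTECT entry would never be consulted.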
    

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
