[support] IPSec in NEMO BS with static keys

Georgopoulos, Panagiotis panos at comp.lancs.ac.uk
Tue Aug 25 23:58:00 JST 2009


Hello Sebastien,

	Please see some comments inline

> > Knowing that umip takes care of the SPD is very useful. I must have
> > been confused as the guide here
> > (http://member.wide.ad.jp/tr/wide-tr-nautilus6-configuring-ipsec-for-shisa-mipl-00.pdf)
> > uses some configuration files that add spd entries manually
> > (using spdadd)
> >
> The SHISA stack is different from UMIP. In that case, one has actually
> to insert the SPD entries by hand. But in the UMIP case, it is handled
> by the daemon (not the SAD, though).
> 
> 

I see, maybe that should be mentioned on the nautilus website, as the above
guide is the only one regarding IPsec and static keys, and what you mentioned
is a huge difference in the implementation stack and makes a difference to
anyone trying to use it as a guide.

Judging from Romain's email there is a constant effort to update
documentation and maintain the code, which is extremely good and helpful, so
that more people will be interested in investigating and supporting this
effort more.


> > Now that I am starting to find my way around sad and spd it seems
> > that finding them using the reqid is easier. It is very surprising
> > that there isn't any documentation out there describing them...
> >
> It's quite a general issue in Linux, especially all XFRM-related things
> (superset of IPsec)... :-s
> 
> > By the way what is the difference between an "in ipsec" and "fwd
> > ipsec" in the spd? How would that operate differently from either
> > the MR's or the HA's point of view?
> >
> The rules that are matched are different if the local host is an
> endpoint of the packet or not. I don't exactly remember how the rules
> are matched between IN, OUT and FWD. Simply put, a forwarded packet
> does not go through IN then OUT rules. (I seem to remember it's
> FWD + OUT but I am not sure at all!)

Hm, I am doing some tests in my current setup to try and find out in
practice which rules are matched. Basically I am running pings across my
testbed and checking what setkey -PD reports in the last used field.
(As a side note, why is the rule for the BU created every time a BU is sent,
rather than just updating its timestamp? Are the rules being removed from
the spd after a while? Is there a timer that expires? This does not seem to
be the case with other rules though...)

It is far from easy to realize how the rules are used :-/ When you say above
that the FWD + OUT rule is matched, which case do you refer to? Is it the case
of an MR forwarding the MN's traffic up the tunnel? Because below you are
saying that a forwarded packet will not follow the OUT rule...


> 
> Signaling (example: BU, BA) will therefore match IN and OUT rules on
> the MR and HA, while tunneled encapsulated traffic will match FWD rules.
> That's the reason for having FWD rules in the case of NEMO, while
> "simple" UMIP does not need this.
> 
> It's a quite tricky topic, probably because it's so difficult to find
> documentation on this...

You are very correct on this and it is certainly due to the lack of
documentation. I found some papers regarding xfrm but still they are not
helping a lot... 

A good idea would be to document xfrm and ipsec policies and rules (probably
on nepl's website) as this would help people to understand the whole concept
much more easily.

> 
> I hope this helps!

Everything that I hear on the topic helps ;-) Thanks!

> Best regards,
> Sebastien.
> 

Cheers,
Panos
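As an added example (not code from this thread, from UMIP or from ipsec-tools), here is a small Python script that automates the check Panos describes above: parse a `setkey -PD` dump, pick out each policy's direction and "lastused" timestamp, and list which in/out/fwd entries were hit after a given moment. The sample dump, every address in it and the policy set itself are constructed only to exercise the parser in the format ipsec-tools' setkey prints on Linux; they are not a verified NEMO configuration. The `expected_directions` helper is also an assumption of this example: it encodes the thread's rule of thumb that traffic the host terminates or originates is matched against IN or OUT, while forwarded traffic is not run through IN then OUT but is checked as FWD on entry and OUT on exit (Sebastien's "FWD + OUT" recollection, which is what Linux XFRM does).

```python
"""Which SPD entries did my test traffic hit?  (added example, not from UMIP)

Parses `setkey -PD` output and reports, per direction, the policies whose
"lastused" timestamp is at or after a reference time.  Workflow: note the
time, send the test pings, run `setkey -PD | python spdhits.py "<time>"`.
"""
import re
import sys
from datetime import datetime

# Constructed sample dump (format mimics ipsec-tools setkey -PD on Linux):
# MH (proto 135) signalling policies between an MR (2001:db8:1::1) and an
# HA (2001:db8:2::1), plus two fwd tunnel policies for a made-up mobile
# network prefix.  A never-used entry has a blank lastused (setkey prints
# 20 spaces there).  Not a verified NEMO policy set.
SAMPLE_DUMP = """\
2001:db8:1::1[any] 2001:db8:2::1[any] 135
\tout prio def ipsec
\tesp/transport//require
\tcreated: Aug 25 22:00:00 2009  lastused: Aug 25 23:40:11 2009
\tlifetime: 0(s) validtime: 0(s)
\tspid=17 seq=3 pid=2201
\trefcnt=1
2001:db8:2::1[any] 2001:db8:1::1[any] 135
\tin prio def ipsec
\tesp/transport//require
\tcreated: Aug 25 22:00:00 2009  lastused: Aug 25 23:40:12 2009
\tlifetime: 0(s) validtime: 0(s)
\tspid=16 seq=2 pid=2201
\trefcnt=1
2001:db8:100::/64[any] ::/0[any] any
\tfwd prio def ipsec
\tesp/tunnel/2001:db8:1::1-2001:db8:2::1/require
\tcreated: Aug 25 22:00:00 2009  lastused: Aug 25 23:45:30 2009
\tlifetime: 0(s) validtime: 0(s)
\tspid=24 seq=1 pid=2201
\trefcnt=1
::/0[any] 2001:db8:100::/64[any] any
\tfwd prio def ipsec
\tesp/tunnel/2001:db8:2::1-2001:db8:1::1/require
\tcreated: Aug 25 22:00:00 2009  lastused:                     
\tlifetime: 0(s) validtime: 0(s)
\tspid=25 seq=0 pid=2201
\trefcnt=1
"""

# Entry header: "<src>[<port>] <dst>[<port>] <proto>" (no leading tab).
_HEADER = re.compile(r"^(?P<src>\S+)\[[^\]]+\] (?P<dst>\S+)\[[^\]]+\] (?P<proto>\S+)$")
# Direction line; the "prio def" part is absent on older ipsec-tools, so
# only the leading keyword is required.
_DIR = re.compile(r"^\t(?P<dir>in|out|fwd)\b")
_TIMES = re.compile(r"^\tcreated: (?P<created>.+?)\s+lastused:(?P<lastused>.*)$")
_SPID = re.compile(r"^\tspid=(?P<spid>\d+)")
TIME_FMT = "%b %d %H:%M:%S %Y"   # ctime() minus the weekday, as setkey prints it


def _parse_time(text):
    """'Aug 25 23:40:11 2009' -> datetime; blank (never used) -> None."""
    text = text.strip()
    return datetime.strptime(text, TIME_FMT) if text else None


def parse_spd(dump):
    """Split a `setkey -PD` dump into one dict per SPD entry."""
    entries, cur = [], None
    for line in dump.splitlines():
        m = _HEADER.match(line)
        if m:                      # a new entry starts at every header line
            cur = {"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                   "dir": None, "created": None, "lastused": None, "spid": None}
            entries.append(cur)
            continue
        if cur is None:            # junk before the first entry
            continue
        if (m := _DIR.match(line)):
            cur["dir"] = m["dir"]
        elif (m := _TIMES.match(line)):
            cur["created"] = _parse_time(m["created"])
            cur["lastused"] = _parse_time(m["lastused"])
        elif (m := _SPID.match(line)):
            cur["spid"] = int(m["spid"])
    return entries


def hits_since(entries, since):
    """Policy ids (spid) whose lastused is at/after `since`, keyed by direction.

    `since` is a string in setkey's own time format, e.g. the time you noted
    just before sending the pings.  Entries never used stay out of the result.
    """
    t0 = datetime.strptime(since, TIME_FMT)
    hits = {"in": [], "out": [], "fwd": []}
    for e in entries:
        if e["dir"] in hits and e["lastused"] is not None and e["lastused"] >= t0:
            hits[e["dir"]].append(e["spid"])
    return hits


def expected_directions(local_addrs, src, dst):
    """Directions a packet should be looked up against on a host owning
    `local_addrs`, following the thread: endpoint traffic -> IN or OUT;
    forwarded traffic -> FWD on the way in, OUT on the way out (FWD + OUT).
    Hypothetical helper for reasoning about the dump, not a kernel API."""
    if dst in local_addrs:
        return ["in"]
    if src in local_addrs:
        return ["out"]
    return ["fwd", "out"]


if __name__ == "__main__":
    # Stand-alone: read a real dump from a pipe, else fall back to the sample.
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    since = sys.argv[1] if len(sys.argv) > 1 else "Aug 25 23:40:00 2009"
    for direction, spids in hits_since(parse_spd(dump), since).items():
        print(f"{direction:>3}: {spids}")
```

With the sample dump and a reference time of "Aug 25 23:45:00 2009" only fwd policy 24 shows up, which is the kind of result that answers Panos's question of whether the MR's forwarded traffic is hitting FWD rather than IN/OUT entries. Because lastused has one-second resolution, leave a pause of a few seconds between noting the time and sending the pings, and compare two dumps rather than trusting a single one.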