[support] IPSec in NEMO BS with static keys

Romain KUNTZ kuntz at lsiit.u-strasbg.fr
Thu Aug 27 18:47:18 JST 2009


Hi,

On 2009/08/27, at 3:47, Sebastien Decugis wrote:
>> I see, maybe that should be mentioned in the nautilus website as the above
>> guide is the only one regarding ipsec and static keys and what you mentioned
>> is a huge difference in the implementation stack and makes a difference to
>> anyone trying to use it as a guide.
>>
> Well, the guide you refer to mentions that SHISA is the mobility stack of
> NetBSD and FreeBSD in its introduction... Furthermore, it's a technical
> report from 2006, we cannot really change its content.

Actually the N6 website references the document as "Configuring IPsec  
for SHISA/MIPL", I've changed it to "Configuring IPsec for SHISA". The  
content of the document itself still references MIPL, however we  
cannot modify it as it is not hosted by us.

Once we have updated our doc about UMIP and IPsec static keying, I  
will add a pointer to it just beside the one for SHISA. I hope this  
will make things clearer.


>> Judging from Romain's email there is a constant effort to update
>> documentation and maintain the code which is extremely good and helpful so
>> that more people would be interested to investigate and support this effort
>> more.
>>
> The configuration of the mobility daemon is shown in that tutorial
> (referenced from the NEMO tutorial):
> http://www.nautilus6.org/~sdecugis/dynamic_keying/Howto_dynamic_keying.html
> In the context of the tutorial, we are dealing with dynamic SA. But
> since SA are handled outside of the daemon, they can be added
> statically. You are right that this should be mentioned somewhere. I
> believe that Romain is updating his NEMO tutorial to include some notes
> about configuration of static IPsec (with your set of configuration ;) )
>
> I hope these changes will help newcomers to find their way in this
> complex world :)

Yes, I'll complete the document with the IPsec static keying  
configuration. It was in my TODO list for too long already :-/

>> You are very correct on this and it is certainly due to the lack of
>> documentation. I found some papers regarding xfrm but still they are not
>> helping a lot...

Some papers you may find useful (these may be the ones you talked about
though):

- "USAGI IPv6 IPsec Development for Linux"
http://hiroshi1.hongo.wide.ad.jp/hiroshi/papers/SAINT2004_kanda-ipsec.pdf

- "IPv6 IPsec and Mobile IPv6 implementation of Linux"
http://ols.fedoraproject.org/OLS/Reprints-2004/Reprint-Miyazawa-OLS2004.pdf

- "Linux IPv6 Stack Implementation Based on Serialized Data State"
http://hiroshi1.hongo.wide.ad.jp/hiroshi/papers/yoshifuji_Mar2004.pdf

Cheers,
romain



