[support] IPSec in NEMO BS with static keys

Georgopoulos, Panagiotis panos at comp.lancs.ac.uk
Fri Aug 28 02:56:34 JST 2009


Hello Sebastien,

	Thanks for your email. See comments below...

> -----Original Message-----
> From: Sebastien Decugis [mailto:sdecugis at hongo.wide.ad.jp]

(snip)

> > It is far from easy to realize how the rules are used :-/ When you say
> > above that the FWD + OUT rule is matched, in what case do you refer to? Is
> > it the case of an MR forwarding an MN's traffic up the tunnel? Because
> > below you are saying that a forwarded packet will not follow the OUT
> > rule...
> >
> Yes, it was more a general comment about XFRM transformation rules. You
> have IN and OUT rules. For routers, a forwarded packet would logically
> go first through IN rules, then through OUT rules. But in XFRM you also
> have FWD rules, and forwarded packets (the local node is neither source
> nor destination) will match these rules. In the case of a forwarded
> packet (yes, for example, a packet from MNN to CN, when it reaches the
> MR) the packet is matched against the FWD rules upon reception. I am not
> so sure if it also goes through OUT rules before being sent.

It seems that you remember rightly ;-)

My tests also suggest that a packet from an MNN to a CN via an MR goes
through the MR's FWD and then OUT rules. To me it seemed more logical that the
packet would go through IN rules when it reaches the MR and then follow the
FWD rule instead of OUT, but maybe this is just how my mind perceives it.

Just to clarify it again (as I do not want to confuse anyone on the list), a
packet that is being forwarded by an MR seems to follow the FWD and then the
OUT rules.

It seems that IN equals "I am going to consume the packet, the packet is
destined to me", FWD equals "the packet is not for me", and OUT is always
followed.


> In the MR for example, the forwarding is quite complex with regards to
> IPsec rules if you are protecting traffic between MR and HA. Imagine an
> MR with 2 mobile networks MN1 and MN2. You must forward packets from MN1
> to MN2 in the clear, but encrypt packets from MN1 to CN (through HA). You
> can see the complete set of rules we came to in the MR in the daemon's
> code :)

This is a good example. So, in the case of forwarding traffic from MN1 to
MN2 (and because the MR is neither source nor destination), the rules should
hit FWD and then OUT, but I guess that because there are no rules for
IPsec-ing that part, the packets should hit FWD + OUT and then be sent
unencrypted, is that right?

> 
> > You are very correct on this and it is certainly due to the lack of
> > documentation. I found some papers regarding xfrm but still they are
> > not helping a lot...
> >
> > A good idea would be to document xfrm and IPsec policies and rules
> > (probably on nepl's website) as this would help people to understand
> > the whole concept a lot more easily.
> >
> Yes, it would be great, but I think nobody in Nautilus6 has the
> resources to do that... As you may have read, the project is terminated
> and we only do volunteer support now, with limited time. But if you want
> to write such a guide, it would surely be useful for a lot of people ;)
> 

Yes, I know that the project has been terminated and it is very good to see
you guys offer your time and resources to support it voluntarily ;-)

In order for me to write a guide about these rules, I have to first
understand them very well, don't I? And this will take some time!

Thanks for your help,
Panos
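The direction rule stated in the thread (IN when the node consumes the packet, FWD then OUT when it forwards it, OUT when it originates it) and Sebastien's MN1/MN2 example can be written down as a small policy-lookup model. The following is an added example for this thread; it is not code from the Nautilus6/UMIP daemon or from either poster, and it models the behaviour reported above rather than the kernel's actual implementation. All addresses, prefixes, priorities and the policy table are constructed for illustration, and the transport-mode entries for the MR's own traffic to the HA are a placeholder, not a statement of what NEMO signalling protection looks like.

```python
"""Model of XFRM policy directions on a NEMO mobile router (MR).

Added example for this thread; not code from the Nautilus6/UMIP daemon
or from the original posts. It encodes the behaviour reported in the
thread: a packet the MR consumes is checked against IN policies, a packet
it forwards is checked against FWD policies and then OUT policies, and a
packet it originates is checked against OUT policies only. Every address,
prefix and policy below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple

Template = Tuple[IPv6Address, IPv6Address, str]   # (outer src, outer dst, mode)


@dataclass(frozen=True)
class Policy:
    direction: str              # "in", "fwd" or "out"
    src: IPv6Network
    dst: IPv6Network
    action: str                 # "ipsec" (apply template) or "allow" (pass in clear)
    priority: int               # lower wins, like `ip xfrm policy ... priority N`
    tmpl: Optional[Template] = None

    def matches(self, src: IPv6Address, dst: IPv6Address) -> bool:
        return src in self.src and dst in self.dst


def directions(src: IPv6Address, dst: IPv6Address, local_addrs) -> List[str]:
    """Policy directions the node consults, per the rule in the thread."""
    if dst in local_addrs:
        return ["in"]           # the node consumes the packet
    if src in local_addrs:
        return ["out"]          # the node originated the packet
    return ["fwd", "out"]       # forwarded: FWD on reception, then OUT on transmission


def lookup(policies, direction: str, src: IPv6Address, dst: IPv6Address):
    """First matching policy for one direction, lowest priority value first.
    None means no policy matched, which XFRM treats as 'pass in clear'."""
    candidates = sorted((p for p in policies if p.direction == direction),
                        key=lambda p: p.priority)
    for p in candidates:
        if p.matches(src, dst):
            return p
    return None


def process(policies, local_addrs, src: str, dst: str):
    """Return the (direction, action, template) steps a packet goes through."""
    s, d = ip_address(src), ip_address(dst)
    steps = []
    for direction in directions(s, d, local_addrs):
        p = lookup(policies, direction, s, d)
        steps.append((direction, p.action if p else "allow", p.tmpl if p else None))
    return steps


# Constructed topology (assumption, not from the thread): two mobile network
# prefixes MN1 and MN2 behind the MR, the MR's care-of address CoA, and the HA.
MNP = ip_network("2001:db8:1000::/48")          # covers both mobile networks
MN1 = ip_network("2001:db8:1000:1::/64")
MN2 = ip_network("2001:db8:1000:2::/64")
ANY = ip_network("::/0")
HA = ip_address("2001:db8:ffff::1")
COA = ip_address("2001:db8:cafe::2")
HOST_HA = ip_network("2001:db8:ffff::1/128")
HOST_COA = ip_network("2001:db8:cafe::2/128")
MR_LOCAL = {COA}

TUNNEL = (COA, HA, "tunnel")                    # MR-HA ESP tunnel for MNN traffic
SIGNALLING_OUT = (COA, HA, "transport")         # placeholder for MR-originated traffic
SIGNALLING_IN = (HA, COA, "transport")

POLICIES = [
    # MN1 <-> MN2 stays in the clear. Because a forwarded packet is checked
    # against FWD *and* OUT, the bypass has to exist in both directions or the
    # OUT ipsec rule below would still catch it.
    Policy("fwd", MN1, MN2, "allow", 10),
    Policy("fwd", MN2, MN1, "allow", 10),
    Policy("out", MN1, MN2, "allow", 10),
    Policy("out", MN2, MN1, "allow", 10),
    # Anything else leaving the mobile networks goes up the MR-HA tunnel.
    Policy("fwd", MNP, ANY, "ipsec", 20, TUNNEL),
    Policy("out", MNP, ANY, "ipsec", 20, TUNNEL),
    # The MR's own traffic to/from the HA: OUT-only and IN-only cases.
    Policy("out", HOST_COA, HOST_HA, "ipsec", 30, SIGNALLING_OUT),
    Policy("in", HOST_HA, HOST_COA, "ipsec", 30, SIGNALLING_IN),
]


if __name__ == "__main__":
    cases = [
        ("MNN in MN1 -> CN", "2001:db8:1000:1::10", "2001:db8:2::5"),
        ("MNN in MN1 -> MNN in MN2", "2001:db8:1000:1::10", "2001:db8:1000:2::20"),
        ("MR -> HA", str(COA), str(HA)),
        ("HA -> MR", str(HA), str(COA)),
    ]
    for label, src, dst in cases:
        print(label, "=>", process(POLICIES, MR_LOCAL, src, dst))
```

Each `Policy` line corresponds to one `ip xfrm policy add src ... dst ... dir <in|fwd|out> [action allow] priority N [tmpl ...]` entry; the first bypass, for instance, is what `ip xfrm policy add src 2001:db8:1000:1::/64 dst 2001:db8:1000:2::/64 dir fwd action allow priority 10` installs. The model deliberately leaves out what the kernel records about which SAs an inbound packet was decapsulated through, so it does not cover the HA-to-MNN direction after decapsulation; it only illustrates the FWD-then-OUT observation the thread is about and why the clear-text exception between MN1 and MN2 needs a rule in both directions.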
