[support] Dynamic keyring with racoon2 operation
Sebastien Decugis
sdecugis at hongo.wide.ad.jp
Mon Jul 6 17:26:09 JST 2009
Hi,
It's good to see that it finally worked :)
> It is like in the tutorial, but I observed that the IKEv2 change only happens when the MN moves to a foreign network for the first time.
> So when I move further to a different network, the IKEv2 exchange is not seen. Is that normal?
Yes, it is the expected behavior. IKEv2 messages are exchanged only when
the SAs (to protect BU/BA or MPS/MPA) are missing. After the SA is
created, further BU/BA can be exchanged without the need to create a new
SA. Note that IKEv2 exchanges will start again when the SA lifetime
expires (it's configured in the racoon2 configuration file), although
you will only see CHILD_SA_CREATE exchanges.
> Is IKEv2 exchanged only once, at the beginning? If yes, why doesn't it change on every move?
Creating a new SA is expensive in terms of CPU and delay, so it's better
to avoid it. Here, when the MN moves, the endpoints of the SA are updated
so that there is no need to re-negotiate the SA.
> 2. I have read that MIPv6 has a Return Routability capability, but the RR procedure is not seen in the signaling. I was trying to use the options "MNDoRouteOptimization = enabled" and "IPSec = enable", but the daemon says it's impossible. Can you tell me why?
IPsec protection for Route Optimization (RO) is not implemented yet. I
am not even sure if it is already specified. You might want to check this:
http://tools.ietf.org/html/draft-ebalard-mext-ipsec-ro-01
I don't think an implementation is available yet anyway (Arnaud can
confirm this).
> 3. Can you tell me about Tunneling Payload and protecting HoTi/CoTi?
What do you want to know?
Payload protection allows encryption of the traffic between the MN and
the HA. So, if your MN is going through an insecure network, there is no
disclosure of (maybe) sensitive data to the unsafe network. Anyway,
there is no protection of traffic between the HA and the CN, so its usefulness
might be argued (this list is not the place for this kind of debate anyway).
HoTi/CoTi are related to RO, see previous answer.
Best regards,
Sebastien.