[support] Dynamic keyring with racoon2 operation
Arnaud Ebalard
arno at natisbad.org
Mon Jul 6 17:35:20 JST 2009
Hi,
Sebastien Decugis <sdecugis at hongo.wide.ad.jp> writes:
> It's good to see that it finally worked :)
>
>> It is like in the tutorial, but I observed that the change in IKEv2
>> only happens when the MN moves to a foreign network for the first time.
>> So when I move to a further different network, the IKEv2 exchange is
>> not seen; is that normal?
>
> Yes, it is the expected behavior. IKEv2 messages are exchanged only when
> the SAs (to protect BU/BA or MPS/MPA) are missing. After the SA is
> created, further BU/BA can be exchanged without needing to create a new
> SA. Note that IKEv2 exchanges will start again when the SA lifetime
> expires (it's configured in the racoon2 configuration file), although
> you will only see CHILD_SA_CREATE exchanges.
>
>> Is IKEv2 exchanged only once, at the start? If yes, why doesn't it
>> change on every move?
>
> Creating a new SA is expensive in terms of CPU and delay, so it's better
> to avoid it. Here, when the MN moves, the endpoints of the SA are updated
> so that there is no need to re-negotiate the SA.
The mechanism to do that is specified in the following document:
http://tools.ietf.org/html/draft-ebalard-mext-pfkey-enhanced-migrate-00
>> 2. I have read that MIPv6 has a Return Routability capability, but the RR
>> procedure is not seen in the signaling, and when I was trying to use the
>> options "MNDoRouteOptimization = enabled" and "IPSec = enable" the daemon
>> said it is impossible. Can you tell me why?
>
> IPsec protection for Route Optimization (RO) is not implemented yet. I
> am not even sure whether it is already specified. You might want to check this:
> http://tools.ietf.org/html/draft-ebalard-mext-ipsec-ro-01
>
> I don't think an implementation is already available anyway (Arnaud can
> confirm this).
Yes, there is currently no usable implementation available. At the
moment, UMIP prevents the simultaneous use of an IPsec-protected data
tunnel with the HA and the use of RO with CN.
Cheers,
a+
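To make the behaviour discussed in this thread concrete (IKEv2 only on the first attachment, endpoint update on later moves, rekey only when the SA lifetime runs out), here is a small added model of what a packet capture on the MN would show. It is illustrative code written for this reply, not UMIP or racoon2 code; the lifetime value, the event list and the "MIGRATE" marker (standing in for the PF_KEY endpoint update of the draft above) are assumptions, and the rekey exchange is labelled with its IKEv2 name CREATE_CHILD_SA, which the reply above calls CHILD_SA_CREATE.

```python
"""Constructed model of when IKEv2 exchanges appear for a MIPv6 MN/HA pair.

Not UMIP/racoon2 code. The SA protecting BU/BA is negotiated once,
re-pointed on later moves by an endpoint update (MIGRATE), and rekeyed
with CREATE_CHILD_SA only when its lifetime (assumed value) expires.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class SaState:
    lifetime: int                          # CHILD_SA validity in seconds (assumed)
    coa: Optional[str] = None              # current care-of address = SA endpoint
    ike_sa: bool = False                   # IKE_SA with the HA already established
    child_expires_at: Optional[int] = None
    exchanges: List[str] = field(default_factory=list)   # what a sniffer would see

    def _ensure_sa(self, now: int) -> None:
        """Run IKEv2 only when something is actually missing or expired."""
        if not self.ike_sa:
            # First contact: IKE_SA_INIT + IKE_AUTH (IKE_AUTH also sets up the first CHILD_SA).
            self.exchanges += ["IKE_SA_INIT", "IKE_AUTH"]
            self.ike_sa = True
            self.child_expires_at = now + self.lifetime
        elif self.child_expires_at is not None and now >= self.child_expires_at:
            # Lifetime expired: rekey the CHILD_SA only; the IKE_SA is kept.
            self.exchanges.append("CREATE_CHILD_SA")
            self.child_expires_at = now + self.lifetime

    def move(self, now: int, new_coa: str) -> None:
        """MN attaches to a new network at time `now` and sends a BU to the HA."""
        if self.ike_sa:
            # Existing SA: update its outer endpoint instead of renegotiating.
            self.exchanges.append(f"MIGRATE {self.coa}->{new_coa}")
        self.coa = new_coa
        self._ensure_sa(now)
        self.exchanges.append("BU/BA")


def simulate(events: Sequence[Tuple[int, str]], lifetime: int = 3600) -> List[str]:
    """Replay (time, care-of address) attachments and return the observed exchanges."""
    st = SaState(lifetime=lifetime)
    for now, coa in events:
        st.move(now, coa)
    return st.exchanges


if __name__ == "__main__":
    # Constructed event list: three moves, the last one after the 3600 s lifetime.
    for line in simulate([(0, "coa-A"), (100, "coa-B"), (4000, "coa-C")]):
        print(line)
```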