[support] Dynamic keyring with racoon2 operation

Arnaud Ebalard arno at natisbad.org
Tue Jul 7 23:13:10 JST 2009


Hi,

Brama Subhifajar <first_shaboo at yahoo.com> writes:

>>> 3. Can you tell me about Tunneling Payload and protecting HoTi/CoTi?
>>
>>What do you want to know?
>>
>>Payload protection allows encryption of the traffic between the MN and
>>the HA. So, if your MN is going through an unsecure network, there is no
>>disclosure of (maybe) sensitive data to the unsafe network. Anyway,
>>there is no protection of traffic between HA and CN, so its usefulness
>>might be argued (this list is not the place for this kind of debate anyway).
>>
>>HoTi/CoTi are related to RO, see previous answer.
>
> first I want thank you to Sebastien Decugis and Arnaud Ebalard.
>
> the question number 3, I mean that mechanism for "Tunneling Payload
> and protecting HoTi/CoTi" what the advantages and disadvantages for
> each mechanism?
>
> and in which case tunneling payload will be better than protecting
> HoTi/CoTi and protecting HoTi/CoTi will be better than using tunneling
> payload? or there is any rule for each mechanism and operation?

Sorry, I think I fail to understand the question. CoTI are not tunneled
and are not expected to be protected by the spec so I think they are out
of scope. Then, you can either protect all tunnel traffic (e.g. if you
need privacy for your data) or only HoTI (e.g. if your tunneled data
are not worth protecting but you want authentication of your HoT*).

> I try to forge packets with Scapy6 with Sebastien Decugis way, here
> is the log on HA without IPSec :

Scapy6 has been merged upstream in scapy. You can now use Scapy directly
to do what you want. Some bugs may have been corrected in the upstream
version.

> Mon Jul  6 19:05:44 mh_bu_parse: Binding Update Received
> Mon Jul  6 19:05:45 ndisc_do_dad: Dad success
> Mon Jul  6 19:05:45 __tunnel_add: created tunnel ip6tnl1 (9) from 2001:db8:0:2:0:0:0:1 to 2001:db8:0:4:221:63ff:fe30:5e7b user count 1
> Mon Jul  6 19:05:45 MN (2001:db8:0:2:0:0:0:1) does not support IKE session movement.
> Mon Jul  6 19:05:45 mh_send_ba: status 0
> Mon Jul  6 19:05:45 mh_send: sending MH type 6
> from 2001:db8:0:2:0:0:0:1
> to 2001:db8:0:2:0:0:0:2
> Mon Jul  6 19:05:45 mh_send: remote CoA 2001:db8:0:4:221:63ff:fe30:5e7b
> Mon Jul  6 19:06:17 mh_bu_parse: Binding Update Received
> Mon Jul  6 19:06:17 tunnel_mod: modifying tunnel 9 end points with from 2001:db8:0:2:0:0:0:1 to 2001:db8:0:2:0:0:0:2
> Mon Jul  6 19:06:17 __tunnel_mod: modified tunnel iface ip6tnl1 (9)from 2001:db8:0:2:0:0:0:1 to 2001:db8:0:2:0:0:0:2
> Mon Jul  6 19:06:17 __tunnel_del: tunnel ip6tnl1 (9) from 2001:db8:0:2:0:0:0:1 to 2001:db8:0:2:0:0:0:2 user count decreased to 0
> Mon Jul  6 19:06:17 __tunnel_del: tunnel deleted
> Mon Jul  6 19:06:17 MN (2001:db8:0:2:0:0:0:1) does not support IKE session movement.
> Mon Jul  6 19:06:17 mh_send_ba: status 0
> Mon Jul  6 19:06:17 mh_send: sending MH type 6
> from 2001:db8:0:2:0:0:0:1
> to 2001:db8:0:2:0:0:0:2
> ==>Mon Jul  6 19:12:37 mh_bu_parse: Binding Update Received
> ==>Mon Jul  6 19:12:37 mh_send_ba: status 133

from http://www.iana.org/assignments/mobility-parameters/

133    Not home agent for this mobile node         [RFC3775]

> ==>Mon Jul  6 19:12:38 mh_send: sending MH type 6
> ==>from 2001:db8:0:2:0:0:0:1
> ==>to 2001:db8:0:2:0:0:0:2
> ==>Mon Jul  6 19:12:38 mh_send: remote CoA 2001:db8:0:2:221:63ff:fe30:5e7
>
> ==> : is binding update with scapy6.
>
> from log we can see that HA is accept message BU, HA is lost for
> authority BU packet, is this the disadvantage of RO?

Sorry, I don't understand. Can you clarify?
> then for Mobile IP  mechanism connection is "break before connect" or
> "connect before break"? I think it is break before connect, because I
> can see "invalid operation" or "operation is not permitted" message
> when MN move to foreign network with pinging to CN from MN, is this
> right?

Right. It's break before connect. If you have multiple interfaces, this
may not be an issue (for instance, unplugging an ethernet cable when
you also have wifi connectivity). If you only have one interface, this
is more a L2 issue than anything else.

If we had time and motivation we could specify and implement a simple
mechanism to check the connectivity with the HA on interfaces that just
came up before switching to those and possibly break a working setup.

> or is it actually connected, but the HA and MN still need
> some time to build the connection with each other, so the message
> shows "invalid operation" or "operation is not permitted"?

Those messages usually show up when the MN switches to another link but
its BU does not reach the HA. But there are other cases.

Cheers,

a+
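The status values in the `mh_send_ba` lines above are the Binding Acknowledgement status codes from the IANA mobility-parameters registry (RFC 3775): values below 128 mean the Binding Update was accepted, 128 and above mean it was refused. As an added example that is not part of this thread or of the UMIP code, here is a small Python parser that groups a home agent's log into one record per Binding Update and flags the refused ones with their registry name. The log text is a constructed, abridged copy of the lines quoted in the mail; the function and field names are my own.

```python
import re
from collections import Counter

# Constructed sample, abridged from the HA log quoted in the thread
# (three Binding Updates: two accepted, the third answered with status 133).
SAMPLE_LOG = """\
Mon Jul  6 19:05:44 mh_bu_parse: Binding Update Received
Mon Jul  6 19:05:45 ndisc_do_dad: Dad success
Mon Jul  6 19:05:45 __tunnel_add: created tunnel ip6tnl1 (9) from 2001:db8:0:2:0:0:0:1 to 2001:db8:0:4:221:63ff:fe30:5e7b user count 1
Mon Jul  6 19:05:45 mh_send_ba: status 0
Mon Jul  6 19:05:45 mh_send: sending MH type 6
from 2001:db8:0:2:0:0:0:1
to 2001:db8:0:2:0:0:0:2
Mon Jul  6 19:05:45 mh_send: remote CoA 2001:db8:0:4:221:63ff:fe30:5e7b
Mon Jul  6 19:06:17 mh_bu_parse: Binding Update Received
Mon Jul  6 19:06:17 __tunnel_del: tunnel deleted
Mon Jul  6 19:06:17 mh_send_ba: status 0
Mon Jul  6 19:12:37 mh_bu_parse: Binding Update Received
Mon Jul  6 19:12:37 mh_send_ba: status 133
Mon Jul  6 19:12:38 mh_send: remote CoA 2001:db8:0:2:221:63ff:fe30:5e7
"""

# Binding Acknowledgement status values, RFC 3775 section 6.1.8 (subset):
# below 128 the BU was accepted, 128 and above it was rejected.
BA_STATUS = {
    0: "Binding Update accepted",
    1: "Accepted but prefix discovery necessary",
    128: "Reason unspecified",
    129: "Administratively prohibited",
    130: "Insufficient resources",
    131: "Home registration not supported",
    132: "Not home subnet",
    133: "Not home agent for this mobile node",
    134: "Duplicate Address Detection failed",
    135: "Sequence number out of window",
}

# "Mon Jul  6 19:05:44 mh_send_ba: status 0" -> timestamp, function, message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} [A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<func>[A-Za-z_0-9]+): (?P<msg>.*)$"
)
STATUS_RE = re.compile(r"^status (\d+)$")
COA_RE = re.compile(r"^remote CoA (\S+)$")


def parse_ha_log(text):
    """Group HA log lines into one record per Binding Update transaction."""
    records = []
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines ("from ...", "to ...") carry no event
        ts, func, msg = m.group("ts", "func", "msg")
        if func == "mh_bu_parse" and msg == "Binding Update Received":
            current = {"received": ts, "status": None, "status_name": None,
                       "accepted": None, "coa": None, "tunnel": None}
            records.append(current)
            continue
        if current is None:
            continue  # nothing before the first BU belongs to a transaction
        if func == "mh_send_ba":
            sm = STATUS_RE.match(msg)
            if sm:
                code = int(sm.group(1))
                current["status"] = code
                current["status_name"] = BA_STATUS.get(code, "unknown status %d" % code)
                current["accepted"] = code < 128
        elif func == "mh_send":
            cm = COA_RE.match(msg)
            if cm:
                current["coa"] = cm.group(1)
        elif func == "__tunnel_add":
            current["tunnel"] = "created"
        elif func == "__tunnel_del" and msg == "tunnel deleted":
            current["tunnel"] = "deleted"
    return records


def rejected_updates(records):
    """Return (timestamp, status, name) for every BU the HA refused."""
    return [(r["received"], r["status"], r["status_name"])
            for r in records if r["accepted"] is False]


def summarize(records):
    """Count accepted, rejected and unanswered Binding Updates."""
    counts = Counter()
    for r in records:
        if r["accepted"] is None:
            counts["unanswered"] += 1
        else:
            counts["accepted" if r["accepted"] else "rejected"] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_ha_log(SAMPLE_LOG)
    for r in recs:
        print(r)
    print(summarize(recs))
    print(rejected_updates(recs))
```

Run over the sample, the third transaction comes out as rejected with "Not home agent for this mobile node", which is the registry entry Arnaud points to for status 133; the two earlier ones are accepted and carry the tunnel add/delete events that bracket them.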
