[support] Dynamic keyring with racoon2 operation

Sebastien Decugis sdecugis at hongo.wide.ad.jp
Wed Jul 8 10:15:01 JST 2009


Hello,

Brama Subhifajar wrote:
> from log we can see that HA is accept message BU, HA is lost for
> authority BU packet, is this the disadvantage of RO?

I think I see your point. You mean that even if mip6d is configured for
IPsec protection of BU/BA, it will accept non-encrypted BU when RO is
enabled (I am not sure what happens when RO is not enabled).

It is not possible in the daemon or kernel (currently) to prevent this.
The solution is to have a firewall configured on your HA to reject any
incoming BU with the Home Registration flag set, and no encryption. It
is totally separate from mip6d.

I hope I am answering the question...

Best regards,
Sebastien.
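
The filtering decision described in the message above, as an added example that is not part of the original post and is not mip6d or firewall code: it walks the IPv6 extension headers of a packet as seen on the wire and rejects a Binding Update that is readable in cleartext with the Home Registration (H) flag set. Header layout and constants follow RFC 6275; the function names and sample packets are constructed for illustration.

```python
import struct
# IPv6 next-header values and RFC 6275 constants.
HOPOPT, ROUTING, ESP, DSTOPTS, MH = 0, 43, 50, 60, 135
MH_TYPE_BU = 5        # Binding Update
BU_FLAG_H = 0x4000    # Home Registration bit of the 16-bit A|H|L|K field

def cleartext_mh(packet: bytes):
    """Return the Mobility Header if it is readable on the wire, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    nxt, off = packet[6], 40
    while nxt in (HOPOPT, ROUTING, DSTOPTS):      # skip extension headers
        if off + 2 > len(packet):
            return None
        nxt, off = packet[off], off + (packet[off + 1] + 1) * 8
    # ESP hides the payload; fragments and other protocols are not inspected here.
    return packet[off:] if nxt == MH else None

def verdict(packet: bytes) -> str:
    mh = cleartext_mh(packet)
    if mh is None:
        return "accept"
    if len(mh) < 12:
        return "reject"                            # truncated Mobility Header
    if mh[2] != MH_TYPE_BU:
        return "accept"
    (flags,) = struct.unpack_from("!H", mh, 8)
    return "reject" if flags & BU_FLAG_H else "accept"

# --- constructed sample packets (documentation addresses, zero checksums) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    addr = bytes.fromhex("20010db8000000000000000000000001")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + addr + addr + payload

def binding_update(flags: int) -> bytes:
    # proto=59 (none), hdr len=1, type=5, reserved, checksum, seq, flags, lifetime, PadN
    return struct.pack("!BBBBHHHH", 59, 1, MH_TYPE_BU, 0, 0, 1, flags, 60) + bytes([1, 2, 0, 0])

def home_addr_dstopts(next_header: int) -> bytes:
    # Destination Options header carrying PadN + Home Address option (type 201)
    return bytes([next_header, 2, 1, 2, 0, 0, 201, 16]) + bytes.fromhex("20010db8000000000000000000000002")

CLEAR_HOME_BU = ipv6(DSTOPTS, home_addr_dstopts(MH) + binding_update(0xC000))  # A+H set
CLEAR_RO_BU = ipv6(DSTOPTS, home_addr_dstopts(MH) + binding_update(0x0000))    # H clear
ESP_HOME_BU = ipv6(DSTOPTS, home_addr_dstopts(ESP) + bytes(32))                # opaque ESP payload
if __name__ == "__main__":
    for name, pkt in [("home BU, cleartext", CLEAR_HOME_BU), ("RO BU, cleartext", CLEAR_RO_BU), ("home BU in ESP", ESP_HOME_BU)]:
        print(f"{name}: {verdict(pkt)}")
```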

