[support] IKE (v2) and IPsec implementation in a NEPL context

Georgopoulos, Panagiotis panos at comp.lancs.ac.uk
Sat Feb 13 02:18:17 JST 2010


Hello Sebastien,

	Thank you very much for your reply. This is really useful indeed:) 

	Before I make some comments inline, let me try and clarify the
following. Why do we need to modify both nepl and racoon to support dynamic
keying? Is it because we want racoon to handle the creation, modification
and deletion of SAs (meaning that it should handle the SAD) and get NEPL to
handle the SPD?

	In theory, if NEPL fully supports IPSec, it should be able to handle
the SPD anyway, so for example in the case of static keying. Am I right that
NEPL does not fully support IPSec and as you said the nested case -and maybe
other scenarios- suffer? 

	I think this just verifies what I have asked in the past, that NEPL
does not currently support IPSec in the nested case even with static keys
(sorry I am not trying to be picky, just want to clarify things!)

	Please see further comments inline..

> >
> > Seeing a recent IKEv2 post and as this is something that I was also
> > looking at, I thought to ask in the list whether someone has managed
> > to get dynamic keying (i.e. IKEv2) in nepl? Do the same principles
> > described in [1] for mipv6+racoon from Sebastien apply?
> >
> 
> Almost, yes. The work on IKEv2 dynamic keying for NEPL was started when
> Nautilus6 was active, and we got it working to some extent (not many
> tests unfortunately, so there are probably some bugs around) -- but
> then unfortunately Nautilus6 was terminated.

Hmm, would it be too weird to ask to what extent? (I understand that you
might not remember but just thought to try asking!). Am I guessing right
that this work would be mainly in ipsec.c/h and keygen.c/h ?

 
> The mechanism is very similar to the one from MIPv6, except that the
> traffic selectors are more complex in some situations (example: if the
> traffic from MNN needs to be tunneled).
> In addition, I doubt that nested scenarios (a mobile node inside the
> mobile network) would work with the current implementation, it may
> require more important changes.

And I think you are right here...

> In any case, the current NEPL patch already includes our latest work on
> the dynamic keying, so you can start from there and see how it works...
> I recommend to start with:
> - dynamic keying for the mobile node, it can be tricky ^^.
> - static keying for NEPL. This also is not so simple...

..and here.. I have verified that static keying for a nested NEMO case is
not working...
(http://ml.nautilus6.org/pipermail/support/2010-February/001644.html )


In addition, Arno had verified that he had problems getting ipsec working
for a MN behind an MR (so this might lead to bugs in ipsec umip code?)...
http://ml.nautilus6.org/pipermail/support/2009-September/001592.html 


> Then you can try the "level 2" ;-)
> 
> > Has anyone got any experience or insight to share on which one of the
> > above is better and why? I am thinking of them more in a nepl
> > context, but even a more general or mipv6 discussion will be interesting;-)
> 
> In Nautilus6 we used to work with (patched) racoon2 -- since it was 2
> years ago, the patches do not apply anymore, you'll have to understand
> the changes we were doing and adapt to the new code...


