[support] IKE (v2) and IPsec implementation in a NEPL context

Romain KUNTZ kuntz at unistra.fr
Thu Feb 18 19:17:06 JST 2010


Hi,

I didn't follow the discussion from the beginning, so I'm sorry if the following was already discussed. Two problems I see with nested cases when IPsec is enabled on both the MR and the nested MR/MNN:
- MTU issues: the double IPsec'ed tunnel might cause "packet too big" errors for routers in the MR-HA path, and I'm not sure if the MR handles ICMPv6 "packet too big" messages correctly.
- The HA may have issues with double IPsec tunneled packets: I'm not sure if such packets are processed correctly on the HA side. Did you try with 2 different HAs? (one for the MR, one for the nested MR/MNN - this is a workaround but I'm pretty sure it would work).

Cheers,
romain

On 2010/02/18, at 3:06, Sebastien Decugis wrote:

> Hi,
> 
> Glad that my comments were useful :)
> 
>> In my mind having an MR behind an MR is not that tricky and can arise in the
>> real world very easily. 
> 
> If Mobile IPv6 / NEMO gets widely deployed (public transports, ...), yes
> I agree, this situation will be likely to occur (a car inside a train?
> :D ). Anyway, I honestly don't think we are close to this point right
> now :) But, please tell me if you feel otherwise!
> Two years ago, I was more under the impression that network providers
> were more interested in network-managed solutions such as PMIP6, which
> probably makes more sense from the point of view of operation. Anyway, I
> agree that NEMO can also be a network-managed solution, so it can
> eventually find its way to the "real world" -- unless "new generation"
> solutions such as id/locator split come first...
> 
>> But for the sake of understanding, indeed the
>> nested case is a further step from the simple case, that is getting an MR
>> supporting MNN :-)
>> 
> 
> Well, I must confess I was really surprised when I first heard about the
> nested case. To me it seemed only natural that it should work just "out
> of the box", since the traffic from a nested MR or an MNN should be
> exactly the same thing from the point of view of the MR and HA. But, for
> some reason (I don't remember exactly why, sorry), it is not so
> simple... Hence the need for more tests ^^.
> 
> Best regards,
> Sebastien.
> 
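
The MTU concern raised in the message above can be put into numbers. The following is an added example, not part of the original thread or of any project code: it computes how much a packet grows under two layers of ESP tunnel mode over IPv6 and how small the usable MTU becomes for the nested node. The algorithm choices (AES-CBC with HMAC-SHA1-96), the absence of extension headers and UDP encapsulation, and the sample path MTUs are assumptions.

```python
"""Size arithmetic for nested ESP tunnel-mode encapsulation over IPv6."""

IPV6_HDR = 40        # outer IPv6 header added by tunnel mode
ESP_HDR = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)
IV_LEN = 16          # assumption: AES-CBC initialization vector
BLOCK = 16           # assumption: AES-CBC block size (padding granularity)
ICV_LEN = 12         # assumption: HMAC-SHA1-96 integrity check value
IPV6_MIN_MTU = 1280  # minimum link MTU that IPv6 requires

FIXED = IPV6_HDR + ESP_HDR + IV_LEN + ICV_LEN  # per-layer constant overhead


def wrapped_size(inner: int) -> int:
    """Bytes on the wire after one ESP tunnel-mode layer around `inner`."""
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner + ESP_TRAILER) // BLOCK) * BLOCK
    return FIXED + padded


def max_inner(mtu: int) -> int:
    """Largest inner packet whose wrapped form still fits in `mtu`."""
    room = (mtu - FIXED) // BLOCK * BLOCK
    return room - ESP_TRAILER


def nested_size(inner: int, layers: int) -> int:
    """Size after `layers` successive encapsulations (nested MR, then MR)."""
    for _ in range(layers):
        inner = wrapped_size(inner)
    return inner


def effective_mtu(path_mtu: int, layers: int) -> int:
    """MTU left for the innermost sender once every layer has its overhead."""
    for _ in range(layers):
        path_mtu = max_inner(path_mtu)
    return path_mtu


if __name__ == "__main__":
    # Constructed sample path MTUs on the MR-HA path.
    for path_mtu in (1500, 1400):
        mtu = effective_mtu(path_mtu, layers=2)
        note = "below IPv6 minimum" if mtu < IPV6_MIN_MTU else "ok"
        print(f"path MTU {path_mtu}: nested node may send {mtu} bytes ({note})")
    print("1500-byte packet after two layers:", nested_size(1500, 2))
```

With these assumptions a full-size 1500-byte packet from the nested network grows to 1660 bytes, so it only gets through if the sender learns the reduced MTU from ICMPv6 "packet too big" feedback or the tunnel endpoints fragment.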


