[support] IKE (v2) and IPsec implementation in a NEPL context

Georgopoulos, Panagiotis panos at comp.lancs.ac.uk
Fri Feb 19 09:10:19 JST 2010


Hello Romain,

	Thanks for jumping in as what you say is useful!

	Let's set aside the MTU issue for now, the problem seems to be
exactly that; the HA does not process the double tunnelled packet right
(Sebastien: it is not actually the nested MR that has the problem. The
nested MR side seems to work fine as we thought and it works as "just
another IPv6 device" from the gateway MR's point of view).

	So the problem is that (at least this is what I see in wireshark)
the HA removes the first tunnel correctly and then drops the packet (it
doesn't seem to reiterate it in order to catch double/triple tunnelling
cases). Sadly, I haven't had the time to debug this properly (yet), but if
this is indeed the problem, then Romain might be right that if the packet
from the nested MR is then destined to another HA, it might work! I'll try
this out and let you know..

	Cheers,
	Panos



> -----Original Message-----
> From: Romain KUNTZ [mailto:kuntz at unistra.fr]
> Sent: Thursday, February 18, 2010 10:17
> To: Sebastien Decugis
> Cc: Georgopoulos, Panagiotis; support at jules.nautilus6.org
> Subject: Re: [support] IKE (v2) and IPsec implementation in a NEPL context
> 
> Hi,
> 
> I didn't follow the discussion from the beginning, so I'm sorry if the
> following was already discussed. Two problems I see with nested cases when
> IPsec is enabled on both the MR and the nested MR/MNN:
> - MTU issues: the double IPsec'ed tunnel might cause packet too bigs for
> routers in the MR-HA path, and I'm not sure if the MR handles ICMPv6 "packet
> too big" messages correctly.
> - The HA may have issues with double IPsec tunneled packets: I'm not sure if
> such packets are processed correctly on the HA side. Did you try with 2
> different HA? (one for the MR, one for the nested MR/MNN - this is a
> workaround but I'm pretty sure it would work).
> 
> Cheers,
> romain
> 
> On 2010/02/18, at 3:06, Sebastien Decugis wrote:
> 
> > Hi,
> >
> > Glad that my comments were useful :)
> >
> >> In my mind having an MR behind an MR is not that tricky and can arise in the
> >> real world very easily.
> >
> > If Mobile IPv6 / NEMO gets widely deployed (public transports, ...), yes
> > I agree, this situation will be likely to occur (a car inside a train?
> > :D ). Anyway, I honestly don't think we are close to this point right
> > now :) But, please tell me if you feel otherwise!
> > Two years ago, I was more under the impression that network providers
> > were more interested by network-managed solutions such as PMIP6, which
> > probably makes more sense from the point of view of operation. Anyway, I
> > agree that NEMO can also be a network-managed solution, so it can
> > eventually find its way to the "real world" -- unless "new generation"
> > solutions such as id/locator split come first...
> >
> >> But for the sake of understanding, indeed the
> >> nested case is a further step from the simple case, that is getting an MR
> >> supporting MNN :-)
> >>
> >
> > Well, I must confess I was really surprised when I first heard about the
> > nested case. To me it seemed only natural that it should work just "out
> > of the box", since the traffic from a nested MR or an MNN should be
> > exactly the same thing from the point of view of the MR and HA. But, for
> > some reason (I don't remember exactly why, sorry), it is not so
> > simple... Hence the need for more tests ^^.
> >
> > Best regards,
> > Sebastien.
> 
