2 Feb 2006 20:46
Re: does mobike support end-to-end use of tunnel mode?
Joe Touch <touch <at> ISI.EDU>
2006-02-02 19:46:03 GMT
Erik Nordmark wrote:
> Pasi.Eronen <at> nokia.com wrote:
>
>> Well... if you have host-to-host tunnel mode IPsec working in a
>> secure manner, MOBIKE could work as well. But this situation
>> is pretty rare.
>
> Clarifying question: for this case are you assuming that the inner and
> outer IP addresses for the tunnel must be different?
>
> I think tunnel mode can be used (per the RFCs even if implementations
> might not handle it) where the inner and outer IP addresses are the same.

In that case, it doesn't seem like the inner packet should be accepted. The outer packet would be accepted because it matches an IPsec rule and is properly signed. The inner packet, after decapsulation, should match the same rule, at which point it should look like an unsigned packet, which should be discarded.

Joe
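The processing sequence Joe describes, as an added example in Python (not code from the thread or from any IPsec implementation): an ESP tunnel-mode packet whose inner and outer addresses are identical is run through an SPD that requires protection for that address pair. The addresses, SPI, key, rule names and the `sec_path` field are all constructed for the demo. Only integrity is modelled, since that is the "properly signed" part of the argument; encryption, replay windows and real ESP framing are left out. The `remember_protection` switch contrasts the two outcomes: re-checking the decapsulated packet with no memory of the SA it came from (it is discarded as unsigned, exactly as Joe says) versus tagging it with the SA that authenticated it (it is accepted).

```python
"""Toy model of inbound IPsec processing for tunnel mode with identical
inner and outer addresses.  Constructed example; all names are made up."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                            # "esp" for a protected packet, else the ULP ("tcp", ...)
    spi: int = 0                          # only meaningful when proto == "esp"
    payload: Optional["Packet"] = None    # inner packet when proto == "esp"
    icv: bytes = b""                      # integrity check value over the ESP packet
    # Decapsulation context: SPIs of the SAs this packet arrived inside.
    # Hypothetical field name; Linux keeps the same fact in the skb secpath.
    sec_path: List[int] = field(default_factory=list)


@dataclass
class SpdRule:
    src: str                              # address or "any"
    dst: str
    action: str                           # "PROTECT", "BYPASS" or "DISCARD"


@dataclass
class SA:
    spi: int
    src: str
    dst: str
    key: bytes                            # integrity key (constructed for the demo)


def _auth_bytes(pkt: Packet) -> bytes:
    """Bytes covered by the ICV: outer header, SPI and the inner packet."""
    inner = pkt.payload
    return f"{pkt.src}|{pkt.dst}|{pkt.spi:#x}|{inner.src}|{inner.dst}|{inner.proto}".encode()


def compute_icv(sa: SA, pkt: Packet) -> bytes:
    return hmac.new(sa.key, _auth_bytes(pkt), hashlib.sha256).digest()


def spd_lookup(spd: List[SpdRule], pkt: Packet) -> SpdRule:
    for rule in spd:
        if rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst):
            return rule
    return SpdRule("any", "any", "DISCARD")   # nothing matched: drop


def inbound(spd, sad, pkt, remember_protection) -> Tuple[str, str]:
    """Process one inbound packet; returns (verdict, reason).

    remember_protection=False re-runs the SPD check on the decapsulated
    packet with no memory of the SA it came from (the outcome Joe describes).
    True tags the inner packet with the SA that authenticated it, so the
    PROTECT rule is satisfied on the second pass."""
    if pkt.proto == "esp":
        sa = sad.get(pkt.spi)
        if sa is None or (sa.src, sa.dst) != (pkt.src, pkt.dst):
            return "DISCARD", "no SA for this SPI/address pair"
        if not hmac.compare_digest(compute_icv(sa, pkt), pkt.icv):
            return "DISCARD", "integrity check failed"
        inner = pkt.payload
        if remember_protection:
            inner.sec_path = pkt.sec_path + [sa.spi]
        return inbound(spd, sad, inner, remember_protection)   # back through the pipeline
    rule = spd_lookup(spd, pkt)
    if rule.action == "BYPASS":
        return "ACCEPT", "bypass rule"
    if rule.action == "PROTECT":
        if pkt.sec_path:
            return "ACCEPT", f"protected by SPI {pkt.sec_path[-1]:#x}"
        return "DISCARD", "unprotected packet matches a PROTECT rule"
    return "DISCARD", "discard rule"


def make_tables(key: bytes):
    sad = {0x1001: SA(0x1001, "10.0.0.1", "10.0.0.2", key)}
    spd = [SpdRule("10.0.0.1", "10.0.0.2", "PROTECT")]
    return spd, sad


def tunnel_with_same_addresses(remember_protection: bool, tamper: bool = False):
    """Inner and outer addresses are both 10.0.0.1 -> 10.0.0.2."""
    spd, sad = make_tables(b"constructed-demo-key")
    inner = Packet("10.0.0.1", "10.0.0.2", "tcp")
    outer = Packet("10.0.0.1", "10.0.0.2", "esp", spi=0x1001, payload=inner)
    outer.icv = compute_icv(sad[0x1001], outer)
    if tamper:
        outer.payload = Packet("10.0.0.1", "10.0.0.2", "udp")   # body altered after signing
    return inbound(spd, sad, outer, remember_protection)


def plain_packet():
    """A cleartext packet for the same address pair, never wrapped in ESP."""
    spd, sad = make_tables(b"constructed-demo-key")
    return inbound(spd, sad, Packet("10.0.0.1", "10.0.0.2", "tcp"), True)


if __name__ == "__main__":
    print("no memory of SA :", tunnel_with_same_addresses(False))
    print("with sec_path   :", tunnel_with_same_addresses(True))
    print("tampered        :", tunnel_with_same_addresses(True, tamper=True))
    print("cleartext       :", plain_packet())
```

The difference between the two runs is the whole point of the question: with identical inner and outer addresses the SPD cannot tell the decapsulated packet from a forged cleartext one by its selectors alone, so the stack has to carry the decapsulation context along with the packet. RFC 4301's inbound path does this by checking the decapsulated packet against the selectors of the SA that carried it rather than treating it as a fresh cleartext packet, and Linux records the same fact in the skb secpath; an implementation that simply re-injects the inner packet at the top of the pipeline behaves like the `remember_protection=False` case.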