Jari Arkko | 3 Feb 2006 15:21

Re: does mobike support end-to-end use of tunnel mode?

Erik Nordmark wrote:

> If you apply MOBIKE to such a case, then you end up with unsolved 
> address ownership issues, because the existence of the IPsec SAs, 
> which now use a different outer remote address, will prevent a 
> different host which has "inherited" that outer address from 
> establishing a SA with the same peer.

Let's talk about this case first without the inner=outer case. Generally,
you can have multiple IKEv2 SAs from the same address, and the fact
that they are from the same address says nothing about their "sameness";
the SAs have their own authorization, keying material, etc. Even if they
come from the same address, they might have different inner
address authorizations, for instance.

Secondly, the inner and outer addresses are also unrelated. What's
in the outer address does not necessarily play any role in the authorization
of specific inner addresses in the child SAs.

Thirdly, MOBIKE is not a fully fledged mobility protocol in the same
way as SHIM6 or MIPv6 are. Specifically, it does not provide its own
stable identifier, but relies instead on the inner addresses for being
stable. This implies that it's incompatible with the model where
inner=outer or where transport mode is used. (That does not mean,
however, that it would be impossible to extend it to do these things.)

> Clarifying question: for this case are you assuming that the inner and 
> outer IP addresses for the tunnel must be different?
>
> I think tunnel mode can be used (per the RFCs even if implementations 
> might not handle it) where the inner and outer IP addresses are the same. 

It can, but I don't think there's any magic associated with it. It's still
the same old child SA authorization that applies. If your PAD is
correctly set up, you can start with inner=outer and then move
to another location while keeping your inner address the same.

--Jari
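An added illustration of the authorization model discussed in this thread (not code from the thread or from any IKEv2 implementation): inner addresses are authorized against the PAD entry for the peer's authenticated identity, SAs are tracked by SPI rather than by outer address, and a MOBIKE address update changes only the outer address. All identities, addresses and function names below are constructed for the example.

```python
# Toy model of IKEv2 child-SA authorization under MOBIKE. Hypothetical names;
# this is an illustration of the argument above, not an IKEv2 implementation.
from dataclasses import dataclass
import itertools

# Constructed PAD: authenticated identity -> inner addresses it may claim.
# Note that the outer address the peer happens to use appears nowhere here.
PAD = {
    "alice@example.com": {"10.0.0.5"},
    "bob@example.com": {"10.0.0.9"},
    "carol@example.com": {"198.51.100.7"},   # used below for inner=outer
}

_spi = itertools.count(1)

@dataclass
class IkeSa:
    spi: int
    peer_id: str
    outer_peer: str   # current remote outer address; MOBIKE may change it
    inner_peer: str   # child-SA traffic selector; fixed for the SA's lifetime

class Responder:
    def __init__(self):
        self.sas = {}   # keyed by SPI, never by outer address

    def ike_auth(self, peer_id, outer_peer, inner_peer):
        """IKE_AUTH: the inner address is checked only against the PAD."""
        if inner_peer not in PAD.get(peer_id, set()):
            raise PermissionError(f"{peer_id} not authorized for {inner_peer}")
        sa = IkeSa(next(_spi), peer_id, outer_peer, inner_peer)
        self.sas[sa.spi] = sa
        return sa

    def update_sa_addresses(self, spi, new_outer_peer):
        """MOBIKE UPDATE_SA_ADDRESSES: only the outer address moves."""
        self.sas[spi].outer_peer = new_outer_peer
        return self.sas[spi]

    def sas_from_outer(self, outer):
        """Several distinct SAs may legitimately share one outer address."""
        return [s for s in self.sas.values() if s.outer_peer == outer]
```

Running the model shows that a second peer which "inherits" a moved peer's old outer address still gets its own SA, and that an SA started with inner=outer keeps its inner address after moving.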
