For network layer security, two models are applicable: end-to-end
security, e.g. using IPsec transport mode, or security that is
limited to the wireless portion of the network, e.g. using a
security gateway and IPsec tunnel mode. The disadvantage of the
latter is the larger header size, which is significant at the
6lowpan frame MTUs. To simplify
I am not in favor of security gateway, but if we do, it will not
necessarily increase the packet overhead of lowpan because I assume
the security gateway will be at the edge of the lowpan network - right?
The security gateway is at the edge and converts unsecured packets on
the outside into secured packets on the inside by encapsulating them
in ESP.
This is called tunnel mode, so the whole packet is encapsulated, and
we finally have two IP headers.
The inner IP header, as it is protected (integrity protected and
encrypted) is not subject to 6lowpan header compression, unless we
invent a new scheme for compressing within ESP (but see also draft-
ertekin-rqts-hcoipsec-01.txt).
If we implement IPSec tunnel mode - in lowpan then there is a
significant overhead which is not desirable. Should we even consider
IPSec tunnel mode within the 6lowpan network? Or does the above mean
that the IPSec tunnel is at the security gateway?
Well, it starts at the security gateway and ends at the 6lowpan
device in order to secure the 6lowpan part of the path.
In effect, we are making the life of the 6lowpan device harder in
order to make the life of the extra-6lowpan system easier.
Not a tradeoff I particularly like, which is why I prefer end-to-end
security (transport mode).
In conjunction with IPSec, we also need to mention that 6lowpan
will need to choose an
appropriate key-management scheme applicable for 6lowpan
characteristics.
Right.
Bob proposed looking at IKEv2 and finding a suitable profile (subset)
that is small enough to be implementable in 6lowpan devices.
Regards, Carsten
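
The tunnel-mode cost discussed in this thread, worked through as byte accounting. This is an added example, not part of the original message; the transforms (AES-CBC with HMAC-SHA1-96) and the 100-byte frame budget are assumptions chosen for illustration.

```python
# Added example: ESP byte accounting, transport vs. tunnel mode.
# Assumed transforms (not named in the thread): AES-CBC (16-byte IV and
# block size) with HMAC-SHA1-96 (12-byte ICV).
IPV6_HDR = 40     # fixed IPv6 header; in tunnel mode the inner copy is encrypted
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


def esp_size(mode, payload_len, iv_len=16, block=16, icv_len=12):
    """Bytes from the ESP header through the ICV for one packet.

    payload_len is the upper-layer data (e.g. UDP header plus data).
    The outer IPv6 header is excluded: it stays in the clear and is
    still open to 6lowpan header compression in both modes.
    """
    if payload_len < 0:
        raise ValueError("payload_len must be non-negative")
    if mode == "transport":
        inner = payload_len
    elif mode == "tunnel":
        inner = IPV6_HDR + payload_len   # whole original packet is encapsulated
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # Pad so that data + padding + trailer fills whole cipher blocks.
    pad = -(inner + ESP_TRAILER) % block
    return ESP_HDR + iv_len + inner + pad + ESP_TRAILER + icv_len


def max_payload(mode, budget, **kw):
    """Largest payload whose ESP portion fits in `budget` bytes, or -1."""
    best = -1
    for n in range(budget + 1):
        if esp_size(mode, n, **kw) <= budget:
            best = n
    return best


if __name__ == "__main__":
    budget = 100   # constructed figure: bytes left in one frame for ESP
    for n in (8, 20, 40):
        t, u = esp_size("transport", n), esp_size("tunnel", n)
        print(f"payload {n:3d}: transport {t:3d}  tunnel {u:3d}  extra {u - t}")
    for mode in ("transport", "tunnel"):
        print(mode, "max payload in", budget, "bytes:", max_payload(mode, budget))
```

Because of block padding, the encrypted inner header costs 32 or 48 bytes per packet under these assumptions rather than exactly 40.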