On 05/19/2014 02:53 PM, Miika Komu wrote:
> Hi,
>
> On 05/19/2014 09:08 PM, Robert Moskowitz wrote:
>> I have a real need to provide ESP tunnel mode from a HIP client to a
>> gateway. The world just won't go as nicely as I would have wanted it
>> to.
>
> location-based security is old fashioned :(
>
> At the application layer, tunnel mode may have some implications on
> the IPv4-IPv6 interoperability aspects of HIP.

I have thought a lot about this, and BOY does it ever mess this up.
There would need to be IPv4/v6 signalling within the ESP tunnel to make
this work. The VPN interface (separate from the HIP interface) would
'know' if the incoming packet was v4 or v6, and would tag the ESP header
appropriately?
Or no, wait, not so simple. Actually the addresses ARE in the inner
headers, I am getting confused with a HIP proxy that does not maintain
an identity for each non-HIP host :) But can ESP tunnel mix and match
v4 and v6 inner packets...
Oh my head hurts!