Mark, Mark Smith wrote:
5.1 The above assumes that organisations don't immediately deploy true end-to-end, opportunistic transport mode IPsec between nodes. That being said, if they did deploy end-to-end opportunistic transport mode IPsec, they still can't use site-local addressing when communicating over the Internet.
Well, if the site-local addresses are globally unique, it actually *is* possible to use them internally in the hosts as you communicate over the Internet using an end-to-end IPsec tunnel. You just need some more intelligence and a translation that is very similar to Bellovin's host NAT. In such a case the site-local globally unique addresses would act as end-point identifiers, and they would never be seen on the wire. The hosts would themselves translate them into "normal" IP addresses as a part of IPsec processing. The benefit is that the static global "addresses" protect the applications from address changes caused by mobility, multi-homing and renumbering.
From one point of view, that's the essence of HIP backward compatibility mode. You use global, statistically unique identifiers instead of IP addresses at the application layer, map these to IPsec SAs, and then use normal IP addresses when communicating over the Internet.

Host ID -> SA -> current IP address(es) of the peer

The details are in Bob Moskowitz's HIP drafts.
5.2 I've been meaning to look into whether the ipsec working group have done any work on anything similar to my "bump-in-the-wire transport mode pseudo tunnel" ipsec model but haven't got around to it. I've been intending to bring this up in that working group if they haven't. I've been a bit busy recently organising an interstate move unfortunately.
The HIP people have been discussing a "HIP gateway" which would be functionally more-or-less identical to your bump-in-the-wire pseudo-tunnel. Not quite, but close. Furthermore, if we changed the HIP specs so that there was an SL/GUPI compatible wire format for Host Identifiers, the "HIP gateway" would become even closer to your bump-in-the-wire pseudo-tunnel, though with an interesting twist....

--Pekka Nikander

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
