Re: [Ipsec] IPv6 with Ipsec and Racoon issue
Jari Arkko <jari.arkko@piuha.net> Wed, 16 May 2007 06:47 UTC
Message-ID: <464AA8E2.40109@piuha.net>
Date: Wed, 16 May 2007 09:46:58 +0300
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Thunderbird 1.5.0.10 (X11/20070306)
MIME-Version: 1.0
To: Philip Bellino <pbellino@mrv.com>
Subject: Re: [Ipsec] IPv6 with Ipsec and Racoon issue
References: <4D8794260B62C940BBA7150CC5EB3BD4B4ABD7@bosmail.BOS.int.mrv.com>
In-Reply-To: <4D8794260B62C940BBA7150CC5EB3BD4B4ABD7@bosmail.BOS.int.mrv.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: IPsec <ipsec@ietf.org>
Philip,

> Running ipsec-tools-0.6.7 on a Linux client and host.
> I use Racoon with pre-shared keys and Security Policies with ESP/AHs
> configured for IPv4 and IPv6.
>
> There is no problem with IPv4.
>
> I see a chicken and the egg problem with IPv6.
>
> An ICMPv6 Neighbor Solicitation goes from Host A to Host B. This is
> o.k. because it is not subject to IPsec.
> The ICMPv6 Neighbor Discovery from Host B is not o.k. because since
> there exists a SP that requires ESP/AH, it triggers an SA negotiation.

I wrote a draft about this many, many years ago:

http://www.arkko.com/publications/draft-arkko-icmpv6-ike-effects-01.txt
http://www.arkko.com/publications/draft-arkko-manual-icmpv6-sas-01.txt

Basically, you need to set up specific policies to avoid running IPv6 ND
under IKE-negotiated SAs. An implementation that I had in the 1990s did
this automatically. Some other implementations that I know have this
hardcoded, too. Not sure what Racoon does, maybe you need to specify
policies manually.

The problems that we ran into were also a reason for creating SEND (RFC
3971), which is a non-IPsec based security mechanism for ND.

Jari

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
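The chicken-and-egg problem Philip describes and the remedy Jari gives (bypass policies for IPv6 Neighbor Discovery ordered ahead of the blanket require-ESP policy) can be seen in a small model of the security policy database. The following is an added example written for this archive page; it is not code from the thread, from ipsec-tools or from racoon. It models a first-match SPD lookup in Python with constructed hosts in the 2001:db8::/32 documentation prefix, assumes (as in a KAME-style SPD) that a packet matching no policy is passed unprotected, and uses a per-ICMPv6-type selector that is part of the model, not a claim about setkey(8) syntax. In a real ipsec-tools deployment the equivalent of `ND_BYPASS` is a set of `spdadd ... -P in none` / `-P out none` policies for the ND message types placed before the `require` policies; check your setkey(8) for how your version lets a policy select on ICMPv6 type, and run the `unprotected_nd_gaps` style audit against your own SPD rather than assuming racoon adds the bypass for you.

```python
"""Model of the IPv6 ND / IKE chicken-and-egg problem (added example).

Shows that without explicit bypass policies for Neighbor Discovery, the
unicast Neighbor Advertisement from host B to host A matches the
require-ESP policy and would trigger IKE before any SA exists, while the
Neighbor Solicitation from A (sent to a multicast group) does not match
and passes. This reproduces the asymmetry reported in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address
from typing import Optional

ICMPV6 = 58
TCP = 6
# ICMPv6 Neighbor Discovery message types (RFC 4861): RS, RA, NS, NA, Redirect.
ND_TYPES = (133, 134, 135, 136, 137)


@dataclass(frozen=True)
class Policy:
    src: str                   # source prefix, e.g. "2001:db8::a/128" or "::/0"
    dst: str                   # destination prefix
    proto: Optional[int]       # upper-layer protocol number; None = any
    icmp6_type: Optional[int]  # ICMPv6 type selector (model only); None = any
    action: str                # "none" (bypass IPsec) or "require" (ESP/AH needed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    icmp6_type: Optional[int] = None


def matches(policy: Policy, pkt: Packet) -> bool:
    """True if the packet falls within all of the policy's selectors."""
    if ip_address(pkt.src) not in IPv6Network(policy.src):
        return False
    if ip_address(pkt.dst) not in IPv6Network(policy.dst):
        return False
    if policy.proto is not None and policy.proto != pkt.proto:
        return False
    if policy.icmp6_type is not None and policy.icmp6_type != pkt.icmp6_type:
        return False
    return True


def lookup(spd, pkt: Packet) -> str:
    """First-match SPD lookup; an unmatched packet is passed unprotected
    (assumption of this model, see the lead-in)."""
    for policy in spd:
        if matches(policy, pkt):
            return policy.action
    return "none"


def needs_ike(spd, pkt: Packet) -> bool:
    """A 'require' verdict with no SA installed yet is what kicks off IKE."""
    return lookup(spd, pkt) == "require"


# Constructed hosts (documentation prefix) and B's solicited-node group.
HOST_A = "2001:db8::a"
HOST_B = "2001:db8::b"
SOLICITED_NODE_B = "ff02::1:ff00:b"

# Policies as the original poster appears to have them: ESP required for
# all traffic between the two hosts, nothing said about ND.
NAIVE_SPD = [
    Policy(f"{HOST_A}/128", f"{HOST_B}/128", None, None, "require"),
    Policy(f"{HOST_B}/128", f"{HOST_A}/128", None, None, "require"),
]

# The remedy from the reply: explicit bypass entries for every ND message
# type, ordered ahead of the require policies so they win the first match.
ND_BYPASS = [Policy("::/0", "::/0", ICMPV6, t, "none") for t in ND_TYPES]
FIXED_SPD = ND_BYPASS + NAIVE_SPD

SAMPLE_PACKETS = {
    "ns_a_to_b": Packet(HOST_A, SOLICITED_NODE_B, ICMPV6, 135),  # NS to multicast
    "na_b_to_a": Packet(HOST_B, HOST_A, ICMPV6, 136),            # unicast NA back
    "tcp_a_to_b": Packet(HOST_A, HOST_B, TCP),                   # application data
}


def report(spd) -> dict:
    """Verdict per sample packet for the given SPD."""
    return {name: lookup(spd, pkt) for name, pkt in SAMPLE_PACKETS.items()}


def unprotected_nd_gaps(spd, hosts) -> list:
    """Audit helper: (src, dst, type) ND combinations between the hosts that
    would still hit a 'require' policy, i.e. still dead-lock on IKE."""
    gaps = []
    for s in hosts:
        for d in hosts:
            if s == d:
                continue
            for t in ND_TYPES:
                if needs_ike(spd, Packet(s, d, ICMPV6, t)):
                    gaps.append((s, d, t))
    return gaps


if __name__ == "__main__":
    for label, spd in (("naive", NAIVE_SPD), ("with ND bypass", FIXED_SPD)):
        print(label, report(spd),
              "ND gaps:", len(unprotected_nd_gaps(spd, [HOST_A, HOST_B])))
```

Running the block prints the naive SPD letting the NS through but demanding ESP for the NA (ten ND gaps in total across both directions), and the fixed SPD bypassing all ND while still requiring ESP for the TCP flow. Ordering matters in the fix: the same bypass entries appended after the require policies would never be reached.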