ipsec November 2007 archive
ipsec: RE: [Mobike] [IPsec] RE: TS updates in MOBIKE

From: <Pasi.Eronen_at_nospam>
Date: Mon Nov 05 2007 - 07:22:56 GMT
To: <vidyan@qualcomm.com>

Vidya Narayanan wrote:

> The use case that I presently have in mind is the following. IPsec
> is used in some cases to protect Mobile IPv6 (MIP6) signaling. Some
> systems differentiate between trusted accesses and untrusted
> accesses and while IPsec is always used for MIP6 signaling
> protection in both cases, additional data protection using IPsec may
> be needed over untrusted access networks (between the same
> endpoints). When a mobile is moving from a trusted to untrusted
> access, its IP address changes, but, it also, at the same time,
> needs to update its SA to start protecting all traffic. At the
> moment, the mobile, just to handle this handoff case, needs to do a
> MIP6 signaling exchange, a MOBIKE exchange and a CREATE_CHILD_SA
> exchange. The first two are unavoidable and can happen in parallel,
> while the third one has to occur after the MOBIKE exchange
> completes. This is a latency hit in the critical path that can be
> avoided if the UPDATE_SA notify payload can be part of the
> CREATE_CHILD_SA exchange.

If the IKE implementation supports a window size larger than 1, can't the Informational exchange (with UPDATE_SA notify payload) and the CREATE_CHILD_SA exchange occur in parallel, too?

Best regards,
