Stephen Pisano pisano at alcatel-lucent.com
Thu Aug 5 20:51:01 CEST 2010


Does strongSwan/Linux IPSEC have any specific provisions for dealing with
ICMPv6 neighbor discovery?  

For example, to deal with the IKE chicken-and-egg problem described in
"Limitations of IPsec Policy Mechanisms" by Arkko and Nikander:

"Let us assume that Alice wants to communicate with Bob over the local link.
Since all she initially has is Bob's IP address, she must first find Bob's
link layer address. To do so, she must run the Neighbor Discovery protocol.
Now, if all traffic between Alice and Bob is expected to be secured, this
would imply that even the messages used for finding Bob's link-layer address
would have to be secured. In order to secure these messages, a security
association between Alice and Bob needs to be established. To do so, some
UDP packets would have to be exchanged first, in order to run IKE or the
non-existing multicast key management protocol. However, in order to send
such UDP packets, the link-layer address of Bob would have to be known to
Alice, and vice versa."
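The usual way out of the chicken-and-egg problem on Linux is to exempt Neighbor Discovery from the SPD altogether: the kernel's xfrm policy database accepts "bypass" policies (a policy with no `tmpl`), and a bypass policy with a better (lower) priority than the IPsec policies wins, so RS/RA/NS/NA/Redirect are sent and accepted in the clear while everything else is still forced through the SA. The script below is an added example, not code from the original post or from strongSwan; it assumes a host where `ip` (iproute2) is available and the caller has CAP_NET_ADMIN, and the `DRY_RUN` switch and the priority value of 1 are my choices, not anything the page states.

```shell
#!/bin/sh
# Added example: install (or remove) Linux xfrm bypass policies for ICMPv6
# Neighbor Discovery so that ND never needs an IPsec SA.
#
# In the Linux kernel an xfrm policy with no template ("tmpl ...") is an
# allow/bypass policy.  Priority 1 sorts it ahead of the policies strongSwan
# installs, so ND is matched here first and never reaches the IPsec rules.
# Assumptions (mine, not from the original post): iproute2 is installed,
# CAP_NET_ADMIN is available when DRY_RUN is not set, and priority 1 is low
# enough for your SPD (check with `ip xfrm policy show`).

# ICMPv6 message types used by Neighbor Discovery (RFC 4861):
# 133 Router Solicitation, 134 Router Advertisement,
# 135 Neighbor Solicitation, 136 Neighbor Advertisement, 137 Redirect.
ND_TYPES="133 134 135 136 137"

# run: execute a command, or just print it when DRY_RUN=1 (for review on a
# host where you do not want to touch the SPD yet).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nd_bypass_policies add|delete
# ND is link-local and is never forwarded, so only the "in" and "out"
# directions get a bypass policy; "fwd" is deliberately left alone.
# The selector is keyed on protocol + ICMPv6 type only, so it matches
# both the unicast and the solicited-node multicast forms of ND.
nd_bypass_policies() {
    action="$1"
    case "$action" in
        add|delete) ;;
        *) echo "usage: nd_bypass_policies add|delete" >&2; return 2 ;;
    esac
    for t in $ND_TYPES; do
        for dir in in out; do
            run ip xfrm policy "$action" src ::/0 dst ::/0 \
                proto ipv6-icmp type "$t" dir "$dir" priority 1 || return 1
        done
    done
}

# nd_bypass_expected_count: number of policies the function installs
# (5 ND types x 2 directions); handy for a post-install sanity check
# against `ip xfrm policy show | grep -c 'proto ipv6-icmp'`.
nd_bypass_expected_count() {
    n=0
    for t in $ND_TYPES; do
        n=$((n + 2))
    done
    echo "$n"
}

# Only act when invoked as a script with an explicit verb, e.g.
#   DRY_RUN=1 sh nd-bypass.sh add      # show what would be installed
#   sh nd-bypass.sh add                # install (needs CAP_NET_ADMIN)
#   sh nd-bypass.sh delete             # remove again
case "${1:-}" in
    add|delete) nd_bypass_policies "$1" ;;
esac
```

Two caveats worth checking on your own box before relying on this: the bypass only helps if the kernel actually consults the SPD for ND, so confirm with `ip xfrm policy show` that your IPsec policies have a higher priority number than 1 and that ND traffic (tcpdump on `icmp6 and ip6[40] >= 133 and ip6[40] <= 137`) flows with no SA in `ip xfrm state`; and strongSwan can install equivalent bypass policies itself through a `type=passthrough` connection with `auto=route`, which is the better option if you want them to live and die with the daemon rather than with a separate script. Router Advertisements are the one ND message that carries real configuration (prefixes, default router), so bypassing them means trusting the link for that information, exactly as an unprotected IPv6 host does.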


