From: Timo T. <tim...@ik...> - 2008-10-29 06:34:33
Arnaud Ebalard wrote:
> Timo Teräs <tim...@ik...> writes:
>>>> - patch 3: I'd rather not use sa_ prefix because I find that a
>>>> bit confusing. All related addresses are SA addresses
>>> Hum, on the contrary, not always. src/dst attributes of phase 2 handle
>>> are unrelated to the SA addresses for transport mode when MIPv6 is
>>> used (src is usually the CoA, sa_src is the HoA). src/dst are *always*
>> Oh? I thought it was the other way? src being HoA and sa_src CoA as
>> sa_src is the thing modified by migrate message.
>
> From a general standpoint,
>[snip]
>
> So, to answer the question, for MIPv6 on the MN, w.r.t struct ph2handle:
>
> transport mode: src is the CoA (IKE @), sa_src is the HoA (endpoint of SA)
> tunnel mode: src is the CoA, sa_src is expected to be NULL (or the CoA too)
>
> Note that local and remote value in pk_recvmigrate() are given by the
> KMADDRESS extension.

Sorry for the confusion. I should have read your rfc draft in the first place.
I was expecting this to do something it wasn't designed to do. It makes a
whole lot more sense now :)

>>> the address used by IKE as source and destination for exchanging
>>> packets associated with that SA. When IKE addresses and SA addresses
>>> differ, *then* sa_src/sa_dst are no more NULL and they provide access to
>>> the endpoints of the SA.
>> So sa_* is the actual end point = CoA?
>
> sa_src/sa_dst, if not NULL are the address of the SA endpoints. Which is
> the CoA for tunnel mode and HoA for transport mode.

Right.

>>>> they just need to be used in different situations. I'd be more happy
>>>> with 'coa' from mip6 terminology or something similar.
>>> Even if it is usually the CoA that the MIPv6 module will choose for the
>>> address to be used by the IKE daemon, this might be another address: the
>>> best description for those addresses would be km_src/km_dst or
>>> ike_src/ike_dst.
>> So essentially the src/dst is used for all IKE messages and the other pair
>> for all esp/ah messages? How about ipsec_{src,dst}?
>
> I let you decide but I initially decided to use sa_* because those are
> always the addresses of the SA endpoints, even for tunnel mode. There is
> no way one will make a confusion with tunnel selectors for instance.
> Having ipsec_* may be less explicit, IMHO. But if you are more
> comfortable with that, I will change it. Just tell me.

ipsec_* might not be the best term either. Not actually sure what would
be the best. I'm starting to think that sa_* as you used, might be the
sensible thing.

-timo