
BEET

Bound End-to-End Tunnel mode for ESP. InfraHIP, Diego Beltrami. Overview: draft-nikander-esp-beet-mode-03.txt; a new IPsec mode in addition to transport and tunnel modes; essential for a clean interface from HIP implementations to the OS kernel. Current status.


Presentation Transcript


  1. Bound End-to-End Tunnel mode for ESP
     InfraHIP, Diego Beltrami
     BEET

  2. Overview
     • draft-nikander-esp-beet-mode-03.txt
     • New IPsec mode in addition to transport and tunnel modes
     • Essential for a clean interface from HIP implementations to the OS kernel

  3. Current status
     • It took three months to implement the patch successfully
     • The patch for Linux kernel 2.6.12.2 has been submitted to the Linux community
     • Discussion about whether to implement BEET for AH as well is ongoing

  4. Features
     • The implementation is similar to the tunnel mode API. As a result, the SP contains the inner addresses and the SA the outer ones
     • A mandatory virtual device for BEET (like sit0, etc.) could have been introduced, but we chose not to, because protocols other than HIP may want to bind the inner addresses freely to whatever interface they choose

  5. Testing 1
     • In order to assure the quality of the patch, some tests have been carried out. All tests were successful
     • Does not break transport and tunnel mode
     • All inner/outer combinations with varying test applications: ICMP, ICMP6, FTP, SSH, nc, nc6
     • Works with fragmented packets
     • Interoperability with HIPL
     • Real machines, virtual machines
     • Tested with a long data stream

  6. Testing 2
     • Mobility and multihoming have also been tested with the patch and they work fine:
     • During a TCP session, the IP addresses of the device and interfaces have been changed manually, as well as the Security Associations
     • As a result, the TCP traffic continued successfully with different outer addresses and different interfaces

  7. Conclusion
     • The major difficulty in the implementation was the hybrid cases, where the address families of the outer and inner addresses differ
     • The BEET patch is waiting for acceptance into the Linux source tree
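The SP/SA split from slide 4, the outer-address change from slide 6 and the hybrid inner/outer address-family case from slide 7, as an added example that is not part of the presentation or of the kernel patch: a small Python model of BEET header handling in which the SA carries the outer pair (as in tunnel mode) and is bound to a fixed inner pair, the sender drops the inner IP header, and the receiver rebuilds it from the SA. Encryption, padding and the ICV are left out, and the BeetSA class, function names and addresses are constructed for illustration.

```python
import ipaddress, struct

ESP = 50  # IP protocol number of ESP

def ipv4_header(src, dst, proto, payload_len):
    """Plain 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum >> 16) + (csum & 0xFFFF)
    csum = ~(csum + (csum >> 16)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def ipv6_header(src, dst, proto, payload_len):
    """Plain 40-byte IPv6 header (version 6, no extension headers)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, proto, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def ip_header(src, dst, proto, payload_len):
    build = ipv4_header if ipaddress.ip_address(src).version == 4 else ipv6_header
    return build(src, dst, proto, payload_len)

class BeetSA:
    """Constructed model of one BEET SA: outer pair as in tunnel mode, plus the bound inner pair."""
    def __init__(self, spi, inner_src, inner_dst, outer_src, outer_dst):
        self.spi, self.seq = spi, 0
        self.inner = (inner_src, inner_dst)
        self.outer = (outer_src, outer_dst)

def beet_encap(sa, proto, payload):
    """Sender: as in transport mode, only ESP + transport payload go on the wire."""
    sa.seq += 1
    # Simplified ESP: SPI, sequence number, payload, next-header byte (no padding or ICV).
    esp = struct.pack("!II", sa.spi, sa.seq) + payload + bytes([proto])
    return ip_header(sa.outer[0], sa.outer[1], ESP, len(esp)) + esp

def beet_decap(sa, wire):
    """Receiver: strip the outer header, rebuild the inner header (of the inner family) from the SA."""
    outer_len = 20 if wire[0] >> 4 == 4 else 40
    esp = wire[outer_len:]
    spi, _seq = struct.unpack("!II", esp[:8])
    if spi != sa.spi:
        raise ValueError("SPI does not match this SA")
    payload, proto = esp[8:-1], esp[-1]
    return ip_header(sa.inner[0], sa.inner[1], proto, len(payload)) + payload

def rebind_outer(sa, outer_src, outer_dst):  # mobility/multihoming: only the outer pair changes
    sa.outer = (outer_src, outer_dst)
    return sa
```

With an IPv4 inner pair bound to an IPv6 outer pair, the wire packet is IPv6 + ESP with no IPv4 header inside, and the receiver still hands the transport layer an IPv4 packet; rebinding the outer pair leaves that rebuilt inner packet unchanged.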
