Bound End-to-End Tunnel mode for ESP InfraHIP Diego Beltrami BEET Bound End-to-End Tunnel mode for ESP InfraHIP Diego Beltrami

Overview draft-nikander-esp-beet-mode-03.txt New IPsec mode in addition to transport and tunnel modes Essential for clean interface from HIP implementations to OS kernel

Current status It took three months to implement the patch successfully Patch for Linux Kernel 2.6.12.2 has been submitted to the Linux community Discussion about whether implement BEET also for AH is going on

Features The implementation is similar to the tunnel mode API. As a result the SP contains the inner addresses and SA the outer A mandatory virtual device for BEET (like sit0, etc.) could have been introduced but we chose not to because some other protocols than HIP may want to bind the inner addresses freely to whatever interface they choose

Testing 1 In order to assure the quality of the patch some tests have been carried out. All tests were successful Does not break transport and tunnel mode All inner-outer combinations with varying test applications: ICMP, ICMP6, FTP, SSH, nc, nc6 Works with fragmented packets Interoperability with HIPL Real machines, virtual machines Tested with long data stream

Testing 2 Mobility and multihoming have also been tested with the patch and they work fine: During a TCP session IP addresses of the device and interfaces have been changed manually as well as the Security Associations As a result the TCP traffic continued successfully with different outer addresses and different interfaces

Conclusion The major difficulty in the implementation was the hybrid cases where the address families of the outer and inner addresses are different BEET patch is waiting for acceptance in the Linux tree source