RFC8994 says: 6.8.3.1. Native IPsec

An ACP node that is supporting native IPsec MUST use IPsec in tunnel mode, negotiated via IKEv2, and with IPv6 payload (e.g., ESP Next Header of 41). It MUST use local and peer link-local IPv6 addresses for encapsulation. Manual keying MUST NOT be used, see Section 6.2.

Traffic Selectors are:

TSi = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
TSr = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)

IPsec tunnel mode is required because the ACP will route and/or forward packets received from any other ACP node across the ACP secure channels, and not only its own generated ACP packets. With IPsec transport mode (and no additional encapsulation header in the ESP payload), it would only be possible to send packets originated by the ACP node itself because the IPv6 addresses of the ESP must be the same as that of the outer IPv6 header.

----

I know that we did many rounds to get this right, but I feel that maybe we did it wrong.

The goal is packets that look like:

(a) IPv6-LL ESP[nh=41] IPv6-ULA[1] ULP

Rather than packets that look like:

(b) IPv6-LL ESP(nh=41) IPv6-LL[nh=41,4] IPv6-ULA[2] ULP

The TS are "everything", so one in fact needs policy based routing on top of this in order to make anything work.

What we actually want are transport-mode ESP packets that transport IPIP packets between ACP nodes. It looks identical to (a) on the wire, but it's wired into the network stack slightly differently.

Why didn't we say this?

--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
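To make the wire-format argument in the message concrete, here is an added example (not from the post or from RFC 8994) that builds the three encapsulations as bytes and walks their next-header chains: (a) tunnel-mode ESP, (b) tunnel-mode ESP carrying an IPv6-in-IPv6 packet, and transport-mode ESP applied to an IPv6-in-IPv6 tunnel packet. ESP is modelled with NULL encryption and no ICV so the trailer is readable without keys; the SPI, link-local and ULA addresses and the UDP payload are constructed values.

```python
import struct
from ipaddress import IPv6Address

ESP, IPV6, UDP = 50, 41, 17          # IP protocol / next-header numbers

def ipv6_hdr(src, dst, nh, payload_len):
    # Minimal IPv6 header: version 6, zero traffic class/flow label, hop limit 64
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, nh, 64,
                       IPv6Address(src).packed, IPv6Address(dst).packed)

def esp(payload, nh, spi=0x1000, seq=1):
    # ESP with NULL encryption and no ICV (constructed so the trailer is readable);
    # the 2-byte trailer is pad length (0) followed by the next-header value
    return struct.pack("!II", spi, seq) + payload + bytes([0, nh])

def ip6ip6(outer_src, outer_dst, inner):
    # Plain IPv6-in-IPv6 tunnel encapsulation (next header 41)
    return ipv6_hdr(outer_src, outer_dst, IPV6, len(inner)) + inner

def esp_tunnel(local_ll, peer_ll, inner):
    # Tunnel-mode ESP as RFC 8994 6.8.3.1 mandates: the whole inner packet is the ESP payload
    body = esp(inner, IPV6)
    return ipv6_hdr(local_ll, peer_ll, ESP, len(body)) + body

def esp_transport(pkt):
    # Transport-mode ESP: keep the packet's own IPv6 header, insert ESP after it
    body = esp(pkt[40:], pkt[6])
    return pkt[:4] + struct.pack("!HB", len(body), ESP) + pkt[7:40] + body

def header_chain(pkt):
    # Walk the next-header chain of a packet built above and describe each layer
    chain, nh = [], IPV6
    while nh in (IPV6, ESP):
        if nh == IPV6:
            plen, nh = struct.unpack("!H", pkt[4:6])[0], pkt[6]
            src, dst = IPv6Address(pkt[8:24]), IPv6Address(pkt[24:40])
            chain.append(f"IPv6 {src}->{dst} nh={nh}")
            pkt = pkt[40:40 + plen]
        else:
            nh = pkt[-1]             # next header lives in the ESP trailer
            chain.append(f"ESP nh={nh}")
            pkt = pkt[8:-2]
    chain.append({UDP: "UDP"}.get(nh, f"proto {nh}"))
    return chain

LOCAL_LL, PEER_LL = "fe80::1", "fe80::2"    # constructed link-local endpoints
SRC_ULA, DST_ULA = "fd00::1", "fd00::2"     # constructed ACP ULA addresses
ULP = bytes(8) + b"ACP"                     # constructed dummy UDP header + payload
acp_packet = ipv6_hdr(SRC_ULA, DST_ULA, UDP, len(ULP)) + ULP

layout_a = esp_tunnel(LOCAL_LL, PEER_LL, acp_packet)                              # (a)
layout_b = esp_tunnel(LOCAL_LL, PEER_LL, ip6ip6(LOCAL_LL, PEER_LL, acp_packet))   # (b)
layout_c = esp_transport(ip6ip6(LOCAL_LL, PEER_LL, acp_packet))                    # transport ESP + IPIP

if __name__ == "__main__":
    for name, pkt in [("a", layout_a), ("b", layout_b), ("transport+ip6ip6", layout_c)]:
        print(name, len(pkt), header_chain(pkt))
```

Running it shows that transport-mode ESP over an IPv6-in-IPv6 packet is byte-identical to layout (a), while layout (b) carries one extra 40-byte IPv6 header per packet.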
