Thamilarasu Kandasamy (thamil) writes:
> IPv6 nodes use Neighbor Discovery messages for address resolution as
> defined in RFC 4861. However, on an IPv6 node having an IPsec
> implementation, if there is an SPD entry with a selector that covers all
> IP traffic, Neighbor Discovery messages could potentially be discarded
> (especially during system reload) and IKE negotiation be initiated. But
> this would eventually fail as the node hasn't yet determined the
> link-layer address for the given IPv6 address. RFC 4301 is not
> explicit about according any 'special' treatment to Neighbor Discovery
> messages. Like in the case of IKE messages, shall we make provisions for
> ND messages to bypass IPsec protection? Would appreciate
> feedback/comments from the working group!
RFC 4301 says that all kinds of traffic go through the SPD, including
management traffic, which also includes IPsec management traffic such as
IKE. This means that your SPD needs to explicitly have bypass rules for
local management traffic, i.e. things like DHCP, neighbor discovery,
router advertisement, router solicitation, and IKE (both IPv4 and IPv6,
and both the normal IKE port and the NAT-T IKE port).

So all of those rules should be just like normal IPsec SPD rules; they
should not be hardwired into the system (you can of course provide an
easy way to add all of them, for example if you do not turn the "no
default management rules" option on, then all of those rules are added
automatically when you start your IPsec service).
-- 
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
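The point made in the reply above, as an added example that is not part of the original thread: a minimal model of an RFC 4301 SPD lookup (an ordered list of selectors, first match wins, no match means DISCARD) run against a neighbor solicitation, IKE, DHCPv6 and ordinary traffic. It shows the three SPD shapes discussed: a catch-all PROTECT entry alone (the situation in the question, where ND would trigger IKE), the bypass entries placed before the catch-all, and the same bypass entries placed after the catch-all, where they are never reached. The selector model is simplified (whole-address-range selectors, no port ranges, a port set matched against either end, no interface scoping); the packet contents are constructed samples. The ICMPv6 ND types (133 to 137) and the UDP ports for IKE (500, 4500) and DHCPv6 (546, 547) are standard values, not taken from the thread.

```python
# Added example (not from the original thread): a minimal model of an
# RFC 4301 Security Policy Database (SPD) lookup, used to show why the
# bypass entries listed in the reply must exist and must precede the
# catch-all PROTECT entry.  The SPD is an ordered list; first match wins.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import FrozenSet, List, Optional, Tuple

ICMPV6, UDP, TCP = 58, 17, 6
# RFC 4861 Neighbor Discovery ICMPv6 types: RS, RA, NS, NA, Redirect
ND_TYPES = frozenset({133, 134, 135, 136, 137})
IKE_PORTS = frozenset({500, 4500})       # IKE and NAT-T IKE (UDP)
DHCPV6_PORTS = frozenset({546, 547})     # DHCPv6 client / server (UDP)
ANY = IPv6Network("::/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class SpdEntry:
    name: str
    action: str                              # "BYPASS", "DISCARD" or "PROTECT"
    src: IPv6Network = ANY
    dst: IPv6Network = ANY
    proto: Optional[int] = None              # None = any protocol
    icmp_types: Optional[FrozenSet[int]] = None
    ports: Optional[FrozenSet[int]] = None   # simplified: match either port

    def matches(self, pkt: Packet) -> bool:
        if IPv6Address(pkt.src) not in self.src or IPv6Address(pkt.dst) not in self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.icmp_types is not None and pkt.icmp_type not in self.icmp_types:
            return False
        if self.ports is not None and not ({pkt.sport, pkt.dport} & self.ports):
            return False
        return True


def spd_lookup(spd: List[SpdEntry], pkt: Packet) -> Tuple[str, str]:
    """Return (entry name, action) of the first matching SPD entry.
    RFC 4301 section 4.4.1: traffic matching no entry is discarded."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.name, entry.action
    return "<no match>", "DISCARD"


def action_for(spd: List[SpdEntry], pkt: Packet) -> str:
    return spd_lookup(spd, pkt)[1]


# Management-traffic bypass entries the reply says the SPD must carry.
MGMT_BYPASS = [
    SpdEntry("nd-bypass", "BYPASS", proto=ICMPV6, icmp_types=ND_TYPES),
    SpdEntry("ike-bypass", "BYPASS", proto=UDP, ports=IKE_PORTS),
    SpdEntry("dhcpv6-bypass", "BYPASS", proto=UDP, ports=DHCPV6_PORTS),
]
CATCH_ALL = SpdEntry("protect-all", "PROTECT")   # selector covering all IP traffic

SPD_CATCH_ALL_ONLY = [CATCH_ALL]                 # the situation in the question
SPD_CORRECT = MGMT_BYPASS + [CATCH_ALL]          # bypasses first, then catch-all
SPD_MISORDERED = [CATCH_ALL] + MGMT_BYPASS       # bypasses present but unreachable

# Constructed sample packets (not captured traffic).
NEIGHBOR_SOLICIT = Packet("fe80::1", "ff02::1:ff00:2", ICMPV6, icmp_type=135)
ROUTER_SOLICIT = Packet("::", "ff02::2", ICMPV6, icmp_type=133)
IKE_INIT = Packet("2001:db8::1", "2001:db8::2", UDP, sport=500, dport=500)
IKE_NATT = Packet("2001:db8::1", "2001:db8::2", UDP, sport=4500, dport=4500)
DHCPV6_SOLICIT = Packet("fe80::1", "ff02::1:2", UDP, sport=546, dport=547)
PING6 = Packet("2001:db8::1", "2001:db8::2", ICMPV6, icmp_type=128)
HTTPS = Packet("2001:db8::1", "2001:db8::2", TCP, sport=40000, dport=443)

if __name__ == "__main__":
    for label, spd in (("catch-all only", SPD_CATCH_ALL_ONLY),
                       ("bypass then catch-all", SPD_CORRECT),
                       ("catch-all then bypass", SPD_MISORDERED)):
        print(label)
        for pkt in (NEIGHBOR_SOLICIT, ROUTER_SOLICIT, IKE_INIT, IKE_NATT,
                    DHCPV6_SOLICIT, PING6, HTTPS):
            print(f"  proto={pkt.proto} type={pkt.icmp_type} dport={pkt.dport}:",
                  spd_lookup(spd, pkt))
```

With only the catch-all entry, the neighbor solicitation resolves to PROTECT, which is exactly the case where the node would start IKE toward a peer whose link-layer address it cannot yet resolve. With the bypass entries ahead of the catch-all, ND, IKE and DHCPv6 resolve to BYPASS while ping and HTTPS still resolve to PROTECT; with the same entries after the catch-all they are never consulted, so ordering is as much a part of the fix as the entries themselves. In a real SPD the IKE bypass would normally be narrowed to the node's own addresses rather than `::/0`.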
