Hello,

During testing, the UNH-IOL has encountered a behavior with regards to the handling of Traffic Selectors that causes interoperability issues.

The issue centers around the handling of this quote from RFC 5996, Section 2.9:

“To enable the responder to choose the appropriate range in this case, if the initiator has requested the SA due to a data packet, the initiator SHOULD include as the first Traffic Selector in each of TSi and TSr a very specific Traffic Selector including the addresses in the packet triggering the request.”

We've seen that implementations acting as the responder handle the Very Specific Traffic Selector in different ways, resulting in non-interoperability. Some implementations reject the connection, due to not matching configured selectors, while other implementations accept only this traffic selector, inadvertently narrowing the tunnel.

This also causes a detrimental oddity when the data packet causing SA creation is an ICMPv6 Echo Request. In this case, both TSi and TSr indicate ICMPv6, type 80, Code 00. This is a special case, since ICMP has no source and destination port. What should the proper behavior be for a packet type with no source and destination port?

The UNH-IOL would very much appreciate any thoughts the Working Group might have regarding this behavior!

Best Regards,
Timothy Carlin

----
Timothy Carlin
UNH-IOL
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
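As an added illustration (not part of the mailing-list message or any implementation mentioned in it), the following sketch shows one reading of the RFC 5996 Section 2.9 responder behavior the post asks about: the very specific first selector is used only to pick which configured range applies, the broader proposed selectors are then narrowed to that range, and the ICMP "no ports" case is handled by the Type/Code-in-port-field encoding from Section 3.13.1. The policy ranges, addresses and the `narrow`/`demo` helpers are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

ICMPV6 = 58  # IP protocol number for ICMPv6

@dataclass(frozen=True)
class TrafficSelector:
    proto: int                          # IP protocol number, 0 = any
    start_port: int
    end_port: int
    start_addr: ipaddress.IPv6Address
    end_addr: ipaddress.IPv6Address

def ts(proto, start_port, end_port, start_addr, end_addr):
    return TrafficSelector(proto, start_port, end_port,
                           ipaddress.IPv6Address(start_addr), ipaddress.IPv6Address(end_addr))

def icmp_port(icmp_type, code):
    """RFC 5996 3.13.1: for ICMP the 16-bit port field carries Type in the
    high byte and Code in the low byte, so a 'portless' protocol still
    yields a comparable port range."""
    return (icmp_type << 8) | code

def intersect(a, b):
    """Overlap of two selectors, or None when they are disjoint."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    sp, ep = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    sa, ea = max(a.start_addr, b.start_addr), min(a.end_addr, b.end_addr)
    if sp > ep or sa > ea:
        return None
    return TrafficSelector(a.proto or b.proto, sp, ep, sa, ea)

def narrow(proposed, policy):
    """Responder narrowing (one reading of RFC 5996 2.9, an assumption here):
    the very specific first selector chooses the configured range; the
    remaining, broader proposed selectors are narrowed to that range.
    Returns None where the responder would answer TS_UNACCEPTABLE."""
    specific, rest = proposed[0], proposed[1:] or proposed
    fitting = [pol for pol in policy if intersect(specific, pol) == specific]
    if not fitting:
        return None
    chosen = [r for p in rest if (r := intersect(p, fitting[0])) is not None]
    return chosen or None

def demo():
    """Constructed sample: an ICMPv6 Echo Request (type 128 = 0x80, code 0) from
    2001:db8:1::5 triggered the SA; the initiator sends the specific selector
    first and its configured /64 second; the responder has two candidate ranges."""
    policy = [ts(0, 0, 65535, "2001:db8::", "2001:db8::ffff:ffff:ffff:ffff"),
              ts(0, 0, 65535, "2001:db8:1::", "2001:db8:1::ffff:ffff:ffff:ffff")]
    proposed = [ts(ICMPV6, icmp_port(128, 0), icmp_port(128, 0), "2001:db8:1::5", "2001:db8:1::5"),
                ts(0, 0, 65535, "2001:db8:1::", "2001:db8:1::ffff:ffff:ffff:ffff")]
    return narrow(proposed, policy)
```

With this reading the tunnel covers the whole matching /64 for any protocol rather than collapsing to the single ICMPv6 type/code selector, which is the narrowing behavior the post reports from some responders.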
