te36 <t...@cs.fau.de> wrote:
    > Assume i have a p2p subnet with two routers attached. I want to use IPsec
    > to protect all IPv6 traffic on that subnet and make it "invisible" to all
    > IP protocols as much as possible. So i set up an IPsec SA between the two
    > and set the SPD on both sides to protect all traffic.

    > So this will work fine, and i vendors are supporting it, but i am not 
    > of an RFC specifying this. For example, what would you put into the 
    > address option of IPv6 ND packets. I assume this would be the underlying
    > link-layer address (eg: ethernet address), but thats not 100% obvious.

I have no idea why you would asking that question.
What link layer are you speaking about?  It's just IP inside the tunnel.
Why would there be ND inside the tunnel?  It's a PPP tunnel.

    > So, thats the simple case. Lets consider now i have 3 (or 30) routers on 
a LAN and
    > want to protect it with IPsec. Usually, i could not create multiple SAs
    > across a single interface (from what i have seen in products). There are
    > products that allow you to create a virtual IPsec subnet, but those are 
    > eg: you create a full mesh of SAs and on every router you see two separate
    > virtual IPsec p2p interfaces, each operating the same as the above p2p 
    > except that the implementation might be different.


    > But i would rather like to see a single multiaccess subnet interface on 
    > router so that i can fully reflect the underlying topology. And any 
    > using multicast would continue to operate. Its not really that difficult,
    > as i already said in my first email:

The reason you don't see such a specification is because it isn't specified.
While we have some multicast key management protocols for IPsec, they aren't
aimed at securing a subnet.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

IPsec mailing list

Reply via email to