On Tue, Feb 25, 2020 at 10:17:30PM +0200, Yoav Nir wrote:
> ipsec is this group's mailing list. I don't know that there even is an
> [email protected] <mailto:[email protected]>
Yepp. Silly me. Didn't check that ipsecme was keeping the old mailing list name.
> I read a little more. Hope you don't mind.
>
> The profile seems fine to me.
Great!
> There is one thing that I think is missing.
>
> The profile specifies that the ACP nodes should use tunnel mode (when GRE is
> not used), because:
> IPsec tunnel mode is required because the ACP will route/forward
> packets received from any other ACP node across the ACP secure
> channels, and not only its own generated ACP packets. With IPsec
> transport mode, it would only be possible to send packets originated
> by the ACP node itself.
> OK. When IKEv2 is used to negotiate tunnel-mode SAs (and transport mode, but
> that's not important here) they need an IPsec policy that specifies traffic
> selectors so that IKEv2 can specify traffic selectors. Nowhere in your draft
> do I see a specification of what traffic selectors need to be negotiated.
>
> If I understand the above paragraph correctly, both the source of the packet
> and the destination can be the IP address of any ACP node, neither of which
> are required to be the tunnel endpoints. This implies some sort of generic
> traffic selector. The draft should specify this, IMO
Great catch.
How about:
The traffic selector for the SA MUST be set to IPv6 ANY ANY (::/0, ::/0).
(was trying to find an RFC with the same requirement, but too difficult to grep
;-)
Cheers
toerless
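The exchange above turns on what an "IPv6 ANY ANY" traffic selector looks like on the wire and why an endpoint-only selector would break forwarded ACP traffic. The following is an added example, not code from the thread, the ACP draft or any IKE implementation: it encodes and parses the TSi/TSr payload body per RFC 7296 section 3.13.1 (TS type TS_IPV6_ADDR_RANGE = 8, a 40-octet selector, IP protocol 0 and port range 0..65535 meaning "any"), then checks a constructed forwarded packet against a /128 endpoint-only policy and against (::/0, ::/0). The ULA addresses, ports and protocol number are constructed sample values.

```python
"""Build, parse and evaluate IKEv2 IPv6 traffic selectors (RFC 7296, section 3.13.1)."""
import ipaddress
import struct

TS_IPV6_ADDR_RANGE = 8   # TS Type for an IPv6 address range
IPV6_TS_LENGTH = 40      # 8-octet selector header + two 16-octet IPv6 addresses
PROTO_ANY = 0            # IP Protocol ID 0 means "any protocol"
PORT_ANY = (0, 0xFFFF)   # port range 0..65535 means "any port"


def ts_from_prefix(prefix, proto=PROTO_ANY, ports=PORT_ANY):
    """Express an IPv6 prefix as one address-range selector (::/0 gives :: .. ffff:...:ffff)."""
    net = ipaddress.IPv6Network(prefix)
    return {"proto": proto, "start_port": ports[0], "end_port": ports[1],
            "start_addr": net.network_address, "end_addr": net.broadcast_address}


def encode_ts_payload(selectors):
    """Serialize the body of a TSi/TSr payload; the generic IKEv2 payload header is not included."""
    body = struct.pack("!B3x", len(selectors))  # Number of TSs, then 3 RESERVED octets
    for ts in selectors:
        body += struct.pack("!BBHHH", TS_IPV6_ADDR_RANGE, ts["proto"], IPV6_TS_LENGTH,
                            ts["start_port"], ts["end_port"])
        body += ts["start_addr"].packed + ts["end_addr"].packed
    return body


def decode_ts_payload(data):
    """Parse a TSi/TSr payload body back into selector dicts, rejecting malformed input."""
    if len(data) < 4:
        raise ValueError("truncated traffic selector payload")
    count, offset, selectors = data[0], 4, []
    for _ in range(count):
        if len(data) < offset + 8:
            raise ValueError("truncated selector header")
        ts_type, proto, length, sp, ep = struct.unpack_from("!BBHHH", data, offset)
        if ts_type != TS_IPV6_ADDR_RANGE:
            raise ValueError("only TS_IPV6_ADDR_RANGE is handled here")
        if length != IPV6_TS_LENGTH or len(data) < offset + length:
            raise ValueError("bad selector length")
        start = ipaddress.IPv6Address(data[offset + 8:offset + 24])
        end = ipaddress.IPv6Address(data[offset + 24:offset + 40])
        if start > end or sp > ep:
            raise ValueError("inverted address or port range")
        selectors.append({"proto": proto, "start_port": sp, "end_port": ep,
                          "start_addr": start, "end_addr": end})
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after last selector")
    return selectors


def selector_matches(ts, addr, port, proto):
    """One selector covers (addr, port, proto) when all three fall inside its ranges."""
    return ((ts["proto"] == PROTO_ANY or ts["proto"] == proto)
            and ts["start_port"] <= port <= ts["end_port"]
            and ts["start_addr"] <= ipaddress.IPv6Address(addr) <= ts["end_addr"])


def sa_permits(tsi, tsr, src, dst, sport, dport, proto):
    """A child SA carries the packet if some TSi covers the source and some TSr the destination."""
    return (any(selector_matches(t, src, sport, proto) for t in tsi)
            and any(selector_matches(t, dst, dport, proto) for t in tsr))


# Constructed ACP-style ULA addresses (sample values, not taken from the draft)
ENDPOINT_A = "fd00:0:0:1::1"      # tunnel endpoint, initiator side
ENDPOINT_B = "fd00:0:0:1::2"      # tunnel endpoint, responder side
FORWARDED_SRC = "fd00:0:0:2::3"   # another ACP node whose packet A forwards
FORWARDED_DST = "fd00:0:0:3::4"   # another ACP node reached through B


def compare_policies(proto=6, sport=40000, dport=7):
    """Evaluate a locally generated packet and a forwarded one against both policies."""
    policies = {
        "endpoint_only": ([ts_from_prefix(ENDPOINT_A + "/128")],
                          [ts_from_prefix(ENDPOINT_B + "/128")]),
        "any_any": ([ts_from_prefix("::/0")], [ts_from_prefix("::/0")]),
    }
    results = {}
    for name, (tsi, tsr) in policies.items():
        results[name] = {
            "own": sa_permits(tsi, tsr, ENDPOINT_A, ENDPOINT_B, sport, dport, proto),
            "forwarded": sa_permits(tsi, tsr, FORWARDED_SRC, FORWARDED_DST, sport, dport, proto),
        }
    return results


if __name__ == "__main__":
    wire = encode_ts_payload([ts_from_prefix("::/0")])
    print(wire.hex())                     # 01000000 08002800 00ffff 00*16 ff*16
    print(decode_ts_payload(wire))
    print(compare_policies())
```

Per RFC 7296 section 2.9 the responder may narrow the proposed selectors, so an ACP implementation should check that the selectors actually negotiated still equal (::/0, ::/0), or the forwarded-packet case above fails silently at the SPD even though the SA came up.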
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec