Yoav Nir <[email protected]> wrote:
> The profile specifies that the ACP nodes should use tunnel mode (when
> GRE is not used), because: IPsec tunnel mode is required because the
> ACP will route/forward packets received from any other ACP node across
> the ACP secure channels, and not only its own generated ACP packets.
It's a VTI-type interface.
The TS should be for hostA<->hostB with protocol GRE.
It could be in tunnel or transport mode.
hostA and hostB are identified, btw, with IPv6 LL addresses.
> If I understand the above paragraph correctly, both the source of the
> packet and the destination can be the IP address of any ACP node,
> neither of which are required to be the tunnel endpoints. This implies
> some sort of generic traffic selector. The draft should specify this,
> IMO
The GRE layer and the routing protocol would take care of the ::/0<->::/0
needs, not IPsec.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
