Dear ipsec WG,

When working on a VPN implementation we found that it's very difficult to rely on IPv6 ESP packets because many networks drop them, so even if IKE negotiation succeeds, the data plane might be broken. Worse, this can happen on migrate, blackholing an existing session until the problem is detected and fixed with another migration.

In many cases, I think a simple "pre-flight check" to see if ESP is supported on a given network path could solve this problem. So after a few conversations with folks here I put together this draft. It provides the equivalent of an ESP ping packet.

Comments and feedback appreciated.

Cheers,
Lorenzo

---------- Forwarded message ---------
From: <[email protected]>
Date: Tue, Jul 25, 2023 at 7:01 PM
Subject: New Version Notification for draft-colitti-ipsecme-esp-ping-00.txt
To: Lorenzo Colitti <[email protected]>

A new version of I-D, draft-colitti-ipsecme-esp-ping-00.txt has been successfully submitted by Lorenzo Colitti and posted to the IETF repository.

Name: draft-colitti-ipsecme-esp-ping
Revision: 00
Title: ESP Echo Protocol
Document date: 2023-07-25
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/archive/id/draft-colitti-ipsecme-esp-ping-00.txt
Status: https://datatracker.ietf.org/doc/draft-colitti-ipsecme-esp-ping/
Html: https://www.ietf.org/archive/id/draft-colitti-ipsecme-esp-ping-00.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-colitti-ipsecme-esp-ping

Abstract:
This document defines an ESP echo function which can be used to detect whether a given network path supports IPv6 ESP packets.

The IETF Secretariat
