Jen Linkova <[email protected]> wrote:
    > On Tue, Jan 23, 2024 at 10:10 PM Michael Richardson
    > <[email protected]> wrote:
    >> While the whole point of the SPI7/8 mechanism is that it can be operated
    >> completely without IKEv2 involved at all.

    > So I was working on the text which focuses on SPI7/8 case only, when I
    > got stuck.
    > Let's say a device sends an ESP Echo request packet but no replies are
    > received.
    > How can the sender differentiate between:
    > - there is a problem with e2e ESP connectivity
    > - the receiver doesn't support ESP Ping, so the packet with SPI=7 is
    > just silently discarded?

They can't.  That's okay.
When they determine that they can't prove good connectivity, they will start
investigating the source of the bad connectivity, and the next step would be
to go to the receiver side and start ESP Ping Requests.
Note that they do not necessarily have to do that from the IPsec gateway
machine.  They do discover whether it supports this feature, though, which
helps them distinguish the case.  Yes, often this involves walking some
inexperienced person through some menus they didn't know about, and that has
failure cases all of its own.  But, for the case where two semi-competent
admins are debugging a site-to-site tunnel configuration, there is still a win.

It is possible to send ESP Ping Requests (in IPv6 world) from any machine
behind the gateway, assuming the gateway doesn't try to put them in a tunnel,
*or* from any machine adjacent to the gateway.  It's the plug my laptop in on
the DMZ and debug stuff technique.

    > It looks like the ESP ping capability needs to be negotiated.
    > The question is: shall it be another IKEv2 Configuration attribute or
    > smth else?
    > Anyway it means that the proposed mechanism can not be completely
    > uncoupled from IKE...

No, let's not go there.
I thought we had an ICMP Parameter Problem that was to be returned on unknown
SPI.  While perhaps something that many implementations would turn off, it
would also allow one to distinguish the two.
--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

