Hi Paul and Michael, thanks for your explanations.

Michael Richardson <mcr+i...@sandelman.ca> wrote:
    > Paul Wouters <p...@nohats.ca> wrote:
    > > > If you want to do the traceroute to determine how far ESP
    > > > actually gets, you need to make sure every node supports
    > > > the ESPping.
    > >
    > > I think people meant to extend traceroute to use an ESP packet
    > > instead of an ICMP or UDP packet. The machines in the middle
    > > do not need any special support because any packet that hits
    > > TTL=0 should solicit an ICMP response.
    > 
    > That's right, and yeah, we can do that immediately.
    > Perhaps obviously: The responding server needs to implement this
    > protocol in order to get a reply though.

It seems to me that extending traceroute by using an ESP packet can be done 
right now and has no requirement on the ESP packet format. Any ESP packet can 
work with this mechanism, and there is no need for designated SPIs.
The receiver will send back an ICMP response when it receives the ESP packet 
with TTL=0, no matter what this ESP packet actually looks like. The receiver 
can be the on-path firewalls or routers, and the final IPsec peer.
So, the IPsec sender can determine that the ESP packet can pass through to the 
IPsec peer by using this extended traceroute mechanism and successfully 
receiving the ICMP response from the final IPsec peer.

For the purpose of testing whether ESP packets traverse the network 
prior to IKE negotiation, is this extended ESP traceroute mechanism enough? 
Is it still necessary to define the ESP-ping mechanism?

Regards & Thanks!
Wei PAN (潘伟)

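The following is an added illustration of the ESP traceroute mechanism discussed in this message; it is example code written for this page, not code from the thread, from any ESP-ping draft, or from any IPsec implementation. It builds ESP probes (the RFC 4303 header: SPI plus sequence number) with increasing TTL and matches each ICMP Time Exceeded reply to its probe through the RFC 792 quotation, whose first 8 bytes of the original datagram are exactly the ESP SPI and sequence number, so no special SPI value is needed. The network is a constructed in-memory path using documentation addresses (no raw sockets or root required): routers answer TTL expiry, an optional hop drops ESP silently like a blocking firewall, and the IPsec peer follows RFC 4303 section 3.4.2 and discards ESP for an SPI it has no SA for without sending anything back. All addresses, the SPI value and the topology are assumptions for the example.

```python
import socket  # only for inet_aton / inet_ntoa
import struct

IPPROTO_ICMP = 1
IPPROTO_ESP = 50
ICMP_TIME_EXCEEDED = 11  # RFC 792; code 0 = TTL exceeded in transit


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"ttl": pkt[8], "proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]), "payload": pkt[ihl:]}


def build_esp_probe(spi: int, seq: int, body: bytes = b"\x00" * 8) -> bytes:
    """RFC 4303 ESP: SPI (4 bytes) + sequence number (4 bytes), then the
    (here dummy, opaque) payload. Any SPI value works for tracing."""
    return struct.pack("!II", spi, seq) + body


def build_time_exceeded(router: str, original: bytes) -> bytes:
    """ICMP Time Exceeded quoting the original IP header plus the first 8 bytes
    of its payload (RFC 792); for ESP those 8 bytes are SPI + sequence number."""
    ihl = (original[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + original[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return build_ipv4(router, parse_ipv4(original)["src"], 64, IPPROTO_ICMP, icmp)


def match_probe(reply: bytes, dst: str):
    """Return (router, spi, seq) if reply is a Time Exceeded for an ESP probe
    addressed to dst, else None. The SPI/seq pair identifies the probe the way
    the UDP port does in classic traceroute."""
    outer = parse_ipv4(reply)
    if outer["proto"] != IPPROTO_ICMP:
        return None
    icmp = outer["payload"]
    if icmp[0] != ICMP_TIME_EXCEEDED or icmp[1] != 0:
        return None
    inner = parse_ipv4(icmp[8:])
    if inner["proto"] != IPPROTO_ESP or inner["dst"] != dst or len(inner["payload"]) < 8:
        return None
    spi, seq = struct.unpack("!II", inner["payload"][:8])
    return outer["src"], spi, seq


class SimulatedPath:
    """Constructed topology for the example (assumption, not a real network).
    Routers decrement TTL and answer Time Exceeded when it reaches 0; the hop
    named in esp_blocked_at then drops ESP silently (firewall); the IPsec peer
    never answers ESP: a known SPI goes to SA processing, an unknown SPI is
    discarded as an auditable event (RFC 4303 section 3.4.2), with no ICMP."""

    def __init__(self, routers, peer: str, esp_blocked_at: str = None):
        self.routers, self.peer, self.esp_blocked_at = list(routers), peer, esp_blocked_at

    def send(self, pkt: bytes):
        ip, ttl = parse_ipv4(pkt), parse_ipv4(pkt)["ttl"]
        for router in self.routers:
            ttl -= 1
            if ttl == 0:
                return build_time_exceeded(router, pkt)
            if router == self.esp_blocked_at and ip["proto"] == IPPROTO_ESP:
                return None  # ESP filtered after the TTL check, as a forwarding ACL would
        return None  # delivered to self.peer; ESP yields no reply either way


def esp_traceroute(send, src: str, dst: str, spi: int, max_hops: int = 8) -> list:
    """Send one ESP probe per TTL 1..max_hops; list the responding router per hop
    (None when nothing matching our SPI+seq came back)."""
    hops, seq = [], 0
    for ttl in range(1, max_hops + 1):
        seq += 1
        reply = send(build_ipv4(src, dst, ttl, IPPROTO_ESP, build_esp_probe(spi, seq)))
        info = match_probe(reply, dst) if reply else None
        hops.append(info[0] if info and info[1:] == (spi, seq) else None)
    return hops


if __name__ == "__main__":
    path = SimulatedPath(["10.0.0.1", "10.0.1.1", "203.0.113.9"], "198.51.100.7")
    print(esp_traceroute(path.send, "192.0.2.10", "198.51.100.7", 0x1000, max_hops=5))
```

Read the result as a practitioner would: the trace reports every router up to the last one that answered, a firewall that filters ESP shows up as silence from the hop after it, and the IPsec peer itself never appears in the list, because standard ESP processing produces no reply to a probe. That is the gap the quoted remark about the responding server having to implement the protocol refers to.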
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
