Hi:

Does strongSwan/Linux IPSEC have any specific provisions for dealing with ICMPv6 neighbor discovery?

For example, to deal with the IKE chicken-and-the-egg problem described by "Limitations of IPsec Policy Mechanisms", by Arkko and Nikander, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.108.70&rep=rep1&type=pdf:

"Let us assume that Alice wants to communicate with Bob over the local link. Since all she initially has is Bob's IP address, she must first find Bob's link layer address. To do so, she must run the Neighbor Discovery protocol. Now, if all traffic between Alice and Bob is expected to be secured, this would imply that even the messages used for finding Bob's link-layer address would have to be secured. In order to secure these messages, a security association between Alice and Bob needs to be established. To do so, some UDP packets would have to be exchanged first, in order to run IKE or the non-existing multicast key management protocol. However, in order to send such UDP packets, the link-layer address of Bob would have to be known to Alice, and vice versa."

Thanks,
Stephen
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
