
Hop Limit in Inner Header (IPv6)



In draft-ietf-ipsec-arch-sec-04, 5.1.2.2 IPv6 -- Header Construction for Tunnel
Mode, the inner header Hop Limit is decremented.  This will cause problems for
securing IPv6 NDP traffic.  The hop limit is set to 255 in NDP packets and
checked in the receiving node to make sure it came from the same link.  If this
NDP exchange is secured using tunnel mode and the hop limit is decremented
before the packet is encapsulated, the receiving node will reject the NDP
packet and neighbor discovery will fail, even if the two nodes are on the same
link.  Should the Hop Limit not be decremented for locally generated traffic?
If not, I don't see how NDP traffic can be secured using tunnel mode - maybe
I've missed something in the drafts that said this.  If this question has
already been answered, I'd appreciate a pointer to the discussion (I didn't see
it in the archives).

Karen Heron
Router Development
IBM, RTP, NC
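A small Python model of the interaction described above, added here as an example and not part of the original message. The header fields, link-local addresses and the `decrement_inner` switch are constructed for illustration; it shows why the NDP receiver check fails when tunnel-mode encapsulation decrements the inner Hop Limit, and passes when it does not.

```python
# Added example (not from the original message): models IPsec tunnel-mode
# encapsulation that decrements the inner header's Hop Limit against the NDP
# receiver check requiring Hop Limit 255. Headers are a constructed model.
from dataclasses import dataclass, replace

NDP_HOP_LIMIT = 255  # Neighbor Discovery sends with Hop Limit 255 (RFC 2461)

@dataclass(frozen=True)
class IPv6Header:
    src: str
    dst: str
    hop_limit: int
    next_header: str  # "icmpv6" for NDP, "esp" for the tunnel outer header

@dataclass(frozen=True)
class TunnelPacket:
    outer: IPv6Header
    inner: IPv6Header

def tunnel_encapsulate(inner: IPv6Header, tunnel_src: str, tunnel_dst: str,
                       decrement_inner: bool) -> TunnelPacket:
    """Tunnel-mode header construction. decrement_inner=True decrements the
    inner Hop Limit as in the cited draft text; False leaves it untouched
    (the behaviour the post asks about for locally generated traffic)."""
    if decrement_inner:
        inner = replace(inner, hop_limit=inner.hop_limit - 1)
    outer = IPv6Header(src=tunnel_src, dst=tunnel_dst, hop_limit=64, next_header="esp")
    return TunnelPacket(outer=outer, inner=inner)

def tunnel_decapsulate(pkt: TunnelPacket) -> IPv6Header:
    """Receiver strips the outer header; the inner header is delivered as-is."""
    return pkt.inner

def ndp_accept(hdr: IPv6Header) -> bool:
    """Receiver-side NDP validation: Hop Limit must still be 255, which is how
    a node rejects NDP messages that crossed a router (off-link senders)."""
    return hdr.next_header == "icmpv6" and hdr.hop_limit == NDP_HOP_LIMIT

def secured_ndp_outcome(decrement_inner: bool) -> bool:
    """On-link node A sends an NDP message to node B through a tunnel-mode SA;
    returns whether B's NDP check accepts the decapsulated packet."""
    ndp = IPv6Header(src="fe80::a", dst="fe80::b", hop_limit=NDP_HOP_LIMIT, next_header="icmpv6")
    pkt = tunnel_encapsulate(ndp, "fe80::a", "fe80::b", decrement_inner)
    return ndp_accept(tunnel_decapsulate(pkt))

if __name__ == "__main__":
    print("inner Hop Limit decremented:", secured_ndp_outcome(True))   # False
    print("inner Hop Limit left at 255:", secured_ndp_outcome(False))  # True
```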

