Re: RFC 2401 section 5.2.1
In your previous mail you wrote:
On Wed, 22 Nov 2000 itojun@iijlab.net wrote:
> most routing protocols need to somehow protect IPv6 source address,
> as they will use (peers') IPv6 source address as the nexthop router
> information...
Many of the death-to-AH enthusiasts also favor killing transport mode
=> I know... but IMHO the tunnel mode is not very primitive, i.e. this is
tunnel plus transport plus clarifications about inner/outer addresses.
and doing everything with tunnel mode, in which case the inner headers --
the ones that would be visible to applications -- are fully protected.
(Notably, they can be encrypted as well as authenticated, if desired.)
=> VPN is not the only usage of IPsec and transport mode is better for
end-to-end security.
About the tunnel mode, for IPv6 there is an important implementation choice:
to use a policy or to use an interface (with link-local addresses,
neighbor discovery, ...).
Regards
Francis.Dupont@enst-bretagne.fr
PS: there were many votes about AH in the past; AH is still alive
(we voted to keep it) and needed by many IPv6 protocols (cf Itojun's mail).