
Re: RFC 2401 section 5.2.1



 In your previous mail you wrote:

   On Wed, 22 Nov 2000 itojun@iijlab.net wrote:
   > 	most routing protocols need to somehow protect the IPv6 source address,
   > 	as they will use (peers') IPv6 source address as the nexthop router
   > 	information...
   
   Many of the death-to-AH enthusiasts also favor killing transport mode

=> I know... but IMHO the tunnel mode is not very primitive, i.e. this is
tunnel plus transport plus clarifications about inner/outer addresses.

   and doing everything with tunnel mode, in which case the inner headers --
   the ones that would be visible to applications -- are fully protected. 
   (Notably, they can be encrypted as well as authenticated, if desired.)

=> VPN is not the only usage of IPsec and transport mode is better for
end-to-end security.

About the tunnel mode, for IPv6 there is an important implementation choice:
to use a policy or to use an interface (with link-local addresses,
neighbor discovery, ...).
   
Regards

Francis.Dupont@enst-bretagne.fr

PS: there were many votes about AH in the past; AH is still alive
(we voted to keep it) and needed by many IPv6 protocols (cf Itojun's mail).

