Re: IPv6 Neighbour Solicitation messages and IPsec
In your previous mail you wrote:
> I'm wondering if there are any documents that specify rules regarding the
> use of IPsec in the context of IPv6 Neighbor Solicitations and possibly
> other ICMPv6 messages.
=> there was a nice presentation by Dan McDonald at a previous IETF about
this (Adelaide, 47th, "Link shared secrets for ND") but no draft...
> I've run into an interesting chicken-and-egg problem in this area as I'm
> developing an IPv6 IPsec implementation.
=> yes, ND should bypass the IPsec policy in some cases, for instance
if the policy applies to any protocol, including ICMPv6.
> Also, the SPD requirements outlined in this
> RFC do not seem to be general enough to distinguish e.g. Neighbour
> Solicitations from Echo Requests, making it hard to define the policies
> in a suitable way.
=> there is a discussion about the PF_KEY API in order to solve this issue
(is this API good for SPD setup is another point).
> Can some folks who have done this before let me know how this should work,
> point to some existing documentation, or perhaps correct my understanding
> of the ICMPv6 operations.
=> open issue, nearly no work about it!
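To make the two points in the exchange concrete (an SPD whose selectors stop at the protocol number cannot tell a Neighbor Solicitation from an Echo Request, and a "protect everything" policy deadlocks address resolution), here is an added, self-contained SPD lookup model. It is example code written for this page, not code from any of the implementations or drafts mentioned; the `SPDEntry`/`Packet` types, the two sample policies and the sample packets are constructed assumptions, and the ICMPv6 checksums are left as zero placeholders.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

IPPROTO_ICMPV6 = 58
# ICMPv6 types used by Neighbor Discovery: RS, RA, NS, NA, Redirect
ND_TYPES = frozenset({133, 134, 135, 136, 137})
ICMP6_ECHO_REQUEST = 128
ICMP6_NEIGHBOR_SOLICIT = 135


@dataclass(frozen=True)
class Packet:
    """Outbound IPv6 packet reduced to the fields an SPD selector looks at."""
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    next_header: int
    payload: bytes  # upper-layer header plus data


def icmpv6_type(pkt: Packet) -> Optional[int]:
    """Return the ICMPv6 type byte, or None if the packet is not ICMPv6."""
    if pkt.next_header != IPPROTO_ICMPV6 or len(pkt.payload) < 4:
        return None
    return pkt.payload[0]


@dataclass(frozen=True)
class SPDEntry:
    """One ordered SPD entry (constructed model).

    proto=None means "any protocol"; icmp_types=None means the entry never
    looks inside ICMPv6, i.e. the address/protocol-only selector set.
    """
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    proto: Optional[int]
    icmp_types: Optional[FrozenSet[int]]
    action: str  # "bypass", "protect" or "discard"

    def matches(self, pkt: Packet) -> bool:
        if pkt.src not in self.src or pkt.dst not in self.dst:
            return False
        if self.proto is not None and pkt.next_header != self.proto:
            return False
        if self.icmp_types is not None:
            t = icmpv6_type(pkt)
            if t is None or t not in self.icmp_types:
                return False
        return True


def spd_lookup(spd: List[SPDEntry], pkt: Packet) -> str:
    """First-match lookup; a packet matching no entry is discarded."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    return "discard"


ANY = ipaddress.IPv6Network("::/0")

# Policy A: the policy applies to any protocol, ICMPv6 included, so ND
# traffic is required to be protected like everything else.
PROTOCOL_ONLY_SPD = [SPDEntry(ANY, ANY, None, None, "protect")]

# Policy B: a type-aware bypass entry for ND ahead of the catch-all, so the
# first Neighbor Solicitation can leave before any SA exists.
TYPE_AWARE_SPD = [
    SPDEntry(ANY, ANY, IPPROTO_ICMPV6, ND_TYPES, "bypass"),
    SPDEntry(ANY, ANY, None, None, "protect"),
]

# Constructed sample packets: link-local source, link-local target.
_SRC = ipaddress.IPv6Address("fe80::1")
_TARGET = ipaddress.IPv6Address("fe80::2")
# NS is sent to the target's solicited-node multicast group ff02::1:ffXX:XXXX
_SOLICITED_NODE = ipaddress.IPv6Address(
    b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + _TARGET.packed[-3:]
)
# NS header: type, code, checksum (placeholder 0), reserved, target address
NS_PKT = Packet(_SRC, _SOLICITED_NODE, IPPROTO_ICMPV6,
                struct.pack("!BBHI16s", ICMP6_NEIGHBOR_SOLICIT, 0, 0, 0,
                            _TARGET.packed))
# Echo Request header: type, code, checksum (placeholder 0), id, sequence
ECHO_PKT = Packet(_SRC, _TARGET, IPPROTO_ICMPV6,
                  struct.pack("!BBHHH", ICMP6_ECHO_REQUEST, 0, 0, 0x1234, 1))


def can_resolve_neighbor(spd: List[SPDEntry]) -> bool:
    """The chicken-and-egg check: may the first NS toward an unresolved
    neighbour leave the host without an SA already in place?"""
    return spd_lookup(spd, NS_PKT) == "bypass"


if __name__ == "__main__":
    for name, spd in (("protocol-only", PROTOCOL_ONLY_SPD),
                      ("type-aware", TYPE_AWARE_SPD)):
        print(name, "NS:", spd_lookup(spd, NS_PKT),
              "Echo:", spd_lookup(spd, ECHO_PKT),
              "ND can run first:", can_resolve_neighbor(spd))
```

Under policy A the NS and the Echo Request get the same verdict because the selector never reaches the ICMPv6 type byte, and address resolution can never start. Policy B separates them by type, which is the missing selector the thread is discussing; note that the bypass only removes the deadlock and leaves ND itself unauthenticated on the link, the gap that the "link shared secrets for ND" presentation mentioned above was aimed at.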