Re: revised IPsec processing model
At 16:35 +0900 7/18/03, itojun@iijlab.net wrote:
>>At 13:57 +0900 7/18/03, itojun@iijlab.net wrote:
>>>>Here is the new, proposed processing model for IPsec. Comments
>>>>welcome, of course.
>>>
>>> the text is a bit unclear whether it is talking about transport mode
>>> or tunnel mode.
>>>
>>> "virtual interface" is for tunnel mode only, am i right? if so,
>>> you can now remove tunnel mode from RFC2401 - there are bunch of
>>> tunnel specification available (like RFC2893, RFC1853, RFC2003)
>>> and tunnel mode will be replaced by "transport mode + tunnelling".
>>> i love to see the change.
>>>
>>> if "virtual interface" is used also for transport mode, it will be
>>> incompatible with IPv6 linklocal address (by changing inbound interface
>>> for a packet, i.e. m->m_pkthdr.rcvif in BSD, you change the scope
>>> zone). therefore i object to apply "virtual interface" concept
>>> to transport mode.
>>
>>There is no plan to remove tunnel mode from the spec. The plan was to
>>apply this model for both transport and tunnel modes.
>
> in that case, i would like to express concern w/ IPv6 linklocal address
> (the latter paragraph of mine).
>
>itojun
Could you elaborate a bit more on the nature of the problem? Your
paragraph above was not enough for me, since I don't understand what
IPv6 does in this regard absent IPsec. Also, in which of the IPv6
specs is the behavior you are describing defined?
Thanks,
Steve
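As an added illustration of the scope-zone concern itojun raises above (this is not code from the thread, from KAME, or from any BSD kernel): a deliberately simplified C model in which a packet's link-local source address is interpreted in the zone of the interface that received it, so that rewriting the receiving interface (the `rcvif` field) to an IPsec virtual interface moves the address into a different zone. The structure names, the interface indices (em0 = 2, ipsec0 = 5), and the sample addresses are all constructed for this example and are not taken from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, trimmed-down stand-ins for the BSD structures the thread mentions. */
struct ifnet {
    int         if_index;
    const char *if_xname;
};

struct v6addr {
    uint8_t s6_addr[16];
};

/* Only the two fields that matter here: m_pkthdr.rcvif and the IPv6 source address. */
struct pkt {
    struct ifnet *rcvif;
    struct v6addr src;
};

static int is_linklocal(const struct v6addr *a)
{
    /* fe80::/10 */
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80;
}

/*
 * Scope zone of an address as seen on the interface that received it:
 * a link-local address belongs to the zone of that link, identified here
 * by the interface index; a global address is in the single global zone 0.
 */
static int zone_of(const struct v6addr *a, const struct ifnet *rcvif)
{
    return is_linklocal(a) ? rcvif->if_index : 0;
}

/* Two scoped addresses are the same address only if both the bytes and the zone match. */
static int scoped_equal(const struct v6addr *a, int za, const struct v6addr *b, int zb)
{
    return za == zb && memcmp(a->s6_addr, b->s6_addr, 16) == 0;
}

/* Constructed sample addresses: fe80::<iid> and 2001:db8::<iid>. */
static struct v6addr make_linklocal(uint16_t iid)
{
    struct v6addr a;
    memset(&a, 0, sizeof a);
    a.s6_addr[0] = 0xfe; a.s6_addr[1] = 0x80;
    a.s6_addr[14] = (uint8_t)(iid >> 8); a.s6_addr[15] = (uint8_t)(iid & 0xff);
    return a;
}

static struct v6addr make_global(uint16_t iid)
{
    struct v6addr a;
    memset(&a, 0, sizeof a);
    a.s6_addr[0] = 0x20; a.s6_addr[1] = 0x01; a.s6_addr[2] = 0x0d; a.s6_addr[3] = 0xb8;
    a.s6_addr[14] = (uint8_t)(iid >> 8); a.s6_addr[15] = (uint8_t)(iid & 0xff);
    return a;
}

/* What applying the virtual-interface model to inbound transport mode would do: replace rcvif. */
static void ipsec_virtual_if_inbound(struct pkt *p, struct ifnet *vif)
{
    p->rcvif = vif;
}

/*
 * Returns 1 if rewriting rcvif changes the zone the source address is
 * interpreted in (the incompatibility itojun describes), 0 if it does not.
 */
static int zone_changes_after_rewrite(struct v6addr src)
{
    struct ifnet em0    = { 2, "em0" };     /* physical link the packet arrived on (assumed index) */
    struct ifnet ipsec0 = { 5, "ipsec0" };  /* hypothetical IPsec virtual interface (assumed index) */
    struct pkt p = { &em0, src };

    int before = zone_of(&p.src, p.rcvif);   /* fe80::1%em0  -> zone 2 */
    ipsec_virtual_if_inbound(&p, &ipsec0);
    int after = zone_of(&p.src, p.rcvif);    /* same bytes, now read as fe80::1%ipsec0 -> zone 5 */

    /* A socket connected to fe80::1%em0 compares its peer as (bytes, zone 2); that match now fails. */
    return !scoped_equal(&src, before, &p.src, after);
}

int main(void)
{
    printf("link-local source: zone changes = %d\n", zone_changes_after_rewrite(make_linklocal(1)));
    printf("global source:     zone changes = %d\n", zone_changes_after_rewrite(make_global(1)));
    return 0;
}
```

The global address is unaffected because it lives in the single global zone regardless of which interface received it; only link-local (and other non-global-scope) addresses carry a zone that is derived from the receiving interface. That is why the objection is specific to transport mode: a transport-mode packet is still a packet that arrived on the physical link, and its link-local addresses must keep the zone of that link, whereas a decapsulated tunnel-mode inner packet genuinely arrives over the tunnel and can reasonably be attributed to the virtual interface.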