
Re: revised IPsec processing model



At 16:35 +0900 7/18/03, itojun@iijlab.net wrote:
>>At 13:57 +0900 7/18/03, itojun@iijlab.net wrote:
>>>>Here is the new, proposed processing model for IPsec.  Comments
>>>>welcome, of course.
>>>
>>>	the text is a bit unclear whether it is talking about transport mode
>>>	or tunnel mode.
>>>
>>>	"virtual interface" is for tunnel mode only, am i right?  if so,
>>>	you can now remove tunnel mode from RFC2401 - there are a bunch of
>>>	tunnel specifications available (like RFC2893, RFC1853, RFC2003)
>>>	and tunnel mode will be replaced by "transport mode + tunnelling".
>>>	i love to see the change.
>>>
>>>	if "virtual interface" is used also for transport mode, it will be
>>>	incompatible with IPv6 linklocal addresses (by changing the inbound interface
>>>	for a packet, i.e.  m->m_pkthdr.rcvif in BSD, you change the scope
>>>	zone).  therefore i object to applying the "virtual interface" concept
>>>	to transport mode.
>>
>>There is no plan to remove tunnel mode from the spec. The plan was to
>>apply this model for both transport and tunnel modes.
>
>	in that case, i would like to express concern w/ IPv6 linklocal addresses
>	(the latter paragraph of mine).
>
>itojun

Could you elaborate a bit more on the nature of the problem? Your
paragraph above was not enough for me, since I don't understand what
IPv6 does in this regard absent IPsec.  Also, in which of the IPv6
specs is the behavior you are describing defined?

Thanks,

Steve