
Re: SPD issues



> From: Tero Kivinen <kivinen@ssh.fi>

> This actually brings one question I had earlier up. In IPv6, which
> address is used when matching against the SPD in case there are routing
> headers in the packet? Final destination, next hop destination, etc.? I
> think the current RFC does not say anything about those, and some
> implementations might check only the routing header final destination
> address and some might use the next hop destination.

For me, it is the next hop destination. Note, however, that if the SG is
also a router, there will be two cases for an incoming packet with a
routing header:

a) ip dst = router's own address => process routing header; IPsec will
apply to the next hop (which may be the router itself again).

b) ip dst != router's own address; routing header is NOT processed,
next hop is searched based on the ip dst address. Again, IPsec applies
to the next hop.

This is as it should be. Do not mess with it!
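As an added illustration (not code from the post or any IPsec implementation), the two cases above as a small Python model: the SG compares the packet's IPv6 destination with its own addresses, processes a type 0 routing header only in case a), and returns the address the SPD lookup should use. The `spd_destination` function and the sample addresses are assumptions for this example.

```python
# Added example: which destination address an SG/router uses for the SPD
# lookup when an IPv6 packet carries a routing header (cases a and b above).
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import List, Optional


@dataclass
class RoutingHeader:
    """Type 0 routing header: remaining segments and the address list."""
    segments_left: int
    addresses: List[IPv6Address]


@dataclass
class IPv6Packet:
    dst: IPv6Address
    routing: Optional[RoutingHeader] = None


def spd_destination(pkt: IPv6Packet, own_addrs: set) -> IPv6Address:
    """Return the destination address to match against the SPD.

    a) dst is one of the router's own addresses: the routing header is
       processed, so IPsec applies to the next listed address (or to dst
       itself when no segments are left, i.e. we are the final hop).
    b) dst is not ours: the routing header is not processed and the next
       hop is chosen from dst, so dst is the SPD selector.
    """
    rh = pkt.routing
    if pkt.dst in own_addrs and rh is not None and rh.segments_left > 0:
        n = len(rh.addresses)
        if rh.segments_left > n:
            # RFC 2460 treats this as a malformed header (ICMP error, drop)
            raise ValueError("routing header: segments_left exceeds address count")
        # RFC 2460 type 0 processing: next address is address[n - segments_left]
        return rh.addresses[n - rh.segments_left]
    return pkt.dst


def example_decisions() -> dict:
    """Constructed sample packets covering both cases; returns selector strings."""
    own = {IPv6Address("2001:db8::1")}                          # the SG's address
    rh = RoutingHeader(2, [IPv6Address("2001:db8::2"), IPv6Address("2001:db8::3")])
    return {
        "a_own_dst": str(spd_destination(IPv6Packet(IPv6Address("2001:db8::1"), rh), own)),
        "a_final_hop": str(spd_destination(IPv6Packet(IPv6Address("2001:db8::1"),
                                                      RoutingHeader(0, rh.addresses)), own)),
        "b_foreign_dst": str(spd_destination(IPv6Packet(IPv6Address("2001:db8::9"), rh), own)),
    }
```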