Re: IPSec on tunneling mechanisms
> > Can IPSec secure traffic on IPv6 being tunnelled over the IPv4
> > networks, e.g. using 6to4 etc?
>
> Yes. 2401[bis] uses examples of IPv4 tunneled in IPv4 and IPv6
> tunneled in IPv6 for ease of description, but the other two cases,
> IPv4 in IPv6 and IPv6 in IPv4 are also valid. IPsec can be used
> in all four scenarios, and IKEv2 can setup the appropriate SAs.
>
One related question: can we use a single pair of SAs for IPv4 tunneled in IPv4
and IPv4 tunneled in IPv6 traffic between the two hosts, i.e., the traffic selector needs
to specify a mix of IPv4 and IPv6 selectors? RFC 3554 is not very clear about
this, though it supports the ID_LIST concept. Though IKEv2 supports multiple traffic
selectors in a single negotiation, it does not allow the mix. In section 2.9:

    Two TS payloads appear in each of the messages in the exchange that
    creates a CHILD_SA pair. Each TS payload contains one or more Traffic
    Selectors. Each Traffic Selector consists of an address range (IPv4
    or IPv6), a port range, and an IP protocol ID.

Is that right?

thanks
mohan
> Charlie
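
The section 2.9 text quoted in the message above describes each Traffic Selector as an address range, a port range and an IP protocol ID. The following is an added example, not part of the original thread: a strict parser for a TS payload body that reports the address family of every selector it carries. The wire layout and the TS Type values 7 and 8 are taken from RFC 7296 section 3.13, which is an assumption relative to the drafts discussed here; the function names and the sample bytes are constructed.

```python
import ipaddress
import struct

# TS Type values and layout per RFC 7296, section 3.13.1 (assumed, not from the thread)
TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE = 7, 8
ADDR_LEN = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}

def build_selector(ts_type, proto, start_port, end_port, start, end):
    """Encode one Traffic Selector; helper used only for the constructed sample."""
    a, b = ipaddress.ip_address(start).packed, ipaddress.ip_address(end).packed
    return struct.pack("!BBHHH", ts_type, proto, 8 + len(a) + len(b),
                       start_port, end_port) + a + b

def parse_ts_payload(body):
    """Parse a TS payload body (the bytes after the generic payload header)."""
    if len(body) < 4:
        raise ValueError("TS payload shorter than its 4-byte header")
    count, off, out = body[0], 4, []   # 1 byte selector count + 3 reserved bytes
    for _ in range(count):
        if len(body) - off < 8:
            raise ValueError("truncated traffic selector header")
        ts_type, proto, sel_len, sport, eport = struct.unpack_from("!BBHHH", body, off)
        alen = ADDR_LEN.get(ts_type)
        if alen is None:
            raise ValueError(f"unsupported TS type {ts_type}")
        # The declared length must equal header + two addresses of this family
        if sel_len != 8 + 2 * alen or off + sel_len > len(body):
            raise ValueError("selector length does not match its TS type")
        start = ipaddress.ip_address(body[off + 8:off + 8 + alen])
        end = ipaddress.ip_address(body[off + 8 + alen:off + sel_len])
        if start > end:
            raise ValueError("starting address is above ending address")
        out.append({"family": start.version, "protocol": proto,
                    "ports": (sport, eport), "range": (str(start), str(end))})
        off += sel_len
    if off != len(body):
        raise ValueError("trailing bytes after the last traffic selector")
    return out

def address_families(selectors):
    """Return the set of IP versions (4 and/or 6) used by the parsed selectors."""
    return {s["family"] for s in selectors}

# Constructed sample: one IPv4 and one IPv6 selector in a single payload body
SAMPLE = (bytes([2, 0, 0, 0])
          + build_selector(TS_IPV4_ADDR_RANGE, 0, 0, 65535, "192.0.2.0", "192.0.2.255")
          + build_selector(TS_IPV6_ADDR_RANGE, 6, 443, 443, "2001:db8::", "2001:db8::ffff"))

if __name__ == "__main__":
    for sel in parse_ts_payload(SAMPLE):
        print(sel)
```

The parser only decodes what is on the wire; whether a given peer accepts selectors of both families in one payload is a matter for that implementation's policy.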