
Re: IPSec on tunneling mechanisms





> > Can IPSec secure traffic on IPv6 being tunnelled over the IPv4
> > networks, e.g. using 6to4 etc?
> 
> Yes.  2401[bis] uses examples of IPv4 tunneled in IPv4 and IPv6
> tunneled in IPv6 for ease of description, but the other two cases,
> IPv4 in IPv6 and IPv6 in IPv4 are also valid.  IPsec can be used
> in all four scenarios, and IKEv2 can setup the appropriate SAs.
> 
One related question: can we use a single pair of SAs for IPv4 tunneled in IPv4
and IPv4 tunneled in IPv6 traffic between the two hosts, i.e. the traffic selector needs
to specify a mix of IPv4 and IPv6 selectors? RFC 3554 is not very clear about
this, though it supports the ID_LIST concept. Though IKEv2 supports multiple traffic
selectors in a single negotiation, it does not allow the mix. In section 2.9,

   Two TS payloads appear in each of the messages in the exchange that
   creates a CHILD_SA pair. Each TS payload contains one or more Traffic
   Selectors. Each Traffic Selector consists of an address range (IPv4
   or IPv6), a port range, and an IP protocol ID. 

Is that right?

thanks
mohan

> Charlie