[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPSec on tunneling mechanisms
> In your previous mail you wrote:
>
> One related question.. Can we use a single pair of SA for IPv4
> tunneled in IPv4 and IPv4 tunneled in IPv6 traffic between the two
> hosts i.e the traffic selector needs to specify a mix of IPv4 and IPv6
> selectors ?
>
> => perhaps you mean IPv4 tunneled in IPv4 and IPv6 tunneled in IPv4?
Yes.
> In your description the multiple version addresses are external
> IKE doesn't know to do this kind of things...
>
Correct. Assume that the external addresses that IKE runs on are IPv4 and i just want a
mix of traffic selectors.
> Though IKev2 supports multiple traffic selectors in a single
> negotiation, it does not allow the mix. In section 2.9,
>
> => I don't read the section 2.9 this way.
>
> Two TS payloads appear in each of the messages in the exchange that
> creates a CHILD_SA pair. Each TS payload contains one or more Traffic
> Selectors. Each Traffic Selector consists of an address range (IPv4
> or IPv6), a port range, and an IP protocol ID.
>
> => so where is the constraint?
>
It says IPv4 or IPv6 above.
> Is that right ?
>
> => I believe it isn't. But note that an implementation can support only
> one TS...
>
Sure. But i don't think the spec is clear on this issue.
-mohan
> Francis.Dupont@enst-bretagne.fr