
Re: IPSec on tunneling mechanisms



 

> In your previous mail you wrote:
> 
>    One related question.. Can we use a single pair of SAs for IPv4
>   tunneled in IPv4 and IPv4 tunneled in IPv6 traffic between the two
>   hosts, i.e. the traffic selector needs to specify a mix of IPv4 and IPv6
>   selectors?
> 
> => perhaps you mean IPv4 tunneled in IPv4 and IPv6 tunneled in IPv4?

Yes. 

> In your description the multiple version addresses are external
> IKE doesn't know to do this kind of things...
> 
Correct. Assume that the external addresses that IKE runs on are IPv4 and I just want a
mix of traffic selectors.

>    Though IKEv2 supports multiple traffic selectors in a single
>   negotiation, it does not allow the mix. In section 2.9,
>    
> => I don't read the section 2.9 this way.
> 
>       Two TS payloads appear in each of the messages in the exchange that
>       creates a CHILD_SA pair. Each TS payload contains one or more Traffic
>       Selectors. Each Traffic Selector consists of an address range (IPv4
>       or IPv6), a port range, and an IP protocol ID. 
>    
> => so where is the constraint?
> 
It says IPv4 or IPv6 above.

>      Is that right ?
>    
> => I believe it isn't. But note that an implementation can support only
> one TS...
> 
Sure. But I don't think the spec is clear on this issue.

-mohan

> Francis.Dupont@enst-bretagne.fr