Re: Remove tunnel mode from ipsec-tunnels-02?

[Pekka Savola <pekkas@netcore.fi>]

Folks,

Unless we hear more comments on this, we propose to go forward with 
the initial suggestion of removing tunnel mode from the main 
specification.

If you have comments, please respond within a week.

For the authors,

On Wed, 12 Jul 2006, Pekka Savola wrote:
> As proposed at the v6ops meeting [0], the authors of 
> draft-ietf-v6ops-ipsec-tunnels-02 propose to remove support for tunnel mode 
> in this particular context (securing v6-in-v4 configured tunnels).
>
> This is due to issues spotted by Francis [1] and Pasi [2].  Generic "::/0 -> 
> ::/0" selectors could not be made to work without interface-specific SPDs, 
> and those cannot be signalled in IKE (that's run on top of IPv4) when the 
> tunnel would be IPv6 in a standardized way.  Generic selectors are required 
> for link-local traffic (e.g., ND) to work on the tunnel.
>
> If we go through with this proposed resolution, 
> draft-ietf-v6ops-ipsec-tunnels would only describe transport mode.
>
> Comments are welcome.
>
> [0] http://www3.ietf.org/proceedings/06jul/slides/v6ops-4.pdf
> [1] http://ops.ietf.org/lists/v6ops/v6ops.2006/msg00159.html
> [2] http://ops.ietf.org/lists/v6ops/v6ops.2006/msg00230.html
>
> For the authors of draft-ietf-v6ops-ipsec-tunnels-02,

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings