[Swan-dev] break down of 5.0's potential blockers
Bill Atwood
williamatwood41 at gmail.com
Tue Dec 19 16:31:36 EET 2023
Paul, Brady,
On 12/18/2023 9:42 PM, Paul Wouters wrote:
> * 4a936b2aad - The XFRM address scope must be global (12 hours ago)
> <Brady Johnson>
While this constraint must be true for the current XFRM (it does not
understand that Link-Local addresses must have an interface associated
with them), the enforcement of the constraint should be removed when
XFRM is updated and this problem is fixed. IPsec tunnels with LL
endpoints are *required* by the ANIMA RFCs (specifically RFC 8994,
Section 6.8.3.1). Perhaps what is needed here is a configuration option.
Bill Atwood
RFC8994 says:
6.8.3.1. Native IPsec
An ACP node that is supporting native IPsec MUST use IPsec in tunnel
mode, negotiated via IKEv2, and with IPv6 payload (e.g., ESP Next
Header of 41). It MUST use local and peer link-local IPv6 addresses
for encapsulation. Manual keying MUST NOT be used, see Section 6.2.
Traffic Selectors are:
TSi = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
TSr = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
IPsec tunnel mode is required because the ACP will route and/or
forward packets received from any other ACP node across the ACP
secure channels, and not only its own generated ACP packets. With
IPsec transport mode (and no additional encapsulation header in the
ESP payload), it would only be possible to send packets originated by
the ACP node itself because the IPv6 addresses of the ESP must be the
same as that of the outer IPv6 header.
----
More information about the Swan-dev
mailing list