[Swan-dev] breakdown of 5.0's potential blockers

Bill Atwood williamatwood41 at gmail.com
Tue Dec 19 16:31:36 EET 2023


Paul, Brady,

On 12/18/2023 9:42 PM, Paul Wouters wrote:
> * 4a936b2aad - The XFRM address scope must be global (12 hours ago) <Brady Johnson>

While this constraint must be true for the current XFRM (it does not 
understand that Link-Local addresses must have an interface associated 
with them), the enforcement of the constraint should be removed when 
XFRM is updated and this problem is fixed.  IPsec tunnels with LL 
endpoints are *required* by the ANIMA RFCs (specifically RFC 8994, 
Section 6.8.3.1).  Perhaps what is needed here is a configuration option.

    Bill Atwood

RFC8994 says:

6.8.3.1.  Native IPsec

    An ACP node that is supporting native IPsec MUST use IPsec in tunnel
    mode, negotiated via IKEv2, and with IPv6 payload (e.g., ESP Next
    Header of 41).  It MUST use local and peer link-local IPv6 addresses
    for encapsulation.  Manual keying MUST NOT be used, see Section 6.2.
    Traffic Selectors are:

    TSi = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
    TSr = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)

    IPsec tunnel mode is required because the ACP will route and/or
    forward packets received from any other ACP node across the ACP
    secure channels, and not only its own generated ACP packets.  With
    IPsec transport mode (and no additional encapsulation header in the
    ESP payload), it would only be possible to send packets originated by
    the ACP node itself because the IPv6 addresses of the ESP must be the
    same as that of the outer IPv6 header.

----
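As an added example (not code from the libreswan commit or from anyone in this thread), a small Python linter for the RFC 8994 Section 6.8.3.1 requirements quoted above: IKEv2, tunnel mode, link-local IPv6 endpoints that carry an interface scope, and full-range IPv6 traffic selectors. The proposal dictionary, its field names and the sample values are constructed for this example.

```python
import ipaddress

# RFC 8994 6.8.3.1: TSi and TSr each cover any protocol (0), all ports and
# the whole IPv6 address space, given here as (proto, (lo, hi), (start, end)).
TS_ANY_V6 = (0, (0, 65535), ("::", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))

def check_endpoint(addr: str) -> list[str]:
    """Problems with one encapsulation address. The RFC requires link-local
    IPv6 endpoints, and a link-local address is only usable with an interface
    (scope) attached, e.g. 'fe80::1%eth0': the detail behind the XFRM
    address-scope constraint discussed in the thread."""
    try:
        ip = ipaddress.IPv6Address(addr)  # parses a %scope suffix (Python 3.9+)
    except ipaddress.AddressValueError:
        return [f"{addr!r} is not an IPv6 address"]
    if not ip.is_link_local:
        return [f"{addr!r} is not link-local (fe80::/10)"]
    if ip.scope_id is None:
        return [f"{addr!r} is link-local but has no interface scope"]
    return []

def ts_ok(ts) -> bool:
    """True if a selector equals the RFC's, comparing addresses numerically."""
    proto, ports, (start, end) = ts
    return (proto == 0 and tuple(ports) == (0, 65535)
            and ipaddress.IPv6Address(start) == ipaddress.IPv6Address("::")
            and ipaddress.IPv6Address(end) == ipaddress.IPv6Address(TS_ANY_V6[2][1]))

def check_proposal(p: dict) -> list[str]:
    """Collect every way a secure-channel proposal misses the RFC's MUSTs."""
    problems = []
    if p.get("ike_version") != 2:
        problems.append("IKEv2 is required")
    if p.get("mode") != "tunnel":
        problems.append("tunnel mode is required")
    for side in ("local", "peer"):
        problems += check_endpoint(p.get(side, ""))
    for name in ("TSi", "TSr"):
        if not ts_ok(p[name]):
            problems.append(f"{name} must be any protocol, all ports, ::/0")
    return problems

# Constructed sample proposals; the field names are this example's own.
COMPLIANT = {"ike_version": 2, "mode": "tunnel", "local": "fe80::1%eth0",
             "peer": "fe80::2%eth0", "TSi": TS_ANY_V6, "TSr": TS_ANY_V6}
BROKEN = {"ike_version": 2, "mode": "transport", "local": "2001:db8::1",
          "peer": "fe80::2", "TSi": (41, (0, 65535), ("::", "ffff::")),
          "TSr": TS_ANY_V6}
```

`check_proposal(COMPLIANT)` returns an empty list, while `BROKEN` is flagged for transport mode, a global local address, a scope-less peer address and a narrowed TSi.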