> On 25.10.2016 at 17:13, Mike Belopuhov <[email protected]> wrote:
>
>
> There are apparently some discussions in informational RFCs regarding
> this issue. For instance https://tools.ietf.org/html/rfc3756 states:
>
>     More specifically, the currently used key agreement protocol, IKE,
>     suffers from a chicken-and-egg problem [8]: one needs an IP address
>     to run IKE, IKE is needed to establish IPsec SAs, and IPsec SAs are
>     required to configure an IP address.
>
> Which goes one step further: how to protect all ND in general, but is
> still applicable in our situation. There were attempts to protect ND
> in an alternative way, e.g. SEND (https://tools.ietf.org/html/rfc3971).
> FreeBSD has picked up on it and has had a SoC project which seems to
> be integrated right now:
>
> https://wiki.freebsd.org/SOC2009AnaKukec
> https://www.freebsd.org/cgi/man.cgi?query=send&sektion=4
>
> Would it be possible for us to disable the check and always set saddr6
> to NULL for now?
Fine w/me. Or we could check if the packet has been IPsec encapsulated and set saddr6 to NULL in this case.
