On 25/10/16(Tue) 22:13, Markus Friedl wrote:
>
> > On 25.10.2016 at 17:13 Mike Belopuhov <[email protected]> wrote:
> >
> > There are apparently some discussions in informational RFCs regarding
> > this issue. For instance https://tools.ietf.org/html/rfc3756 states:
> >
> > More specifically, the currently used key agreement protocol, IKE,
> > suffers from a chicken-and-egg problem [8]: one needs an IP address
> > to run IKE, IKE is needed to establish IPsec SAs, and IPsec SAs are
> > required to configure an IP address.
> >
> > Which goes one step further: how to protect all ND in general, but is
> > still applicable in our situation. There were attempts to protect ND
> > in an alternative way, e.g. SEND (https://tools.ietf.org/html/rfc3971).
> > FreeBSD has picked up on it and has had a SoC project which seems to
> > be integrated right now:
> >
> > https://wiki.freebsd.org/SOC2009AnaKukec
> > https://www.freebsd.org/cgi/man.cgi?query=send&sektion=4
> >
> > Would it be possible for us to disable the check and always set saddr6
> > to NULL for now?
>
> Fine w/me.
>
> Or we could check if the packet has been IPsec encapsulated
> and set saddr6 to NULL in this case.
Is this fixed? Anything we're still waiting for?
