Hi, Syed Ajim. In future please expand acronyms, because while it's safe to assume that anyone reading this list knows what an SA is, not all of us are proficient in IPv6 terminology.
Having said that, policies usually have exceptions for protocols that need to run in the clear. IKE is an example of such a protocol. Also, when IPsec is between two hosts that are not on the same subnet, you don't have a problem: since your local network is not in the policy, all the neighbor discovery/solicitation/advertisement messages are in the clear anyway. You do have a problem when your IPsec peer is on the same subnet. In that case, you need to have an exception in your policy that makes these protocols non-protected.

Alternatively, you can get the peer address from a third party (such as DNS), and use that for IKE, ignoring the IPv6 way of doing discovery (IKE still needs an exception). Then the whole neighbor protocols will run over IPsec like they should. This might require some messing around with the IPv6 stack.

-----Original Message-----
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Syed Ajim Hussain
Sent: Thursday, February 18, 2010 10:41 AM
To: ipsec@ietf.org
Subject: [IPsec] IKE6 Negotiation when Peer Address ND not yet started.

Hi All

IPv6 Peer1 ------------------ IPv6 Peer 2

I have one question for the IKE IPv6 solution. Assume that in the IPsec6 policy I have configured Source IPv6 Address and Destination IPv6 Address as the traffic selector, and the IPsec SA is not yet established. When IKE triggers SA negotiation, at that time ND for the peer address is not yet done. In this condition, the Initiator starts NS to resolve the Peer Address, and the other end replies with NA, which is a unicast packet. Now this unicast packet comes under the IPsec6 policy, so Peer2 cannot send it unencrypted, and for encryption the SA is not yet ready. Even if Peer2 sends unencrypted packets, this NA packet may be dropped in Peer1, as it matches the IPsec policy and the packet is still unencrypted.

So, is there any standard to handle such a scenario? Else we need to update the standard to support IPSEC6/IKE6.
With Regards
Syed Ajim

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
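The deadlock described in the thread, and the policy exception suggested in the reply, modelled as an added example that is not code from either posting or from any real IPsec implementation. It is a toy ordered Security Policy Database (SPD) lookup: entries are tried in order, the first match decides PROTECT / BYPASS / DISCARD, and an outbound PROTECT with no SA yet is reported as NO_SA. The peer addresses 2001:db8::1 and 2001:db8::2 and the packets are constructed; the ICMPv6 Neighbor Discovery types 133-137 and IKE ports 500/4500 are the real protocol values. Traffic that matches no entry is treated as BYPASS, which is an assumption of this model that mirrors the reply's point that traffic outside the policy goes in the clear. The example shows why the NS (sent to a solicited-node multicast address) escapes a host-pair selector while the unicast NA does not, and how the two bypass entries fix both the NA and the IKE bootstrap.

```python
"""Toy IPsec SPD lookup showing the ND/IKE bootstrap problem for a host-pair policy.
Added example for the list thread above; addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PEER1 = "2001:db8::1"          # constructed address of the IKE initiator
PEER2 = "2001:db8::2"          # constructed address of the IKE responder
ICMPV6, UDP, TCP = 58, 17, 6   # IP protocol numbers
ND_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect (RFC 4861)
IKE_PORTS = {500, 4500}                # IKE and IKE over UDP encapsulation


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class SPDEntry:
    """One ordered SPD entry. A selector field left as None means 'any'."""
    action: str                          # "PROTECT", "BYPASS" or "DISCARD"
    src: Optional[str] = None            # address or prefix
    dst: Optional[str] = None
    proto: Optional[int] = None
    icmp_types: Optional[Set[int]] = None
    dports: Optional[Set[int]] = None

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: Optional[str]) -> bool:
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.icmp_types is None or p.icmp_type in self.icmp_types)
                and (self.dports is None or p.dport in self.dports))


def lookup(spd: List[SPDEntry], p: Packet, default: str = "BYPASS") -> str:
    """First matching entry wins. The BYPASS default for unmatched traffic is a
    modelling assumption (traffic the policy does not name goes in the clear)."""
    for entry in spd:
        if entry.matches(p):
            return entry.action
    return default


def outbound(spd: List[SPDEntry], p: Packet, sa_up: bool) -> str:
    """What the sending host can do with the packet right now."""
    action = lookup(spd, p)
    if action == "PROTECT":
        return "ENCRYPT" if sa_up else "NO_SA"   # NO_SA: would have to wait for IKE
    return action


def inbound_clear(spd: List[SPDEntry], p: Packet) -> str:
    """Fate of a packet that arrives *unprotected*: anything the policy says must
    be protected (or discarded) is dropped, only BYPASS traffic is accepted."""
    return "ACCEPT" if lookup(spd, p) == "BYPASS" else "DISCARD"


# The original poster's policy: protect everything between the two peers.
HOST_PAIR = [SPDEntry("PROTECT", src=PEER1, dst=PEER2),
             SPDEntry("PROTECT", src=PEER2, dst=PEER1)]
NAIVE_SPD = HOST_PAIR

# The reply's fix: bypass entries for ND and IKE placed *before* the host pair.
FIXED_SPD = [SPDEntry("BYPASS", proto=ICMPV6, icmp_types=ND_TYPES),
             SPDEntry("BYPASS", proto=UDP, dports=IKE_PORTS)] + HOST_PAIR


def demo() -> Dict[str, Dict[str, str]]:
    # Constructed packets for the exchange in the thread.
    ns = Packet(PEER1, "ff02::1:ff00:2", ICMPV6, icmp_type=135)   # NS to solicited-node multicast
    na = Packet(PEER2, PEER1, ICMPV6, icmp_type=136)             # unicast NA back to Peer1
    ike = Packet(PEER1, PEER2, UDP, dport=500)                   # IKE_SA_INIT request
    data = Packet(PEER1, PEER2, TCP, dport=443)                  # application traffic, SA up
    results = {}
    for name, spd in (("naive", NAIVE_SPD), ("fixed", FIXED_SPD)):
        results[name] = {
            "ns_out_peer1": outbound(spd, ns, sa_up=False),
            "na_out_peer2": outbound(spd, na, sa_up=False),
            "na_in_peer1_clear": inbound_clear(spd, na),
            "ike_out_peer1": outbound(spd, ike, sa_up=False),
            "data_out_sa_up": outbound(spd, data, sa_up=True),
        }
    return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, outcome)
```

With the naive host-pair policy the NS leaves in the clear (its multicast destination matches nothing), but Peer2's unicast NA and Peer1's own IKE_SA_INIT both hit PROTECT with no SA, and a clear-text NA arriving at Peer1 is discarded, which is exactly the deadlock the original poster describes. With the two bypass entries in front, ND and IKE pass in the clear while TCP data between the peers is still protected once the SA is up; because the SPD is ordered, the exceptions must precede the broader host-pair entry.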