IPv6 nodes use Neighbor Discovery messages for address resolution as
defined in RFC 4861.  However, on an IPv6 node with an IPsec
implementation, if there is an SPD entry with a selector that covers all
IP traffic, Neighbor Discovery messages could potentially be discarded
(especially during system reload) and IKE negotiation be initiated.  But
this would eventually fail, as the node hasn't yet determined the
link-layer address for the given IPv6 address.  RFC 4301 is not
explicit about according any 'special' treatment to Neighbor Discovery
messages.  As in the case of IKE messages, shall we make provisions for ND
messages to bypass IPsec protection?  Would appreciate feedback/comments
from the working group!

 

Thanks

Thamil

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
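
Added example, not part of the original message or of any IPsec implementation: a small model of an ordered SPD lookup showing the situation described above, where a catch-all PROTECT entry captures Neighbor Solicitation/Advertisement before any SA can exist, and how an explicit BYPASS entry for the RFC 4861 message types placed ahead of it changes the outcome. The class and function names and both sample policies are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ICMPV6, UDP = 58, 17             # IPv6 Next Header values
ND_TYPES = range(133, 138)       # RS, RA, NS, NA, Redirect (RFC 4861)

@dataclass(frozen=True)
class Packet:
    proto: int
    icmp_type: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class SpdEntry:                  # hypothetical, simplified selector
    action: str                  # "BYPASS", "PROTECT" or "DISCARD"
    proto: Optional[int] = None  # None means "any"
    icmp_types: Optional[range] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.icmp_types is not None and p.icmp_type not in self.icmp_types:
            return False
        return self.dport is None or p.dport == self.dport

def lookup(spd, pkt) -> str:
    """Ordered SPD: the first matching entry decides; no match is DISCARD."""
    return next((e.action for e in spd if e.matches(pkt)), "DISCARD")

def can_establish_sa(spd) -> bool:
    """IKE can only reach the peer once NS/NA have resolved its link-layer
    address, and at that point no SA exists, so both must pass in the clear."""
    nd_ok = all(lookup(spd, Packet(ICMPV6, icmp_type=t)) == "BYPASS"
                for t in (135, 136))          # NS and NA
    ike_ok = lookup(spd, Packet(UDP, dport=500)) == "BYPASS"
    return nd_ok and ike_ok

# Constructed policy 1: IKE bypass, then a selector covering all IP traffic.
CATCH_ALL = [SpdEntry("BYPASS", UDP, dport=500), SpdEntry("PROTECT")]
# Constructed policy 2: the same, with ND bypassed ahead of the catch-all.
WITH_ND_BYPASS = [SpdEntry("BYPASS", ICMPV6, icmp_types=ND_TYPES)] + CATCH_ALL

if __name__ == "__main__":
    for name, spd in (("catch-all", CATCH_ALL), ("ND bypass", WITH_ND_BYPASS)):
        ns = lookup(spd, Packet(ICMPV6, icmp_type=135))
        print(f"{name}: NS -> {ns}, SA possible: {can_establish_sa(spd)}")
```

In the second policy only types 133 to 137 are bypassed; other ICMPv6 traffic, such as Echo Request (type 128), still falls through to the PROTECT entry.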
