Hi, Toerless. I trimmed below most of your background info.
> On 24 Feb 2020, at 21:50, Toerless Eckert <t...@cs.fau.de> wrote:
>
> [hope it's fine to cross-post ipsec and ipsecme given how one is concluded,
> but may have more long-time subscribers]

ipsec is this group’s mailing list. I don’t know that there even is an ipse...@ietf.org <mailto:ipse...@ietf.org>

> We're looking for opinions about an IPsec profile for "Autonomic Control
> Plane" draft-ietf-anima-autonomic-control-plane, or specifically 6.7.1.1.1 of:
>
> https://raw.githubusercontent.com/anima-wg/autonomic-control-plane/be056679b9c9cac8c2d664958a3b91585b010a83/draft-ietf-anima-autonomic-control-plane/draft-ietf-anima-autonomic-control-plane.txt
>
> Quick background so you do not need to read anything more than 6.7.1.1.1:

I read a little more. Hope you don’t mind.

The profile seems fine to me. There is one thing that I think is missing. The profile specifies that the ACP nodes should use tunnel mode (when GRE is not used), because:

    IPsec tunnel mode is required because the ACP will route/forward packets
    received from any other ACP node across the ACP secure channels, and not
    only its own generated ACP packets. With IPsec transport mode, it would
    only be possible to send packets originated by the ACP node itself.

OK. When IKEv2 is used to negotiate tunnel-mode SAs (and transport mode, but that’s not important here) they need an IPsec policy that specifies traffic selectors so that IKEv2 can specify traffic selectors. Nowhere in your draft do I see a specification of what traffic selectors need to be negotiated.

If I understand the above paragraph correctly, both the source of the packet and the destination can be the IP address of any ACP node, neither of which is required to be the tunnel endpoints. This implies some sort of generic traffic selector. The draft should specify this, IMO.

Yoav
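The point Yoav raises, as an added example that is not part of the thread or of the draft: the script below encodes and decodes IKEv2 Traffic Selector payloads (RFC 7296 section 3.13) and then checks which packets a child SA negotiated with given TSi/TSr would carry. It contrasts host-to-host selectors covering only the two tunnel endpoints with generic selectors (::/0 in both directions), which is this example's assumption of what "generic traffic selector" would mean for the ACP. The ULA addresses are constructed sample values, the helper names are the example's own, and the "packet permitted" check is a simplified model of the RFC 7296 section 2.9 rule that the source must fall within TSi and the destination within TSr.

```python
"""Added example (not from the draft or the mailing-list thread): IKEv2
Traffic Selector payload encode/decode plus a check of which packets a
tunnel-mode child SA would carry.  All addresses are constructed samples."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Union

TS_IPV4_ADDR_RANGE = 7   # TS types from RFC 7296 section 3.13.1
TS_IPV6_ADDR_RANGE = 8

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class TrafficSelector:
    proto: int          # IP protocol ID, 0 means any protocol
    start_port: int
    end_port: int
    start_addr: Address
    end_addr: Address

    @classmethod
    def from_network(cls, net, proto=0, start_port=0, end_port=0xFFFF):
        """Selector covering a whole prefix; ports default to the full range."""
        net = ipaddress.ip_network(net)
        return cls(proto, start_port, end_port,
                   net.network_address, net.broadcast_address)

    def covers(self, addr, proto, port):
        """True if (addr, proto, port) falls inside this selector."""
        addr = ipaddress.ip_address(addr)
        if addr.version != self.start_addr.version:
            return False
        if self.proto not in (0, proto):
            return False
        if not self.start_port <= port <= self.end_port:
            return False
        return self.start_addr <= addr <= self.end_addr


def _encode_ts(ts):
    """One Traffic Selector substructure: type, proto, length, ports, range."""
    alen = 4 if ts.start_addr.version == 4 else 16
    ts_type = TS_IPV4_ADDR_RANGE if alen == 4 else TS_IPV6_ADDR_RANGE
    return (struct.pack("!BBHHH", ts_type, ts.proto, 8 + 2 * alen,
                        ts.start_port, ts.end_port)
            + ts.start_addr.packed + ts.end_addr.packed)


def encode_ts_payload(selectors, next_payload=0):
    """TSi/TSr payload: generic header, TS count, 3 reserved bytes, selectors."""
    body = b"".join(_encode_ts(ts) for ts in selectors)
    header = struct.pack("!BBHB3x", next_payload, 0, 8 + len(body), len(selectors))
    return header + body


def decode_ts_payload(data):
    """Parse a TS payload, rejecting length mismatches and unknown TS types."""
    if len(data) < 8:
        raise ValueError("TS payload shorter than its header")
    next_payload, _flags, length, count = struct.unpack_from("!BBHB3x", data, 0)
    if length != len(data):
        raise ValueError("TS payload length does not match data")
    offset, selectors = 8, []
    for _ in range(count):
        if offset + 8 > length:
            raise ValueError("truncated traffic selector")
        ts_type, proto, ts_len, sport, eport = struct.unpack_from("!BBHHH", data, offset)
        alen = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}.get(ts_type)
        if alen is None or ts_len != 8 + 2 * alen or offset + ts_len > length:
            raise ValueError("bad traffic selector")
        start = ipaddress.ip_address(data[offset + 8:offset + 8 + alen])
        end = ipaddress.ip_address(data[offset + 8 + alen:offset + ts_len])
        if end < start:
            raise ValueError("selector end address precedes start")
        selectors.append(TrafficSelector(proto, sport, eport, start, end))
        offset += ts_len
    if offset != length:
        raise ValueError("trailing bytes in TS payload")
    return next_payload, selectors


def sa_permits(tsi, tsr, src, dst, proto=0, sport=0, dport=0):
    """Would a child SA with these TSi/TSr carry an initiator-side packet
    src -> dst?  Source must match some TSi entry, destination some TSr entry."""
    return (any(ts.covers(src, proto, sport) for ts in tsi)
            and any(ts.covers(dst, proto, dport) for ts in tsr))


# Constructed sample ULA addresses (the ACP uses ULA addressing; values are made up).
ENDPOINT_A = "fd89:b714:f3db:0:200:0:6400:1"   # tunnel initiator
ENDPOINT_B = "fd89:b714:f3db:0:200:0:6400:2"   # tunnel responder
REMOTE_C = "fd89:b714:f3db:0:200:0:6400:3"     # another ACP node, reached via A
REMOTE_D = "fd89:b714:f3db:0:200:0:6400:4"     # another ACP node, reached via B


def endpoint_only_selectors():
    """Host-to-host selectors: only traffic between the two tunnel endpoints."""
    return ([TrafficSelector.from_network(ENDPOINT_A + "/128")],
            [TrafficSelector.from_network(ENDPOINT_B + "/128")])


def generic_selectors():
    """Generic selectors, ::/0 each way: any ACP source to any ACP destination
    (this example's assumption of what the draft would need to specify)."""
    return ([TrafficSelector.from_network("::/0")],
            [TrafficSelector.from_network("::/0")])


def forwarding_check(tsi, tsr):
    """Round-trip the selectors through the wire format, then test a packet the
    endpoint originates (A -> B) and one it merely forwards (C -> D)."""
    _, tsi = decode_ts_payload(encode_ts_payload(tsi))
    _, tsr = decode_ts_payload(encode_ts_payload(tsr))
    return {"own": sa_permits(tsi, tsr, ENDPOINT_A, ENDPOINT_B, 6, 40000, 22),
            "forwarded": sa_permits(tsi, tsr, REMOTE_C, REMOTE_D, 6, 40000, 22)}


if __name__ == "__main__":
    print("endpoint-only:", forwarding_check(*endpoint_only_selectors()))
    print("generic:      ", forwarding_check(*generic_selectors()))
```

With endpoint-only selectors the forwarded packet (C to D) is outside both TSi and TSr, so a conforming IPsec stack would drop it even though the tunnel is up; with ::/0 on both sides it is carried. That is the gap a profile text would close by stating the selectors to negotiate.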
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec