On Sun, 23 Oct 2022, Erik Kline wrote:
> > You could also just say that ASBRs are presumed to be communicating within a well-managed environment, are often zero or one hops away from one another, and that this environment MUST accommodate the larger MTU for tunnel-mode IPsec encapsulation.
>
> If it’s such a trusted one hop, why do you need IPsec to signal a traffic label? Seems to me like "trusting" that the MTU can be set to a useful value and trusting the origin of IP addresses of packets forwarded across the link are two very different things. But I am not a SEC AD. :-)

:-) It sounds like we are talking about a dedicated line, so one could set the MTU to 9000 perhaps and not worry. But then one can also just use IPsec ESP NULL (or heck, even real IPsec encryption). I am a bit confused about the goal/purpose vs the solution space (but will admit my understanding so far comes from the messages on the list and not yet of me going through the document, which I plan to do over the next couple of days).

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
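The thread turns on how much larger the link MTU must be to carry tunnel-mode ESP, including ESP-NULL. The following is an added worked example, not code from the thread or any IETF document: it computes the on-the-wire size of a tunnel-mode ESP packet from the RFC 4303 layout (8-byte ESP header, 2-byte trailer, padding to the transform's alignment, then the ICV), using three assumed transform profiles whose IV/ICV lengths are taken from RFC 2404 (HMAC-SHA1-96), RFC 4106 (AES-GCM) and RFC 3602 (AES-CBC).

```python
# Added example: tunnel-mode ESP overhead and the outer MTU it implies.
# Header sizes follow RFC 4303; transform parameters are assumed profiles.

IPV4_HDR = 20
IPV6_HDR = 40
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# profile name -> (IV length, pad alignment, ICV length), all in bytes.
# ESP-NULL carries no IV and no cipher padding but still needs the ICV.
PROFILES = {
    "esp-null-hmac-sha1-96": (0, 4, 12),
    "aes-gcm-128-icv16": (8, 4, 16),
    "aes-cbc-128-hmac-sha1-96": (16, 16, 12),
}


def esp_tunnel_size(inner_len, profile, outer_v6=True):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    iv, align, icv = PROFILES[profile]
    body = inner_len + ESP_TRAILER          # encrypted/integrity region
    pad = (-body) % align                   # RFC 4303 padding to alignment
    outer = IPV6_HDR if outer_v6 else IPV4_HDR
    return outer + ESP_HDR + iv + body + pad + icv


def required_link_mtu(inner_mtu, profile, outer_v6=True):
    """Smallest link MTU that carries a full-size inner packet unfragmented."""
    return esp_tunnel_size(inner_mtu, profile, outer_v6)


def max_inner_for_link(link_mtu, profile, outer_v6=True):
    """Largest inner packet that fits a link MTU without fragmentation.

    esp_tunnel_size is non-decreasing in inner_len, so a downward scan
    from link_mtu finds the boundary; padding makes it step, not slide.
    """
    for inner in range(link_mtu, 0, -1):
        if esp_tunnel_size(inner, profile, outer_v6) <= link_mtu:
            return inner
    return 0


if __name__ == "__main__":
    for name in PROFILES:
        print(name, "inner 1500 ->", required_link_mtu(1500, name),
              "| max inner on 1500 link:", max_inner_for_link(1500, name))
```

Even ESP-NULL over an IPv6 outer header costs 64 bytes on a 1500-byte inner packet, so a 1500-byte link silently forces fragmentation or PMTU discovery unless the link MTU is raised, which is exactly the accommodation the quoted text demands.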
