On Fri, 12 Jan 2024, Antony Antony wrote:
> For a basic use case, any response would suffice. The essential requirement is the ability to send a request and receive a response from the IPsec peer, which is why I proposed the minimal solution to begin with.

I disagree. VPN protocols are actively attacked by network operators in oppressive regimes. These regimes often will cause odd failures that ensure the end user keeps trying because it somewhat/sometimes works, which stops those users from trying another protocol that the operator cannot block yet. I could see how those network operators would reply to these probes, but still mess with or block the real traffic. I think the signal of "this network can transport this ESP" should come from the endpoints and not be falsifiable.

> I noticed the initial draft created a lot of interest and I feel there is clear interest in pinging specific SAs using encrypted ESP ping. However, I/we currently lack the practical experience to fully define the IPsec ping message format. I am hoping we can come up with a minimal spec.
Right.

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
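The property argued for above (a "this SA works" signal that only the two endpoints can produce, so an on-path operator cannot answer probes while dropping the real traffic) can be sketched with a small simulation. This is an added illustration, not the draft's message format and not code from the thread's authors: it assumes a hypothetical probe bound to one SA by SPI and a fresh random nonce, authenticated with an HMAC under a key shared by the two SA endpoints (standing in for ESP's own integrity check), and it models two attacker moves, an operator fabricating an answer without the key and an operator replaying a genuine answer captured earlier.

```python
# Added illustration of an endpoint-only, non-falsifiable SA liveness probe.
# Not the IPsec ping draft's format; all field layouts here are assumptions.
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

REQ, RESP = 0, 1          # hypothetical message kinds
HDR = struct.Struct("!BI")  # kind (1 byte) + SPI (4 bytes), assumed layout
NONCE_LEN, TAG_LEN = 8, 16
PKT_LEN = HDR.size + NONCE_LEN + TAG_LEN


@dataclass(frozen=True)
class SA:
    spi: int
    key: bytes  # integrity key shared only by the two SA endpoints


def _tag(sa: SA, kind: int, nonce: bytes) -> bytes:
    # Bind direction, SPI and nonce so a reply cannot be turned into a
    # request, moved to another SA, or reused for a different probe.
    return hmac.new(sa.key, HDR.pack(kind, sa.spi) + nonce,
                    hashlib.sha256).digest()[:TAG_LEN]


def _parse(pkt: bytes):
    kind, spi = HDR.unpack_from(pkt)
    nonce = pkt[HDR.size:HDR.size + NONCE_LEN]
    tag = pkt[HDR.size + NONCE_LEN:PKT_LEN]
    return kind, spi, nonce, tag


def make_request(sa: SA) -> bytes:
    nonce = os.urandom(NONCE_LEN)  # fresh per probe, defeats replay
    return HDR.pack(REQ, sa.spi) + nonce + _tag(sa, REQ, nonce)


def answer_request(sa: SA, pkt: bytes) -> Optional[bytes]:
    """Responder endpoint: reply only to a request keyed under its own SA."""
    if len(pkt) != PKT_LEN:
        return None
    kind, spi, nonce, tag = _parse(pkt)
    if kind != REQ or spi != sa.spi:
        return None
    if not hmac.compare_digest(tag, _tag(sa, REQ, nonce)):
        return None
    return HDR.pack(RESP, sa.spi) + nonce + _tag(sa, RESP, nonce)


def check_response(sa: SA, request: bytes, response: bytes) -> bool:
    """Initiator: accept only a reply bound to this request's nonce and SA key."""
    if len(response) != PKT_LEN:
        return False
    kind, spi, nonce, tag = _parse(response)
    _, _, req_nonce, _ = _parse(request)
    if kind != RESP or spi != sa.spi or nonce != req_nonce:
        return False
    return hmac.compare_digest(tag, _tag(sa, RESP, nonce))


def forge_response(request: bytes) -> bytes:
    """Constructed adversary: on-path operator without the SA key echoes the
    probe with the kind flipped and a made-up tag."""
    _, spi, nonce, _ = _parse(request)
    return HDR.pack(RESP, spi) + nonce + os.urandom(TAG_LEN)


def demo() -> dict:
    """Run the three cases and report what the initiator accepts."""
    sa = SA(spi=0x0A0B0C0D, key=hashlib.sha256(b"demo SA key").digest())
    req = make_request(sa)
    genuine = answer_request(sa, req)
    forged = forge_response(req)
    # Replay: a genuine reply to an earlier probe, captured while the
    # operator was still letting ESP through.
    old_req = make_request(sa)
    old_resp = answer_request(sa, old_req)
    return {
        "genuine": check_response(sa, req, genuine),
        "forged": check_response(sa, req, forged),
        "replayed": check_response(sa, req, old_resp),
    }


if __name__ == "__main__":
    print(demo())
```

Only the reply that was computed by the peer holding the SA key, for this probe's nonce, is accepted; a fabricated reply and a replayed older reply are both rejected, which is the sense in which the signal comes from the endpoints and is not falsifiable by the path.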
