Panwei (William) <william.pan...@huawei.com> wrote:

> It seems to me that extending the traceroute by using an ESP packet can
> be done right now and has no requirement for the ESP packet format. Any
> ESP packets can work with this mechanism, and there is no need for the
> designated SPIs.

> The receiver will send back an ICMP response when it receives the ESP
> packet with TTL=0, no matter what this ESP packet actually looks
> like. The receiver can be the on-path firewalls or routers, and the
> final IPsec peer.

Yes, that's true up to the final hop.

At the final hop, when the destination address is local, then one *might*
receive an ICMP Parameter Problem because the SPI is not recognized. Maybe.

If it does not, then the sender will send another packet with TTL one
larger, and then when it gets no reply try again with two larger, etc.

Receiving an ESPping reply with SPI=8 would be a positive reply that the
path was clear (in both directions!).

One thing which the document does not say, and I'm not sure what to say, is
what the TTL of the ESP reply ought to be. I was contemplating if it should
copy the TTL of the incoming packet. That would weirdly let one traceroute
in the reverse direction too, only the ICMPs would go to the receiving host,
which is not the host doing the traceroute, so not very useful actually.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
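The probing loop the thread describes (TTL stepped up hop by hop, ICMP Time Exceeded from routers, and at the far end either an ESPping reply, an ICMP Parameter Problem for an unknown SPI, or silence that makes the sender grow the TTL step) can be simulated to see what each outcome looks like from the sender's side. The following Python model is an added example written for this page; it is not code from the thread, the draft, or any implementation. The hop names, the request SPI value 7, the "answers unknown SPI" switch and the behaviour of the firewall that silently discards ESP are constructed assumptions; only the reply SPI=8 comes from the message above.

```python
"""Simulation of traceroute-by-ESP as described in the thread.

Constructed example: hop names, SPI values (other than the reply SPI=8
mentioned in the message) and the peers' reply behaviour are assumptions
for illustration, not normative behaviour of any draft.
"""
from dataclasses import dataclass

ESP_PING_REQUEST_SPI = 7   # assumed request SPI (not from the page)
ESP_PING_REPLY_SPI = 8     # reply SPI mentioned in the message


@dataclass
class Hop:
    name: str
    final: bool = False                  # the IPsec peer that owns the address
    drops_esp: bool = False              # e.g. a firewall silently discarding ESP
    known_spis: frozenset = frozenset()  # SPIs of real SAs the peer accepts
    answers_unknown_spi: bool = False    # sends ICMP Parameter Problem or not


def forward(path, ttl, spi):
    """Walk one ESP probe along `path`; return the reply the sender sees, or None.

    Routers decrement TTL and answer with ICMP Time Exceeded when it hits 0.
    The final host accepts the packet regardless of TTL and then decides
    based on the SPI: ESPping request -> ESP reply with SPI=8; a real SA ->
    silently consumed; anything else -> Parameter Problem only if configured.
    """
    for hop in path:
        ttl -= 1
        if ttl <= 0 and not hop.final:
            return ("ICMP Time Exceeded", hop.name)
        if hop.drops_esp:
            return None
        if hop.final:
            if spi == ESP_PING_REQUEST_SPI:
                return ("ESP reply", ESP_PING_REPLY_SPI)
            if spi in hop.known_spis:
                return None
            if hop.answers_unknown_spi:
                return ("ICMP Parameter Problem", hop.name)
            return None
    return None


def esp_traceroute(path, spi, max_ttl=30):
    """Probe with increasing TTL until the far end answers or max_ttl is passed.

    On silence the next TTL grows by one more than last time (one larger,
    then two larger, ...), as the message describes for a peer that does
    not send Parameter Problem.
    """
    trace = []
    ttl, step = 1, 1
    while ttl <= max_ttl:
        reply = forward(path, ttl, spi)
        trace.append((ttl, reply))
        if reply is None:
            ttl += step
            step += 1
            continue
        if reply[0] != "ICMP Time Exceeded":
            break              # reached the peer, one way or another
        ttl, step = ttl + 1, 1
    return trace


def reached_peer(trace):
    """True when the last probe got a reply originating at the far end."""
    last = trace[-1][1] if trace else None
    return last is not None and last[0] in ("ESP reply", "ICMP Parameter Problem")


def last_responding_hop(trace):
    """Name of the last hop that sent ICMP Time Exceeded (where a black hole starts)."""
    names = [r[1] for _, r in trace if r and r[0] == "ICMP Time Exceeded"]
    return names[-1] if names else None


# Constructed topologies: a clean path and one with an ESP-dropping firewall.
PATH = [Hop("r1"), Hop("fw"), Hop("r3"),
        Hop("peer", final=True, known_spis=frozenset({0x1000}))]
BLOCKED = [Hop("r1"), Hop("fw", drops_esp=True), Hop("peer", final=True)]

if __name__ == "__main__":
    for ttl, reply in esp_traceroute(PATH, ESP_PING_REQUEST_SPI):
        print(ttl, reply)
    print("blocked path stops after:", last_responding_hop(
        esp_traceroute(BLOCKED, ESP_PING_REQUEST_SPI)))
```

Running it on `PATH` with the request SPI shows three Time Exceeded replies followed by the ESP reply with SPI=8, i.e. the "path clear in both directions" case; probing the same path with a real SA's SPI produces only silence past hop 3, so the TTL grows 4, 5, 7, 10, ... until the limit, which is why the message treats the ESPping reply (or a Parameter Problem) as the thing that makes the final hop observable.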