On Feb 19, 2010, at 6:30 AM, Syed Ajim Hussain wrote:

> Hi Yoav Nir & All Group Members
>
> Thanks for your quick response. I think, instead of the user taking special
> care by adding an extra rule to allow un-encrypted ND traffic (unicast),
> there should be some RFC guidelines such that the IPsec/IKE protocol itself
> can take care of it. It will be a problem in interop also.

Are you volunteering to write such an RFC?

> Below guidelines can be used.
>
> 1. If a packet is of IPv6 NS/NA type, the IPsec policy matches, but the
> Security Association (SA) is not yet established, then the sender can send
> un-encrypted packets.
>
> Also the receiver should accept an un-encrypted packet for NS/NA when the
> IPsec policy matches but no Security Association (SA) is present.

As Tero & Steve replied, you probably need some entries in the SPD just to make IKE/IPsec work. ICMP is one case, IPv6 NS/NA/ND is another, and IKE/IPsec itself is yet another.

<vendor_hat>Some products automatically configure the necessary extra rules for you, but even if they're invisible in the fancy GUI, those extra rules are still there.</vendor_hat>

For now nobody has written a document to describe these, except for the discussion of ICMP in RFC 4301. I'm not sure if such a document is necessary, as any implementor is bound to find out about these requirements very soon.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
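The SPD entries the reply refers to, as an added example that is not part of the thread or of any product mentioned in it: a minimal ordered SPD lookup in the style of RFC 4301, with constructed packet tuples, showing that without BYPASS entries placed ahead of the catch-all PROTECT entry, IKE and IPv6 neighbor discovery are caught by the protect rule before any SA exists. The `Packet`, `SPDEntry` and `spd_lookup` names are this example's own.

```python
# Added example (not from the mailing-list thread): an RFC 4301-style ordered
# SPD lookup illustrating why IKE and IPv6 ND need explicit BYPASS entries
# ahead of the catch-all PROTECT entry. All packets and entries are constructed.
from dataclasses import dataclass
from typing import Optional

IPV6_ICMP, UDP, TCP = 58, 17, 6
NS, NA = 135, 136          # ICMPv6 Neighbor Solicitation / Advertisement
IKE_PORTS = {500, 4500}    # IKE and IKE-over-UDP (NAT traversal)

@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None      # transport destination port (UDP/TCP)
    icmp_type: Optional[int] = None  # ICMPv6 type, when proto is IPV6_ICMP

@dataclass(frozen=True)
class SPDEntry:
    action: str                      # "BYPASS", "DISCARD" or "PROTECT"
    proto: Optional[int] = None      # None matches any protocol
    dports: frozenset = frozenset()  # empty set matches any port
    icmp_types: frozenset = frozenset()

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.icmp_types and pkt.icmp_type not in self.icmp_types:
            return False
        return True

def spd_lookup(spd, pkt):
    """Ordered SPD: first matching entry wins; no match means DISCARD."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    return "DISCARD"

# Naive SPD: a single "protect everything" rule. Before an SA exists, NS/NA
# and IKE itself fall under PROTECT, so the SA can never be negotiated.
NAIVE_SPD = [SPDEntry("PROTECT")]

# Working SPD: bypass entries for IKE and for IPv6 neighbor discovery sit
# before the catch-all PROTECT entry, so ordering is what makes this work.
WORKING_SPD = [
    SPDEntry("BYPASS", proto=UDP, dports=frozenset(IKE_PORTS)),
    SPDEntry("BYPASS", proto=IPV6_ICMP, icmp_types=frozenset({NS, NA})),
    SPDEntry("PROTECT"),
]
```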