Yoav Nir (from IPsecME) had raised a point suggesting that RFC 4301 doesn't mandate that all traffic go via the IPsec tunnel, and one could implement policies such that PTP traffic doesn't go via the tunnel. This IMO will not work, as we DO want to provide data integrity protection to PTP so that attackers can't modify the packets in transit.
This would entail setting up a separate IPsec NULL-ESP tunnel, which I have been given to understand is extremely unscalable and not acceptable. Thus we need to provide some provision to disambiguate PTP packets from the other data packets in the IPsec encrypted stream.

Cheers, Manav

--
Manav Bhatia, IP Division, Alcatel-Lucent, Bangalore - India

_______________________________________________
TICTOC mailing list
TICTOC@ietf.org
https://www.ietf.org/mailman/listinfo/tictoc