On Mar 31, 2011, at 6:39 PM, Bhatia, Manav (Manav) wrote:

> Yoav Nir (from IPSecME) had raised a point suggesting that RFC4301 doesn't
> mandate all traffic to go via the IPSec tunnel and one could implement
> policies such that PTP traffic doesn't go via the tunnel. This imo will not
> work as we DO want to provide data integrity protection to PTP so that
> attackers can't modify the packets in transit.
>
> This would entail setting up a separate IPSec NULL-ESP tunnel which I have
> been given to understand is extremely unscalable and not acceptable.
>
> Thus we need to provide some provision to disambiguate PTP packets from the
> other data packets in the IPSec encrypted stream.
>
> Cheers, Manav
If you do not consider it a threat that nodes along the network would be able to identify PTP packets, then yes, you may want to get one of the 4 reserved bits on the WESP header. If you do want that, please ask the IPsecME working group to do this soon, because our last drafts are now in IETF last call, and the working group might be closed in 3 months.

Yoav

_______________________________________________
TICTOC mailing list
TICTOC@ietf.org
https://www.ietf.org/mailman/listinfo/tictoc
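To make the suggestion concrete, here is an added example (not code from either poster or from any IETF draft) that serializes and parses the 4-octet WESP header of RFC 5840 and shows how a middlebox could read a PTP marker from the Flags octet without any key material. The choice of the lowest reserved bit as the marker is an assumption for illustration only; no such bit has been allocated, and the sample field values are constructed.

```python
import struct

# WESP (RFC 5840) header: 4 octets placed immediately before the ESP header.
#   Next Header (8) | HdrLen (8) | TrailerLen (8) | Flags (8)
# Flags octet: V V E P R R R R
#   V = version (2 bits, currently 0), E = payload is encrypted,
#   P = padding present, R = the four reserved bits Yoav refers to.
WESP_VERSION = 0
FLAG_E = 0x20
FLAG_P = 0x10
RSVD_MASK = 0x0F

# Hypothetical marker for this example: the lowest reserved bit flags a PTP
# packet. This bit is NOT allocated by any RFC; it is an assumption here.
FLAG_PTP_HYPOTHETICAL = 0x01


def build_wesp_header(next_header, hdr_len, trailer_len,
                      encrypted=False, padding=False, ptp=False):
    """Serialize a WESP header, optionally setting the hypothetical PTP bit."""
    flags = WESP_VERSION << 6
    if encrypted:
        flags |= FLAG_E
    if padding:
        flags |= FLAG_P
    if ptp:
        flags |= FLAG_PTP_HYPOTHETICAL
    return struct.pack("!BBBB", next_header, hdr_len, trailer_len, flags)


def parse_wesp_header(data):
    """Parse a WESP header from the start of `data`; raise ValueError if malformed."""
    if len(data) < 4:
        raise ValueError("truncated WESP header")
    next_header, hdr_len, trailer_len, flags = struct.unpack("!BBBB", data[:4])
    version = flags >> 6
    if version != WESP_VERSION:
        raise ValueError("unsupported WESP version %d" % version)
    return {
        "next_header": next_header,
        "hdr_len": hdr_len,
        "trailer_len": trailer_len,
        "encrypted": bool(flags & FLAG_E),
        "padding": bool(flags & FLAG_P),
        "reserved": flags & RSVD_MASK,
        # Readable in the clear by any on-path node, which is exactly the
        # trade-off Yoav points out.
        "ptp": bool(flags & FLAG_PTP_HYPOTHETICAL),
    }
```

Constructed sample: `build_wesp_header(17, 12, 14, ptp=True)` describes an ESP-NULL packet carrying UDP (the PTP case) whose marker bit is visible to a middlebox, while a packet built without `ptp=True` parses with `reserved == 0`.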