RFC 4891: Using IPsec to Secure IPv6-in-IPv4 Tunnel...
RFC-Ref

interface



... tunnel path is out of scope. The use of the word "interface" or the phrase "IP interface" refers to the IPv6 ...
... The use of the word "interface" or the phrase "IP interface" refers to the IPv6 interface ...
... IP interface" refers to the IPv6 interface that must be present on any IPv6 node to send or receive IPv6 packets ...
... or receive IPv6 packets. The use of the phrase "tunnel interface" refers to the interface that receives the IPv6-in-IPv4 ...
... tunnel interface" refers to the interface that receives the IPv6-in-IPv4 tunneled packets over IPv4 ...


... IPv4 ingress filtering, i.e., check whether the packet is received on a legitimate interface. o To mitigate threat (2), the decapsulator ...
... This shortcoming can be partially mitigated by IPv6 ingress filtering, i.e., check that the packet is arriving from the interface in the direction of the route towards the tunnel endpoint ...
... ingress filtering can be applied in the tunnel interface. (Transport mode is often also used in other kinds of tunnels ...
... applying transport mode to a tunnel interface, and as a result this document recommends transport mode. Note that even though transport ...


... 3. Source address selection depends on the notions of routes and interfaces. This implies that the reachability to the various IPv6 ...
... or may not model the IPsec tunnel mode SA as an interface as described in Appendix A.1. ...
... If IPsec tunnel mode SA is not modeled as an interface (e.g., as of this writing, popular in many open source implementations), the SPD ...
... requirement is also problematic, because almost all implementations assume addresses are assigned on interfaces (rather than configured in SPDs) for proper source address ...
... If the IPsec tunnel mode SA is modeled as interface, the traffic that needs protection can be modeled as routes pointing to the interface ...
... interface, the traffic that needs protection can be modeled as routes pointing to the interface. But the second requirement is difficult to satisfy, because the ...
... requirement is easily solved, because IPsec is modeled as an interface. In practice, (2) has been solved by protecting all the traffic ...
... IPv6 ingress filtering must be applied on the tunnel interface on all the packets that pass the inbound IPsec processing. ...


... observe that applying transport mode to a tunnel interface is the simplest and therefore recommended solution. ...
... transport mode applied to a tunnel interface. Source address spoofing can be ...
... limited by enabling ingress filtering on the tunnel interface. Manual keying must not be used as large amounts of IPv6 ...


... SPD (SSPD) model (without a tunnel interface) can be made to work, but it has reduced applicability, and the use of a transport mode tunnel ...
... SPDs": some implementations model the tunnel mode SA as an IP interface. In this case, an IPsec tunnel interface ...
... IP interface. In this case, an IPsec tunnel interface is created and used with "any" addresses ...
... Ingress filtering must be separately applied on the tunnel interface as the IPsec policy checks do not check the IPv6 addresses at all. Routing protocols ...
... transport mode. The SPDs must be interface-specific. However, because IKE uses IPv4 ...
... IPv6, there is no standard solution to map the IPv4 interface to IPv6 interface [VLINK ...
... IPv4 interface to IPv6 interface [VLINK] and this approach is not feasible. ...
... 2. "Specific SPDs": some implementations do not model the tunnel mode SA as an IP interface. Traffic selection is based on specific SPD ...
... session between two endpoints does not have an interface (though an implementation may have a common pseudo-interface ...
... interface (though an implementation may have a common pseudo-interface for all IPsec traffic), there is no Duplicate Address Detection ...


