... security association (SA) is established
to protect the traffic defined by (IPv4-source, IPv4-dest, protocol =
...
... tunnel mode, the IPsec SA is established to protect the traffic
defined by (IPv6-source, IPv6 ...
... IKEv1 is used, then multiple SAs
need to be set up, one for each traffic selector.
Note that the existing implementations based on IKEv1 ...
... IPsec is used to protect the IPv6
traffic (inner header) for the scenarios listed in Section 3.
...
... link-local
(e.g., Neighbor Discovery) and multicast traffic. Without this,
an attacker can pollute the IPv6 ...
... tunnels, the source and destination addresses
of the traffic could come from a wide range of prefixes that are
...
... this writing, popular in many open source implementations), the SPD
entries for protecting all traffic between the two endpoints must be
described. Evaluating against the requirements ...
... requirements above, all link-local
traffic and multicast traffic would need to be identified, possibly
resulting in a long list of SPD entries. The second requirement is
difficult to satisfy, because the traffic needing protection is not
necessarily (e.g., router-to-router tunnel ...
... IPsec tunnel mode SA is modeled as an interface, the traffic that
needs protection can be modeled as routes pointing to the interface.
...
... But the second requirement is difficult to satisfy, because the
traffic needing protection is not necessarily known a priori. The
third requirement ...
... interface.
In practice, (2) has been solved by protecting all the traffic
(::/0), but no interoperable implementations support this feature.
For a detailed list of issues pertaining to this, see [VLINK ...
... tunnel is a much simpler
solution and also easily protects link-local and multicast traffic,
we do not recommend using tunnel mode in this context ...
... applying transport mode to protect tunnel traffic that spans only a
part of an end-to-end path.
...
... and protocol value 41 as phase 2 identities. With IKEv2, the traffic
selectors are used to carry the same information.
...
Manual keying must not be used as large amounts of IPv6 traffic may
be carried over the tunnels and doing so would make it easier for an
...
... integrity is
discouraged. ESP furthermore provides limited traffic flow
confidentiality.
IPsec ...
... addresses ("::/0 <-> ::/0") as IPsec
traffic selectors while setting up the SA. Though this allows
all traffic between the two nodes to be protected by IPsec, the
routing table would decide what traffic gets sent over the
tunnel. Ingress filtering ...
... SPDs": some implementations do not model the tunnel
mode SA as an IP interface. Traffic selection is based on
specific SPD entries, e.g., "2001:db8:1::/48 <-> 2001:db8:
...
... pseudo-interface for all IPsec traffic), there is no Duplicate
Address Detection (DAD), Multicast Listener Discovery ...
... Ingress filtering is performed automatically by
the IPsec traffic selectors.
Ingress filtering ...
... IPV6-TEP2
as phase 2 identities. With IKEv2, the traffic selectors are used to
carry the same information.
...
... networks. A detailed description of the problem and
requirements of IPsec-protected data traffic traversing a NAT is
provided in [RFC3715 ...
