Subject: Re: Non-IPSec Processing Point for ipf
To: None <itojun@iijlab.net>
From: Curt Sampson <cjs@cynic.net>
List: tech-net
Date: 04/17/2003 18:09:05
On Thu, 17 Apr 2003 itojun@iijlab.net wrote:

> additional interface breaks IPv6 scoping.  please don't do that.

If these are only "taps" to which you cannot assign an address and you
can't send a packet, does it still break scoping?

But there are other issues that come up as I start to look at the input
code. It looks to me as if you can do multiple levels of encapsulation,
so if a user specifies "esp/tunnel/X-Y/require ah/tunnel/X-Y/require" as
his SPD, we're going to get a packet that looks like:

    +-----+----+-----+-----+-----+---------+
    | IP1 | AH | IP2 | ESP | IP3 | payload |
    +-----+----+-----+-----+-----+---------+

In this case, most people are going to want to see IP1 at the "real"
interface and IP3 at the "decrypted" interface. So I guess once you strip
off an IPSec header, you don't pass it on to the packet filter if there's
another IPSec header afterwards with tunnel mode turned on.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
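To make the layout above concrete, here is an added example (not code from the thread or from the NetBSD tree) that builds the IP1 | AH | IP2 | ESP | IP3 | payload packet with constructed addresses, strips the headers the way an input path would, and picks out the two IP headers the mail proposes handing to the filter: IP1 at the "real" interface and IP3 at the "decrypted" one, with IP2 skipped because a further tunnel-mode IPsec header sits beneath it. It assumes ESP with the NULL cipher and a fixed 12-byte ICV so the walker can see inside ESP without any key material.

```python
import struct
IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_AH = 4, 50, 51   # next-header values

def ipv4(src, dst, proto, payload):
    # Constructed IPv4 header without options; checksum left zero for the demo.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def ah(next_hdr, payload, icv=b"\0" * 12):
    # AH: next header, length in 32-bit words minus 2, reserved, SPI, seq, ICV.
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2,
                       0, 0x100, 1) + icv + payload

def esp_null(next_hdr, payload, icv=b"\0" * 12):
    # ESP with the NULL cipher (RFC 2410) so the walker can see inside it:
    # SPI, seq, data, padding, pad length, next header, ICV (assumed 12 bytes).
    pad = (-(len(payload) + 2)) % 4
    return (struct.pack("!II", 0x200, 1) + payload + bytes(range(1, pad + 1))
            + bytes([pad, next_hdr]) + icv)

def walk(pkt, icv_len=12):
    """Strip headers the way the input path would; return (chain, payload)."""
    chain, proto = [], IPPROTO_IPIP
    while proto in (IPPROTO_IPIP, IPPROTO_AH, IPPROTO_ESP):
        if proto == IPPROTO_IPIP:
            ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
            chain.append(("IP", pkt[12:16], pkt[16:20]))
            pkt, proto = pkt[ihl:total], pkt[9]
        elif proto == IPPROTO_AH:
            chain.append(("AH",))
            pkt, proto = pkt[(pkt[1] + 2) * 4:], pkt[0]
        else:  # ESP: trailer (pad length, next header) sits just before the ICV
            body = pkt[:-icv_len]
            chain.append(("ESP",))
            pkt, proto = body[8:-(2 + body[-2])], body[-1]
    chain.append(("payload", proto))
    return chain, pkt

def filter_points(chain):
    # Hand the filter the outermost IP header ("real" interface) and the innermost
    # one ("decrypted" interface); skip an IP header that still has a tunnel beneath it.
    kinds = [h[0] for h in chain]
    return [i for i, k in enumerate(kinds)
            if k == "IP" and (i == 0 or "IP" not in kinds[i + 1:])]

def demo():
    # IP1 | AH | IP2 | ESP | IP3 | payload; all addresses are constructed.
    ip3 = ipv4(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 17, b"hello")
    ip2 = ipv4(bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]), IPPROTO_ESP,
               esp_null(IPPROTO_IPIP, ip3))
    ip1 = ipv4(bytes([198, 51, 100, 1]), bytes([198, 51, 100, 2]), IPPROTO_AH,
               ah(IPPROTO_IPIP, ip2))
    return walk(ip1)
```

Running `demo()` yields the six-entry chain IP, AH, IP, ESP, IP, payload, and `filter_points` returns the indices of IP1 and IP3 only.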