Subject: Re: Non-IPSec Processing Point for ipf
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: None <itojun@iijlab.net>
List: tech-net
Date: 04/18/2003 11:48:03
> > additional interface breaks IPv6 scoping. please don't do
> > that.
>
> Yes, you've said this many times in the past.
>
> I agree that it is an issue for IPv6. It is not for IPv4.
it is if you filter packets using incoming interfaces information.
> I would like to get past this. Can't we create an interface that has an
> extremely local scope (a la loopback), or some other "undefined" scope?
the problem is not just "scope" itself (linklocal or whatever), but
also the scope identification associated with the packet (= incoming
interface). anything that changes m->m_pkthdr.rcvif will break IPv6.
part of the problem is that RFC2401 does not say how the IPsec tunnel
should be modeled - if RFC2401 does not include tunnel mode in the
spec and we are to use GRE/whatever with transport mode, the problem
should have never happened. i don't like the way RFC2401 is specified.
see draft-touch-ipsec-vpn-05.txt.
itojun