Subject: Re: Non-IPSec Processing Point for ipf
To: None <tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 04/18/2003 11:32:40


>>>>> "itojun" == itojun  <itojun@iijlab.net> writes:
    >> I agree that it is an issue for IPv6. It is not for IPv4.

    itojun> it is if you filter packets using incoming interfaces information.

  i.e. ingress filtering?

    itojun> the problem is not just "scope" itself (linklocal or whatever), but
    itojun> also the scope identification associated with the packet (= incoming
    itojun> interface).  anything that changes m->m_pkthdr.rcvif will break IPv6.

  I'm trying to understand this in detail.

    itojun> part of the problem is that RFC2401 does not say how the IPsec tunnel
    itojun> should be modeled - if RFC2401 does not include tunnel mode

  Yes, I understand this argument. I tend to agree. I also know why it was
written that way. We can incorporate a lot more text in there to fix things.
  We have a chance to fix rfc2401bis now. I'd like to do this.

  How is it that GRE doesn't break IPv6 scoping?

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

