Per the Chairs to WG,
Currently for Shim6 the ULIDs are used to encrypt and decrypt the Shim6
packet per discussions on this with the authors for IPsec. This is done
and possible because there is a context associated with the locator pair
from out-of-bound message exchange at each end point to identify the
ULIDs for location pair association. This means the locator pair in the
IP header is not used for IPsec encrypt and decrypt as is done today
according to IPsec.

This is using out-of-bound signals to set up IPsec and was specifically
rejected as a method for IPsec when defining the IPsec architecture back
in 1995 at the IETF Danvers meeting. In addition, this type of use of IPsec
should be verified and supported by the IPsec WG within the IETF.

This could be an IETF Last Call objection presented to the IESG for
Shim6 base protocol spec. In addition this part of Shim6 requires much
better writing and explanation to provide absolute clarity of the
situation and mechanics for processing IPsec.

Best,
/jim