
Re: Some comments on draft-tschofenig-v6ops-secure-tunnels



Sorry for the late reply to your reply ;)

At 03:21 10/03/2005 +0200, Pekka Savola wrote:

...

>>>5) another use case scenario can be (and actually I've seen it deployed): using this IPsec protected IPv6 tunnel as a back-up link of a 'real native' IPv6 link in order to provide resiliency. This of course requires routing protocols hence the use of the 'transport mode' variant.
>>
>>I don't know whether it is relevant to the current document or not. I will let Pekka answer this.
>
>(This is my opinion only, of course. :)
>
>As far as I understand, the above is only an issue if the tunnel mode SA is not modelled as an interface (based on the touch-vpn, now RFC3884, right?). If it's an interface, it could be used to run a routing protocol (as long as it's not IS-IS :-) just fine?

Correct indeed. Except that, AFAIK, IPsec/IKEv2 do not allow multicast traffic over ESP, and most routing protocols rely on multicast to discover neighbours. But this is a kind of minor detail since a lot of implementations allow it.

...

>So, I guess we already have all the technical bases covered (unless I'm missing something?), and the issue is just whether this usage scenario should be explicitly mentioned in the draft. I'd say not, because this seems to be a much more specific example case than the ones we currently have in the draft, and listing a specific one might be misleading.

It is indeed a variation of the router-to-router scenario as a parallel link. I would not call this a specific case but a variation.

Whether it is worth adding is another question of course ;-)

Hope it helps

-eric