Re: [Last-Call] [Detnet] Secdir last call review of draft-ietf-detnet-ip-05

Lou Berger writes:
> > In section 5.1.2.2 it says that SPI field of the ESP and AH is
> > used, but in case the IPsec is configured to use UDP encapsulation
> > (rfc3948, i.e., UDP destination port is 4500) there is different
> > location for the SPI. Should this document also dig SPI out from
> > the UDP encapsulated ESP/AH?
> 
> no.  I'll add qualifications that this applies when the "IPv4 Protocol 
> and IPv6 Next Header Fields" are set to AH and ESP. specifically:
> 
>               The rules defined in this section only apply when the
>                IPv4 Protocol or IPv6 Next Header Field contains the IANA
>                defined value for AH or ESP.
> 
> 
> > There is also
> > wrapped ESP (rfc5840) with bit different format, i.e., having wrapped ESP
> > header before the normal ESP header. Should this be included also?
> 
> This was not discussed in the working group -- so a really great point 
> to raise in this review.  Thank you!
> 
> As it has its own protocol number, it would be not too hard to add.  
> That said, there's no reason it couldn't be added later and no one in 
> the working group raised it.  What do you think, is it important to add 
> it now?

If you are not concerned about UDP encapsulated IPsec, then I think you can
ignore the Wrapped ESP too. I have not seen wrapped ESP in any real
use, compared to the UDP encapsulated IPsec, which is very commonly
used.

Wrapped ESP was mainly meant for enterprise use cases where they want
authentication only, but no encryption, as they do want to look inside
the packets.

UDP encapsulated IPsec is used when there are NATs in play, i.e., most
of the IPsec traffic from road warriors, i.e. laptops in hotels etc.
-- 
kivinen@xxxxxx
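The distinction discussed in this thread, as an added illustration that is not part of the draft or of either author's message: the draft's rule reads the SPI only when the IPv4 Protocol field is AH (51) or ESP (50), while RFC 3948 UDP encapsulation moves the ESP header behind a UDP header on port 4500, where IKE traffic on the same port is told apart by a four-zero-byte Non-ESP Marker. The packets below are constructed (IPv4 only, no checksums); function and constant names are this example's own.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
NATT_PORT = 4500  # RFC 3948 UDP encapsulation port (name chosen here)

def spi_per_draft(pkt: bytes):
    """SPI as the draft's rule reads it: only when Protocol is AH or ESP."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, hdr = pkt[9], pkt[ihl:]
    if proto == IPPROTO_ESP:
        return struct.unpack("!I", hdr[:4])[0]   # ESP: SPI is the first 4 bytes
    if proto == IPPROTO_AH:
        return struct.unpack("!I", hdr[4:8])[0]  # AH: NextHdr, PayloadLen, Reserved, SPI
    return None                                  # rule does not apply (e.g. UDP/4500)

def spi_udp_encap(pkt: bytes):
    """Where the SPI sits for RFC 3948 UDP encapsulated ESP (outside the draft's rule)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_UDP:
        return None
    udp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if NATT_PORT not in (sport, dport):
        return None
    first_word = struct.unpack("!I", udp[8:12])[0]  # right after the 8-byte UDP header
    if first_word == 0:                # Non-ESP Marker: this is IKE on 4500, not ESP
        return None
    return first_word                  # ESP header begins here, so this is the SPI

# --- constructed sample packets (not captured traffic) ---
def _ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

ESP_PKT = _ipv4(IPPROTO_ESP, struct.pack("!II", 0x1000ABCD, 1) + b"\x00" * 16)
AH_PKT = _ipv4(IPPROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0x2000ABCD, 7) + b"\x00" * 12)
NATT_PKT = _ipv4(IPPROTO_UDP, _udp(4500, 4500, struct.pack("!II", 0x3000ABCD, 1) + b"\x00" * 16))
IKE_PKT = _ipv4(IPPROTO_UDP, _udp(4500, 4500, b"\x00\x00\x00\x00" + b"\x00" * 28))

if __name__ == "__main__":
    for name, p in [("ESP", ESP_PKT), ("AH", AH_PKT), ("UDP-ESP", NATT_PKT), ("IKE", IKE_PKT)]:
        print(name, spi_per_draft(p), spi_udp_encap(p))
```

Note that a flow classifier following the draft alone sees no SPI for the NAT-traversal case at all, which is the point of Lou Berger's added qualification.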
