On Sun, Oct 23, 2022 at 9:37 AM Paul Wouters <p...@nohats.ca> wrote:

> On Oct 21, 2022, at 23:50, Erik Kline <ek.i...@gmail.com> wrote:
> >
> > You could also just say that ASBRs are presumed to be communicating within a well-managed environment, are often zero or one hops away from one another, and that this environment MUST accommodate the larger MTU for tunnel-mode IPsec encapsulation.
>
> If it’s such a trusted one hop, why do you need IPsec to signal a traffic label?

Seems to me like "trusting" that the MTU can be set to a useful value and trusting the origin of IP addresses of packets forwarded across the link are two very different things. But I am not a SEC AD. :-)

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec