RFC 7296, "Internet Key Exchange Protocol Version 2 (IKEv2)", October 2014

Note: This RFC has been updated by RFC 7427, RFC 7670, RFC 8247, RFC 8983, RFC 9370

Errata ID: 6779
Status: Held for Document Update
Type: Editorial
Publication Format(s) : TEXT
Reported By: warren.wang
Date Reported: 2021-12-08
Held for Document Update by: Benjamin Kaduk
Date Held: 2021-12-11

Section 1.1.1 says:

   In this scenario, neither endpoint of the IP connection implements
   IPsec, but network nodes between them protect traffic for part of the
   way.  Protection is transparent to the endpoints, and depends on
   ordinary routing to send packets through the tunnel endpoints for
   processing.  Each endpoint would announce the set of addresses
   "behind" it, and packets would be sent in tunnel mode where the inner
   IP header would contain the IP addresses of the actual endpoints.

It should say:

   In this scenario, neither endpoint of the IP connection implements
   IPsec, but network nodes between them protect traffic for part of the
   way.  Protection is transparent to the endpoints, and depends on
   ordinary routing to send packets through the tunnel endpoints for
   processing.  Each tunnel endpoint would announce the set of addresses
   "behind" it, and packets would be sent in tunnel mode where the inner
   IP header would contain the IP addresses of the actual endpoints.

Notes:

"Each tunnel endpoint" will make it easy to understand which entity is announcing the set of addresses.

Report New Errata