RFC Errata
RFC 7296, "Internet Key Exchange Protocol Version 2 (IKEv2)", October 2014
Note: This RFC has been updated by RFC 7427, RFC 7670, RFC 8247, RFC 8983, RFC 9370
Source of RFC: ipsecme (sec)
Errata ID: 6779
Status: Held for Document Update
Type: Editorial
Publication Format(s) : TEXT
Reported By: warren.wang
Date Reported: 2021-12-08
Held for Document Update by: Benjamin Kaduk
Date Held: 2021-12-11
Section 1.1.1 says:
In this scenario, neither endpoint of the IP connection implements IPsec, but network nodes between them protect traffic for part of the way. Protection is transparent to the endpoints, and depends on ordinary routing to send packets through the tunnel endpoints for processing. Each endpoint would announce the set of addresses "behind" it, and packets would be sent in tunnel mode where the inner IP header would contain the IP addresses of the actual endpoints.
It should say:
In this scenario, neither endpoint of the IP connection implements IPsec, but network nodes between them protect traffic for part of the way. Protection is transparent to the endpoints, and depends on ordinary routing to send packets through the tunnel endpoints for processing. Each tunnel endpoint would announce the set of addresses "behind" it, and packets would be sent in tunnel mode where the inner IP header would contain the IP addresses of the actual endpoints.
Notes:
"Each tunnel endpoint" will make it easy to understand which entity is announcing the set of addresses.