
IPv6 Security Last Call Questions





Ran,

	I am reviewing the I-D's to see what is needed to make the current
IBM IPSP implementation conformant. I have a few questions/suggestions :

  1. In the ESP I-D (not DES-CBC I-D), beginning of section 3 on page 4 :
	"... (ESP) may appear anywhere after the IP header."

     My understanding of the entire ESP I-D is that ESP can be placed before
     an encapsulated IP packet or after an IP header but before a transport
     header (e.g., a TCP header). If I am right, then the word "anywhere" is
     a little bit misleading.

  2. In sections 4.1 and 4.2 of the ESP I-D, it says that the receiver MUST
     create a log if there is no security association to process a received
     ESP. I fully agree that logging is the right thing to do. However, I think
     whether to log these events or not should be a local decision and not a
     requirement of the protocol.

  3. If we have ESP between two firewalls in the following configuration :


                     +------+  +----------+   +------+
      <system A>-----+ FW X +--+ Internet +---+ FW Y +------<system B>
                     +------+  +----------+   +------+

     If the goal is to protect communication between A and B, is it possible
     to use transport-mode ESP between FW's X and Y ? If the answer is YES,
     then I think X and Y must reconstruct IP packets after decapsulation.

  4. On computing "Authentication Data" of AH on an IPv4 datagram, what are the
     "invariant fields" that must be included in the computation ? Is the
     following list exclusive :

          version, ID, protocol, src and dest addresses.

     I am not an expert on routers; I am not sure whether, if the DF flag is on,
     the 3-bit flags field and 13-bit fragment offset field are also invariant.

  5. If AH is computed on a to-be-encrypted IP datagram, can the entire IP
     datagram be considered "invariant" ?