IPv6 Security Last Call Questions
Ran,
I am reviewing the I-D's to see what is needed to make the current
IBM IPSP implementation conformant. I have a few questions/suggestions:
1. In the ESP I-D (not DDES-CBC I-D), beginning of section 3 on page 4:
"... (ESP) may appear anywhere after the IP header."
My understanding of the entire ESP I-D is that ESP can be placed before
an encapsulated IP packet or after an IP header but before a transport
header (e.g., a TCP header). If I am right, then the word "anywhere" is
a little bit misleading.
2. In sections 4.1 and 4.2 of the ESP I-D, it says that the receiver MUST
create a log if there is no security association to process a received
ESP. I fully agree that logging is the right thing to do. However, I think
whether to log these events or not should be a local decision and not a
requirement of the protocol.
3. If we have ESP between two firewalls in the following configuration:
             +------+    +----------+    +------+
<system A>---+ FW X +----+ Internet +----+ FW Y +---<system B>
             +------+    +----------+    +------+
If the goal is to protect communication between A and B, is it possible
to use transport-mode ESP between FW's X and Y? If the answer is YES,
then I think X and Y must reconstruct IP packets after decapsulation.
4. On computing "Authentication Data" of AH on an IPv4 datagram, what are the
"invariant fields" that must be included in the computation? Is the
following list exclusive:
version, ID, protocol, src and dest addresses.
I am not an expert on routers; I am not sure, if the DF flag is on, whether
the 3-bit flags field and 13-bit fragment offset field are also invariant.
5. If AH is computed on a to-be-encrypted IP datagram, can the entire IP
datagram be considered "invariant" ?
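Added example, not from the message above or the IBM implementation it mentions: a small Python model of the AH integrity computation over an IPv4 header, showing which header fields survive the "zero the mutable fields" step and why a router's TTL decrement or DF clearing leaves the ICV intact while an address rewrite breaks it. The mutable-field set is assumed from the later published AH specification (RFC 2402: TOS, flags, fragment offset, TTL, header checksum); HMAC-SHA256, the key, addresses and payload are constructed stand-ins.

```python
import hashlib
import hmac
import struct

# Mutable IPv4 header fields, assumed per the later AH spec (RFC 2402):
# TOS, Flags, Fragment Offset, TTL, Header Checksum are zeroed before the
# integrity computation; Version, IHL, Total Length, Identification,
# Protocol, Source and Destination are covered as-is. Options not handled.
def zero_mutable_ipv4_fields(hdr: bytes) -> bytes:
    if len(hdr) < 20 or (hdr[0] >> 4) != 4:
        raise ValueError("not an IPv4 header")
    if (hdr[0] & 0x0F) != 5:
        raise ValueError("IPv4 options not supported in this example")
    h = bytearray(hdr[:20])
    h[1] = 0                 # TOS
    h[6] = h[7] = 0          # flags (incl. DF) + fragment offset
    h[8] = 0                 # TTL
    h[10] = h[11] = 0        # header checksum
    return bytes(h)

def build_ipv4_header(tos, total_len, ident, flags_frag, ttl, proto, src, dst):
    # Checksum left 0: a real stack fills it in, and AH zeroes it anyway.
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident,
                       flags_frag, ttl, proto, 0, src, dst)

def ah_icv(key: bytes, ip_hdr: bytes, payload: bytes) -> bytes:
    # Toy AH-style ICV: HMAC-SHA256 over the zeroed header plus payload.
    # A real AH also covers the AH header itself with its ICV field zeroed.
    msg = zero_mutable_ipv4_fields(ip_hdr) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

def icv_invariance_demo(key: bytes = b"constructed-demo-key") -> tuple:
    """Returns (survives_router_changes, survives_address_rewrite)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"constructed payload"
    # As sent: DF set, TTL 64.
    sent = build_ipv4_header(0, 20 + len(payload), 0x1234, 0x4000, 64, 6, src, dst)
    # As received after routers: TTL decremented, TOS rewritten, DF cleared.
    recv = build_ipv4_header(0x10, 20 + len(payload), 0x1234, 0x0000, 61, 6, src, dst)
    # Source address rewritten in transit: must break the ICV.
    nat = build_ipv4_header(0, 20 + len(payload), 0x1234, 0x4000, 64, 6,
                            bytes([192, 0, 2, 1]), dst)
    ref = ah_icv(key, sent, payload)
    return (hmac.compare_digest(ref, ah_icv(key, recv, payload)),
            hmac.compare_digest(ref, ah_icv(key, nat, payload)))

if __name__ == "__main__":
    print(icv_invariance_demo())   # (True, False)
```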