
Re: Comments on IPSO and AH/ESP



> One obvious problem with encapsulation is that if IPSO is in the inner
> packet, it can't easily be examined by the routers to perform
> filtering as routers do right now.  This means the same
> interoperability issues with the status quo will also exist in this
> case.
> 

Why not have the IPSO option appear in BOTH IP headers? The
encapsulated one to be signed and the real IP header to be
looked at by the router.  Now someone could change the IPSO
in the real header so that the router would do something
unnatural to it but unless you are expecting the router to
understand IPSEC and authenticate the header (which requires
that it know about IPSEC anyway and hence could compare the
copies of the IPSO fields to see if they match) this is not
an issue. At this point saving bits is the least of our
problems.

Sean O'Malley
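
An added illustration of the arrangement proposed above, not code from this thread: the inner packet carries the IPSO option and is covered by an integrity check, the outer header carries an unsigned copy for routers to filter on, and an IPSEC-aware hop can verify the check and compare the two copies. It assumes the RFC 1108 Basic Security Option encoding (type 130), an HMAC-SHA256 placed between the headers as a stand-in for the AH ICV, and constructed addresses and key.

```python
import hmac
import hashlib
import struct

IPSO_BASIC = 130                    # RFC 1108 Basic Security Option type
SECRET, UNCLASSIFIED = 0x5A, 0xAB   # RFC 1108 classification level codes
KEY = b"constructed-demo-key"       # sample value standing in for the AH key

def build_ipso(classification):
    # type, length, classification level, one protection-authority octet (no flags set)
    return bytes([IPSO_BASIC, 4, classification, 0x00])

def ipv4_header(src, dst, proto, options, payload_len):
    """Minimal IPv4 header; options padded to 32 bits, checksum left zero for brevity."""
    opts = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + payload_len,
                        0, 0, 64, proto, 0, src, dst)
    return fixed + opts

def extract_ipso(pkt):
    """Walk the option area of the IPv4 header at the start of pkt; return the IPSO bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    i = 20
    while i < ihl:
        kind = pkt[i]
        if kind == 0:                # End of Option List
            break
        if kind == 1:                # No-Operation: single octet
            i += 1
        elif kind == IPSO_BASIC:
            return pkt[i:i + pkt[i + 1]]
        else:
            i += pkt[i + 1]
    return None

def encapsulate(inner_src, inner_dst, outer_src, outer_dst, ipso, payload, key=KEY):
    """Signed inner packet (IPSO inside the HMAC) behind an outer header with an unsigned IPSO copy."""
    inner = ipv4_header(inner_src, inner_dst, 17, ipso, len(payload)) + payload
    icv = hmac.new(key, inner, hashlib.sha256).digest()   # simplified AH ICV over the inner packet
    outer = ipv4_header(outer_src, outer_dst, 4, ipso, len(icv) + len(inner))
    return outer + icv + inner

def gateway_check(pkt, key=KEY):
    """IPSEC-aware hop: verify the ICV and confirm the router-visible IPSO matches the signed one."""
    outer_ihl = (pkt[0] & 0x0F) * 4
    icv, inner = pkt[outer_ihl:outer_ihl + 32], pkt[outer_ihl + 32:]
    icv_ok = hmac.compare_digest(icv, hmac.new(key, inner, hashlib.sha256).digest())
    ipso_match = extract_ipso(pkt[:outer_ihl]) == extract_ipso(inner)
    return icv_ok, ipso_match
```

A plain router reads only the outer copy; a hop that alters it leaves the ICV valid but the two copies disagree, which is exactly the comparison an IPSEC-aware hop can make.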

