
Questions on AH and ESP for IPv4

Two issues follow, one dealing with fragmentation, the Authentication Header, and 
routers, the other dealing with the ESP Tunnel mode and TTLs.

Page 2 of the RFC1826 says "Also, Path MTU Discovery MUST be used when
intermediate authentication of the Authentication Header is desired and
IPv4 is in use because with this method it is not possible to
authenticate a fragment of a packet [MD90] [Kno93]".  And Page 8 says
"IPv4 Implementations SHOULD use Path MTU Discovery when the IP
Authentication Header is being used [MD90]".

There seems to be a minor ambiguity between pages 2 and 8, but my
interpretation of this is that AH *hosts* SHOULD use PMTU and AH routers
MUST use PMTU.  I propose that the sentence on page 8 should be chopped
and on page 2 it should read:  "Also, Path MTU Discovery SHOULD be used
in conjunction with the Authentication header in IPv4 hosts and MUST be
used when intermediate authentication of the Authentication Header is
desired in IPv4 routers because with this method it is not possible to
authenticate a fragment of a packet [MD90] [Kno93]"

It's a minor change, but I think it is less ambiguous.

I don't have PMTU and of course my AH router code breaks when
fragmentation begins.  Also, this is an area that is inconsistent with
the ESP spec.  ESP would suffer the same problem, except there is the
ESP Tunnel mode that solves the problem.  Until PMTU is better
deployed, would it be valuable to have either an AH Tunnel mode or a
more generic IPSEC Tunnel mode?

Next topic deals with the ESP Tunnel mode.  On the clear IPv4 packet,
what should the TTL be set to?  My initial take was to set it to the
value in the encrypted packet, but later decided to set it to MAXTTL
and let the other end of the tunnel worry about the real TTL.  It makes
for some interesting observations when using traceroute.   Also, should
this issue be mentioned in the spec, or is it just an implementation
issue?

Rob Glenn

Rob.Glenn@nist.gov
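Added example (editor's illustration, not part of Rob Glenn's message or of any
RFC text): it builds an IPv4 datagram carrying an Authentication Header, shows
that a router cannot verify the ICV on either fragment of it but can on the
reassembled datagram, shows that a DF-marked datagram (what Path MTU Discovery
relies on) is dropped rather than fragmented, and contrasts the two outer-TTL
choices for ESP Tunnel mode raised in the second question. Assumptions that are
not on the page: HMAC-MD5 stands in for the AH transform, the ESP body is
carried as-is with no cipher, and the SPI, key and addresses are made up.

```python
"""Toy IPv4 + AH + ESP-tunnel model (added illustration, not RFC code)."""
import hashlib
import hmac
import struct

MAXTTL = 255
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
SPI = 0x1000                   # made-up Security Parameters Index
KEY = b"sixteen byte key"      # made-up shared secret
# RFC 1826 zeroes these IPv4 fields before the ICV is computed:
# TOS, flags + fragment offset, TTL, header checksum -> (offset, length).
MUTABLE_IPV4 = [(1, 1), (6, 2), (8, 1), (10, 2)]
IP_HDR = struct.Struct("!BBHHHBBH4s4s")


def checksum(data):
    """Standard 16-bit ones'-complement Internet checksum."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(total_len, proto, ttl, src, dst, ident=0x1234,
                df=False, mf=False, frag_off=0):
    flags_off = (df << 14) | (mf << 13) | (frag_off & 0x1FFF)
    hdr = IP_HDR.pack(0x45, 0, total_len, ident, flags_off, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def is_fragment(pkt):
    return bool(struct.unpack("!H", pkt[6:8])[0] & 0x3FFF)   # MF set or offset != 0


def ah_icv(pkt):
    """Keyed hash over the whole datagram with the mutable IPv4 fields and the
    AH Authentication Data zeroed (HMAC-MD5 used here only as a stand-in)."""
    buf = bytearray(pkt)
    for off, ln in MUTABLE_IPV4:
        buf[off:off + ln] = bytes(ln)
    buf[28:44] = bytes(16)                 # auth data: 16 bytes at 20 (IP) + 8 (AH)
    return hmac.new(KEY, bytes(buf), hashlib.md5).digest()


def build_ah_packet(payload, src, dst, ttl=64, df=False):
    ah = struct.pack("!BBHI", IPPROTO_UDP, 4, 0, SPI) + bytes(16)  # RFC 1826 AH layout
    ip = ipv4_header(20 + len(ah) + len(payload), IPPROTO_AH, ttl, src, dst, df=df)
    pkt = ip + ah + payload
    return pkt[:28] + ah_icv(pkt) + pkt[44:]


def verify_ah(pkt):
    """Only a complete datagram can be checked: a non-first fragment carries no
    AH at all, and the first fragment's ICV covers bytes it no longer holds."""
    if is_fragment(pkt) or pkt[9] != IPPROTO_AH or len(pkt) < 44:
        return False
    return hmac.compare_digest(pkt[28:44], ah_icv(pkt))


def fragment(pkt, mtu):
    """Router behaviour for a datagram larger than the next-hop MTU. With DF
    set the datagram must be dropped instead (PMTU relies on this), so the
    function returns None."""
    _, _, _, ident, flags_off, ttl, proto, _, src, dst = IP_HDR.unpack(pkt[:20])
    if flags_off & 0x4000:
        return None
    body, step, frags = pkt[20:], (mtu - 20) // 8 * 8, []
    for off in range(0, len(body), step):
        piece = body[off:off + step]
        hdr = ipv4_header(20 + len(piece), proto, ttl, src, dst, ident,
                          mf=off + step < len(body), frag_off=off // 8)
        frags.append(hdr + piece)
    return frags


def reassemble(frags):
    frags = sorted(frags, key=lambda f: struct.unpack("!H", f[6:8])[0] & 0x1FFF)
    body = b"".join(f[20:] for f in frags)
    _, _, _, ident, _, ttl, proto, _, src, dst = IP_HDR.unpack(frags[0][:20])
    return ipv4_header(20 + len(body), proto, ttl, src, dst, ident) + body


def esp_tunnel(inner, src, dst, copy_ttl):
    """ESP Tunnel mode outer header: TTL copied from the inner packet, or
    MAXTTL so the whole tunnel counts as one hop for the inner packet."""
    outer_ttl = inner[8] if copy_ttl else MAXTTL
    body = struct.pack("!I", SPI) + inner          # no real cipher in this model
    return ipv4_header(20 + len(body), IPPROTO_ESP, outer_ttl, src, dst) + body


def traverse_tunnel(outer, transit_routers):
    """Each transit router decrements the outer TTL; the egress strips the
    outer header and charges the inner packet one hop. None = expired."""
    if outer[8] - transit_routers <= 0:
        return None
    inner = bytearray(outer[24:])
    inner[8] -= 1
    inner[10:12] = b"\0\0"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:20])))
    return bytes(inner) if inner[8] else None
```

With a 1000-byte payload and a 576-byte MTU the datagram splits in two; verify_ah
fails on both pieces and succeeds again only after reassemble. For the tunnel
case, an inner packet with TTL 3 dies inside a five-router tunnel when the outer
TTL is copied, but arrives with inner TTL 2 when the outer TTL is MAXTTL; since
TTL and checksum are mutable fields, the AH ICV still verifies after the egress
decrement.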
