[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ICMP Security Failures

To: daw@cs.berkeley.edu
Subject: Re: ICMP Security Failures
From: Phil Karn <karn@qualcomm.com>
Date: Fri, 22 Dec 1995 15:25:02 -0800 (PST)
Cc: ipsec@ans.net
In-Reply-To: <199512200726.CAA03264@hiway1.exit109.com> (daw@cs.berkeley.edu)

>Tunnelling is a very useful mode.  It's most useful for routers,
>bump-in-the-stack encryptors, IP forwarding (e.g. IP ``remailers''),
>and perhaps also firewalls...but I don't think the utility is limited
>to those situations.

Absolutely!

>It's important that implementors realize they must support this mode
>of operation.  The tunnel/transport modes aren't orthogonal, from
>the implementation perspective: to support tunnel-mode, the IPSEC
>modules must be re-entrant, and must deal with remembered security
>state when processing IP headers.  Implementors probably won't think
>to support all this if it's not described explicitly in the spec.

Again, I agree. Your point about re-entrancy is well taken. Perhaps we
could word the requirement that way. We should specifically require
that receiving implementations accept packets with arbitrarily nested
AH/ESP/tunnel headers, even if they can't generate them. Exact
language is open to discussion.

Phil

Prev by Date: Re: ICMP Security Failures
Next by Date: Re: AH/ESP
Prev by thread: Re: ICMP Security Failures
Next by thread: Re: ICMP Security Failures
Index(es):
- Main
- Thread