[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AH and ESP Combinations

To: ipsec@ans.net
Subject: AH and ESP Combinations
From: "William Allen Simpson" <bsimpson@morningstar.com>
Date: Thu, 28 Dec 95 04:57:45 GMT
Reply-To: ipsec@ans.net
Sender: ipsec-owner@ans.net

> From: Craig Metz <cmetz@sundance.itd.nrl.navy.mil>
> In message <9512271952.AA19612@uncial.CS.Arizona.EDU>, Hilarie Orman writes:
> >Some combinations may not be possible, due to ambiguities in
> >processing order.  For example, IP-AH-AH or IP-ESP-AH.
>
> 	I think IP-AH-AH is valid, though maybe not very useful. You
> would process those in order, i.e., the first AH would cover the payload,
> and the second AH would cover the first AH and the payload.
>
No, I don't think that is valid.  AH specifically covers the IP header,
including the Length, and it would be pretty hard to figure out the
length used in each.

Presumably, we could define it so that the inner one used the Length
which was appropriate without the outer one, and the outer one used a
Length including both inner and outer.  But, I think it is easier to
outlaw the construct.


> 	I don't think IP-ESP-AH is valid -- it would have to be IP-ESP-IP-AH.
>
The current text allows AH inside without IP, but I think it is
ambiguous.  Let's explicitly disallow this one, too.

We need a major revision of the Architecture, I think.  Only a few
cases, with each clearly specified, would help interoperability.

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2

Prev by Date: Re: ICMP Security Failures
Next by Date: Re: I-D ACTION:draft-krawczyk-keyed-md5-01.txt
Prev by thread: Out of office 12/20-12/27
Next by thread: AH and ESP Combinations
Index(es):
- Main
- Thread