
Re: ICMP Security Failures



In message <199512280734.CAA18874@hiway1.exit109.com>, David Wagner writes:
>Craig Metz <cmetz@sundance.itd.nrl.navy.mil> writes:
>>	I think IP-AH-AH is valid, though maybe not very useful. You
>>would process those in order, i.e., the first AH would cover the payload,
>>and the second AH would cover the first AH and the payload.
>>
>>	I don't think IP-ESP-AH is valid -- it would have to be
>>IP-ESP-IP-AH.
>
>No, sadly, I don't think IP-AH-AH is safe to use with today's AH spec.

	I never said it's safe. A layered implementation that fixes up the
IP header as it goes along the processing path could do it, though. There's
nothing in the spec that explicitly says it could or couldn't be done.
(There's some haze here, but we really only want an AH to be able to cover an
IP header that actually exists on the wire, not some possible fabrication of
a stack.)

									-Craig
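The processing order Craig describes (outer AH verified first, then the IP header "fixed up" before the inner AH is checked) is shown below as an added illustration; it is not code from the original thread or from any AH implementation of the time. The authenticator (truncated HMAC-SHA1), the demo keys, the SPIs and the addresses are all constructed for the example; the set of mutable IPv4 fields zeroed before authentication is the usual one (TOS, flags/offset, TTL, header checksum) and is assumed rather than taken from the message.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

AH_PROTO = 51   # IP protocol number for the Authentication Header
IP_HLEN = 20    # IPv4 header without options
ICV_LEN = 12    # authenticator length; truncated HMAC-SHA1 is an assumption for the demo
UDP = 17
K_INNER = b"inner-sa-key"   # constructed demo keys, one per SA
K_OUTER = b"outer-sa-key"

def ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF

def ipv4_header(total_len, proto, ttl=64, src="10.0.0.1", dst="10.0.0.2"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def fixup_ip_header(iphdr, total_len, proto):
    # Rewrite length and protocol as one layer is added or peeled off; redo the checksum.
    b = bytearray(iphdr)
    b[2:4] = struct.pack("!H", total_len)
    b[9] = proto
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ip_checksum(bytes(b)))
    return bytes(b)

def zero_mutable(iphdr):
    # Fields that change in transit are authenticated as zero: TOS, flags/offset, TTL, checksum.
    b = bytearray(iphdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)

def ah_bytes(next_hdr, spi, seq, icv):
    payload_len = (12 + len(icv)) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv

def compute_icv(key, iphdr, next_hdr, spi, seq, rest):
    ah_zeroed = ah_bytes(next_hdr, spi, seq, b"\x00" * ICV_LEN)
    mac = hmac.new(key, zero_mutable(iphdr) + ah_zeroed + rest, hashlib.sha1).digest()
    return mac[:ICV_LEN]

def add_ah(key, packet, spi, seq):
    # Sender: insert one AH right after the IP header, covering the header and everything after it.
    iphdr, rest = packet[:IP_HLEN], packet[IP_HLEN:]
    inner_proto = iphdr[9]
    new_hdr = fixup_ip_header(iphdr, IP_HLEN + 12 + ICV_LEN + len(rest), AH_PROTO)
    icv = compute_icv(key, new_hdr, inner_proto, spi, seq, rest)
    return new_hdr + ah_bytes(inner_proto, spi, seq, icv) + rest

def strip_ah(key, packet):
    # Receiver: verify the outermost AH, then hand back the packet the next layer was computed over.
    iphdr, rest = packet[:IP_HLEN], packet[IP_HLEN:]
    if iphdr[9] != AH_PROTO:
        raise ValueError("no AH at this layer")
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    icv, inner = rest[12:ah_len], rest[ah_len:]
    if not hmac.compare_digest(compute_icv(key, iphdr, next_hdr, spi, seq, inner), icv):
        raise ValueError("AH verification failed (spi=%#x)" % spi)
    # The IP header the inner AH saw was shorter by one AH; reconstruct it before checking it.
    return fixup_ip_header(iphdr, IP_HLEN + len(inner), next_hdr) + inner

def inner_verifies_without_fixup(key, wire_packet):
    # A non-layered receiver that checks the second AH against the header as it sits on the wire.
    iphdr = wire_packet[:IP_HLEN]
    outer_len = (wire_packet[IP_HLEN + 1] + 2) * 4
    rest = wire_packet[IP_HLEN + outer_len:]
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    return hmac.compare_digest(compute_icv(key, iphdr, next_hdr, spi, seq, rest[ah_len:]),
                               rest[12:ah_len])

def hop(packet):
    # One router hop: TTL decremented and checksum rewritten, i.e. only mutable fields change.
    b = bytearray(packet)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ip_checksum(bytes(b[:IP_HLEN])))
    return bytes(b)

def build_ip_ah_ah(payload):
    plain = ipv4_header(IP_HLEN + len(payload), UDP) + payload
    return add_ah(K_OUTER, add_ah(K_INNER, plain, spi=0x100, seq=1), spi=0x200, seq=1)

def receive_ip_ah_ah(wire_packet):
    # Process the AHs in order: outer first, fix up the header, then inner.
    once = strip_ah(K_OUTER, wire_packet)
    return strip_ah(K_INNER, once)[IP_HLEN:]

if __name__ == "__main__":
    wire = hop(build_ip_ah_ah(b"payload"))
    print("layered receiver recovers:", receive_ip_ah_ah(wire))
    print("inner AH checked against wire header:", inner_verifies_without_fixup(K_INNER, wire))
```

The second AH only verifies once the receiver reconstructs the IP header the sender had when it computed that AH (shorter total length, the inner next-header), which is the "fabrication of a stack" the message warns about: the header being authenticated by the inner AH never appears on the wire as such.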

