Re: Authentication using ESP in Transport Mode
Someone wrote:
>The packets would be:
>
> IPv4 ...outer header as it travels the net
> AH ...is this needed?
> ESP ...for firewall/tunnel
> ESP ...for remote to internal node
> original TCP/UDP/etc. ...real data.
I don't think so. I was thinking more like:
 IP (source=outside firewall, dest=firewall)
 ESP with combined transform
 IP (source=outside firewall, dest=inner destination)
 AH alone OR ESP with combined transform
 inner IP/TCP, IP/UDP, TCP, UDP, etc.
>Has anyone implemented this?
My description above is implemented by the NRL source code if one configures a
"secure IPv4 tunnel" for the outer path and also the user requests ESP
tunnel-mode on the original packet.
>Are we really really sure any existing implementations correctly allow ESP
>inside ESP?
Gee, I hope not. ESP directly inside ESP is bogus.
Ran
rja@inet.org
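As an added illustration, not part of Ran's message or of the NRL code, the following Python check walks a header stack from the outer header inward, reports the SA mode each ESP or AH layer implies, and rejects ESP directly inside ESP as the message does; the function name and the layer labels are constructed for this example.

```python
# Added example (not from the original thread): validate the IPsec header
# layering described in the message. Layer labels and check_layering are
# constructed names for this example.
from typing import List, Tuple

IP, ESP, AH, TCP, UDP = "IP", "ESP", "AH", "TCP", "UDP"


def check_layering(stack: List[str]) -> Tuple[bool, List[str]]:
    """Walk a header stack outer-to-inner and report the SA modes it implies.

    Returns (ok, notes). Rules encoded from the message:
      * an IP header directly under ESP or AH means that SA is tunnel mode
      * any other header directly under ESP or AH means transport mode
      * ESP directly inside ESP is rejected ("bogus")
    """
    notes: List[str] = []
    if not stack or stack[0] != IP:
        return False, ["stack must start with an IP header"]
    for i, layer in enumerate(stack):
        if layer not in (ESP, AH):
            continue  # plain IP or transport header, nothing to check here
        if i + 1 >= len(stack):
            return False, notes + [f"{layer} at position {i} carries no payload"]
        inner = stack[i + 1]
        if layer == ESP and inner == ESP:
            return False, notes + ["ESP directly inside ESP rejected"]
        if inner == IP:
            notes.append(f"{layer} tunnel mode")  # next header is another IP header
        else:
            notes.append(f"{layer} transport mode")  # next header is the payload
    return True, notes


if __name__ == "__main__":
    # Constructed stacks: Ran's proposed layout, then the ESP-inside-ESP one.
    print(check_layering([IP, ESP, IP, AH, TCP]))
    print(check_layering([IP, AH, ESP, ESP, TCP]))
```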