
Re: Authentication using ESP in Transport Mode



Someone wrote:
>The packets would be:
>
>   IPv4                           ...outer header as it travels the net
>     AH                           ...is this needed?
>       ESP                        ...for firewall/tunnel
>         ESP                      ...for remote to internal node
>           original TCP/UDP/etc.  ...real data.

I don't think so.  I was thinking more like:

	IP (source=outside firewall, dest=firewall)
	ESP with combined transform
	IP (source=outside firewall, dest=inner destination) 
	AH alone OR ESP with combined transform
	inner IP/TCP, IP/UDP, TCP, UDP, etc.
	
>Has anyone implemented this?

My description above is implemented by the NRL source code if one configures a
"secure IPv4 tunnel" for the outer path and also the user requests ESP
tunnel-mode on the original packet.

>Are we really really sure any existing implementations correctly allow ESP
>inside ESP?

Gee, I hope not.  ESP directly inside ESP is bogus.  

Ran
rja@inet.org
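To make the two header stacks in this exchange concrete, here is an added example (not code from the post or from the NRL implementation) that models the nesting Ran proposes, flags the ESP-directly-inside-ESP layering he calls bogus, and works out which layers end up encrypted and authenticated. The protocol numbers are the real IANA values; the stacks, the coverage rules (ESP with a combined transform protects everything after it, AH authenticates everything after it plus the immutable fields of the preceding IP header) and the check itself are constructed here.

```python
# Model of the nested IPsec header stacks discussed in the post (constructed example).
IPIP, TCP, UDP, ESP, AH = 4, 6, 17, 50, 51          # IANA IP protocol numbers
NAME = {IPIP: "IP", TCP: "TCP", UDP: "UDP", ESP: "ESP", AH: "AH"}

# Ran's stack: outer IP, ESP (combined transform) for the firewall tunnel,
# inner IP, AH or a second ESP for the end-to-end leg, then the transport payload.
RAN_STACK_AH = [IPIP, ESP, IPIP, AH, TCP]
RAN_STACK_ESP = [IPIP, ESP, IPIP, ESP, TCP]
# The layering he rejects: an ESP header whose next header is another ESP.
ESP_IN_ESP = [IPIP, ESP, ESP, TCP]

def describe(stack):
    """Render the stack the way the post writes it, outermost first."""
    return "/".join(NAME[p] for p in stack)

def coverage(stack):
    """Return (name, #encrypting layers, #authenticating layers) per header.
    Assumed rules: ESP with a combined transform encrypts and authenticates all
    later layers; AH authenticates all later layers and the IP header before it."""
    enc = [set() for _ in stack]
    auth = [set() for _ in stack]
    for i, proto in enumerate(stack):
        if proto == ESP:
            for j in range(i + 1, len(stack)):
                enc[j].add(i)
                auth[j].add(i)
        elif proto == AH:
            for j in range(i + 1, len(stack)):
                auth[j].add(i)
            if i > 0 and stack[i - 1] == IPIP:
                auth[i - 1].add(i)
    return [(NAME[p], len(enc[i]), len(auth[i])) for i, p in enumerate(stack)]

def problems(stack):
    """Nesting rules taken from the post: IP outermost, a transport payload
    innermost, and never an ESP header directly inside another ESP."""
    out = []
    if stack[0] != IPIP:
        out.append("outermost header is not IP")
    if stack[-1] not in (TCP, UDP):
        out.append("stack does not end in a transport payload")
    for i in range(len(stack) - 1):
        if stack[i] == ESP and stack[i + 1] == ESP:
            out.append(f"layer {i}: ESP directly inside ESP")
    return out

if __name__ == "__main__":
    for s in (RAN_STACK_AH, RAN_STACK_ESP, ESP_IN_ESP):
        print(describe(s), problems(s) or "ok")
        for name, e, a in coverage(s):
            print(f"  {name:4} encrypted by {e} layer(s), authenticated by {a} layer(s)")
```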


