> Gee, I hope not. ESP directly inside ESP is bogus.
>
> Ran

Hummm ... no, ESP inside ESP should be a fairly common case when two
workstations with ESP communicate through two encrypting firewalls using
ESP. I assume that you were thinking of ESP inside ESP with no
intermediate encrypting systems as a bogus example...

Paul
--------------------------------------------------------------
Paul Lambert                          Director of Security Products
Oracle Corporation                    Phone: (415) 506-0370
500 Oracle Parkway, Box 659410        Fax: (415) 413-2963
Redwood Shores, CA 94065              palamber@us.oracle.com
!!! Still hiring, send resumes to: palamber@us.oracle.com !!!
--------------------------------------------------------------
-- BEGIN included message
- To: ipsec@tis.com
- Subject: Re: Authentication using ESP in Transport Mode
- From: "Ran Atkinson " <ipsec-approval@neptune.tis.com>
- Date: 10 Jul 96 13:07:31
Someone wrote:
> The packets would be:
>
> IPv4 ...outer header as it travels the net
> AH ...is this needed?
> ESP ...for firewall/tunnel
> ESP ...for remote to internal node
> original TCP/UDP/etc. ...real data.

I don't think so. I was thinking more like:

IP (source=outside firewall, dest=firewall)
ESP with combined transform
IP (source=outside firewall, dest=inner destination)
AH alone OR ESP with combined transform
inner IP/TCP, IP/UDP, TCP, UDP, etc.

> Has anyone implemented this?

My description above is implemented by the NRL source code if one configures a "secure IPv4 tunnel" for the outer path and also the user requests ESP tunnel-mode on the original packet.

> Are we really really sure any existing implementations correctly allow ESP
> inside ESP?

Gee, I hope not. ESP directly inside ESP is bogus.

Ran
rja@inet.org
-- END included message
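The header stack Ran lays out above (an end-to-end ESP-protected packet carried inside a firewall-to-firewall ESP tunnel), walked along the path Paul describes, as an added Python model that is not code from this thread or from the NRL implementation. It assumes constructed SPIs, keys and node names, and uses HMAC-SHA256 integrity only as a stand-in for a combined transform, so the nesting stays visible; the point is the per-SA encapsulation and decapsulation order at each node, not ESP's wire format.

```python
import hashlib
import hmac
import json

# Constructed security-association database keyed by SPI: (tunnel src, tunnel dst, key).
# HMAC-SHA256 stands in for ESP's combined transform; this models layering, not real ESP.
SA_DB = {
    0x1000: ("ws-a", "ws-b", b"constructed-end-to-end-key"),  # workstation to workstation
    0x2000: ("fw-a", "fw-b", b"constructed-firewall-key"),    # firewall to firewall
}


def _icv(key, spi, body):
    return hmac.new(key, spi.to_bytes(4, "big") + body, hashlib.sha256).hexdigest()


def esp_encap(pkt, spi):
    """Wrap pkt in a new outer IP header plus an ESP header for the SA identified by spi."""
    src, dst, key = SA_DB[spi]
    body = json.dumps(pkt).encode()
    return {"src": src, "dst": dst, "proto": "ESP", "spi": spi,
            "body": body.hex(), "icv": _icv(key, spi, body)}


def esp_decap(pkt, node):
    """At node, strip one ESP layer only if the outer header is addressed to this node."""
    if pkt["proto"] != "ESP" or pkt["dst"] != node:
        return pkt                      # not ours to open; forward unchanged
    _, _, key = SA_DB[pkt["spi"]]       # SA lookup by SPI
    body = bytes.fromhex(pkt["body"])
    if not hmac.compare_digest(_icv(key, pkt["spi"], body), pkt["icv"]):
        raise ValueError("ICV check failed for SPI %#x" % pkt["spi"])
    return json.loads(body)


def header_stack(pkt):
    """List the nested headers outermost first (the model does not encrypt, so it can peek)."""
    layers = []
    while pkt["proto"] == "ESP":
        layers.append("IP(%s->%s)/ESP(spi=%#x)" % (pkt["src"], pkt["dst"], pkt["spi"]))
        pkt = json.loads(bytes.fromhex(pkt["body"]))
    return layers + ["IP(%s->%s)/%s" % (pkt["src"], pkt["dst"], pkt["proto"])]


def traverse(payload):
    """Carry payload along ws-a -> fw-a -> fw-b -> ws-b, recording the header stack per link."""
    trace = {}
    p = esp_encap(payload, 0x1000)      # ws-a applies the end-to-end ESP tunnel
    trace["ws-a->fw-a"] = header_stack(p)
    p = esp_encap(p, 0x2000)            # fw-a wraps it again: ESP inside ESP on the wire
    trace["fw-a->fw-b"] = header_stack(p)
    p = esp_decap(p, "fw-b")            # fw-b strips its own SA, and only that one
    trace["fw-b->ws-b"] = header_stack(p)
    return trace, esp_decap(p, "ws-b")  # ws-b removes the inner layer
```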