[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Authentication using ESP in Transport Mode

To: ipsec@TIS.COM
Subject: Re: Authentication using ESP in Transport Mode
From: Ran Atkinson <rja@cisco.com>
Date: Wed, 17 Jul 1996 08:47:55 -0700
In-Reply-To: <9607170514.AA07071@maildig1.us.oracle.com>
Organization: cisco Systems, Inc., Menlo Park, Ca.
Sender: ipsec-approval@neptune.tis.com

Earlier, Ran wrote:
>>Gee, I hope not.  ESP directly inside ESP is bogus.   
>> 
>>Ran 

In article <9607170514.AA07071@maildig1.us.oracle.com> Paul wrote:
> 
>Hummm ... no, ESP inside ESP should be a fairly common case when two 
>workstations with ESP communicate through two encrypting firewalls using ESP.
> 
>I assume that you were thinking of ESP inside ESP with no intermedate 
>encrypting systems as a bogus example... 
> 
> 
>Paul 

Paul,

  I believe there was a communication gap, rather than a substantive technical
difference between what you mention and what I said.  Referring back to the
original set of notes below, please examine the area I've marked at the left
margin with "*" first to make clear what my comment quoted above was
referring to.

  It is bogus for a packet to be of the form: 
	[IP, s->d][ESP][ESP][ULP or IP]

  The case you mention (End-to-End encryption while traversing an encrypted
tunnel between two intermediate systems (e.g. routers or firewalls))
will have tunnel-mode ESP packets of the form:
	[IP, fw1->fw2][ESP][IP, s->d][ESP][ULP or IP]

where: 
  fw1,fw2 are addresses of the intermediate encryptors and the arrow separates
the source from the destination.
  s,d are the ultimate source and destination workstations that are also
ESP-capable.
  ULP == upper-layer protocol (e.g. TCP, UDP, ICMP)

Regards,

Ran
rja@cisco.com  

>--Boundary-22345810-0-0
>Content-Type: message/rfc822
>
>Date: 10 Jul 96 13:07:31
>From:"Ran Atkinson " <ipsec-approval@neptune.tis.com>
>To: ipsec@tis.com
>Subject: Re: Authentication using ESP in Transport Mode
>X-Orcl-Application: Newsgroups: cisco.external.ietf.ipsec
>X-Orcl-Application: In-Reply-To: <9607101438.AA00827@wellspring.us.dg.com>
>X-Orcl-Application: Organization: cisco Systems, Inc., Menlo Park, Ca.
>X-Orcl-Application: Sender: ipsec-approval@neptune.tis.com
>X-Orcl-Application: Precedence: bulk
>
>
>Someone wrote:
>>The packets would be:
>>
*   IPv4                           ...outer header as it travels the net
*     AH                           ...is this needed?
*       ESP                        ...for firewall/tunnel
*         ESP                      ...for remote to internal node
*           original TCP/UDP/etc.  ...real data.
>
>I don't think so.  I was thinking more like:
>
>	IP (source=outside firewall, dest=firewall)
>	ESP with combined transform
>	IP (source=outside firewall, dest=inner destination) 
>	AH alone OR ESP with combined transform
>	inner IP/TCP, IP/UDP, TCP, UDP, etc.
>	
>>Has anyone implemented this?
>
>My description above is implemented by the NRL source code if one configures a
>"secure IPv4 tunnel" for the outer path and also the user requests ESP
>tunnel-mode on the original packet.
>
>>Are we really really sure any existing implementations correctly allow ESP
>>inside ESP?
>
>Gee, I hope not.  ESP directly inside ESP is bogus.  
>
>Ran
>rja@inet.org
>
>
>
>--Boundary-22345810-0-0--

References:

Re: Authentication using ESP in Transport Mode

From: "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com>

Prev by Date: Re: Authentication using ESP in Transport Mode
Next by Date: No Subject
Prev by thread: Re: Authentication using ESP in Transport Mode
Next by thread: Re: Authentication using ESP in Transport Mode
Index(es):
- Main
- Thread