
Re: AH in tunnel mode



> I would like to know what people think about AH in tunnel mode. Ran
> suggested that I post this to the list to evoke some discussion and then add
> the following text either in the AH spec or write an informational document
> on using IPSec to build VPN's.

Is tunnelled AH prohibited anywhere? i.e.:

	IP[fw1,fw2] | AH | IP[src,dst] | ULP

Since AH has a "next hop protocol" field, and a valid protocol is IP
(protocol #4), this should work fine (It does in my code :-).

Personally, I've *never* understood the emphasis placed on "Transport mode"
vs. "Tunnel mode". There already exists a separate IP in IP document;
adding AH and/or ESP between the two IP headers was obvious to me.

I understand that specific security issues arise with this configuration,
but those should be listed, IMHO, as an implementation note, instead of
separating out IP from every other possible "next hop" protocol in the
standards.

Maybe I'm just missing something obvious. If so, I beg enlightenment...

-- 
C. Harald Koch          | Border Network Technologies Inc.
chk@border.com          | Senior System Developer
+1 416 368 7157 (voice) | 20 Toronto Street, Suite 400, Toronto ON M5C 2B8
+1 416 368 7789 (fax)   | Madness takes its toll. Please have exact change.
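The layout sketched above, IP[fw1,fw2] | AH | IP[src,dst] | ULP, worked through as an added example; this is not code from the post or from Border's implementation. It assumes the AH header layout with a sequence number (as in RFC 2402), a 96-bit truncated HMAC-SHA-1 ICV, IPv4 headers without options, and constructed addresses, key and payload. The outer header's Protocol is 51 (AH) and the AH Next Header is 4 (IP in IP); the ICV covers the outer header with its mutable fields zeroed, the AH header with the ICV zeroed, and the entire inner packet, so a hop-by-hop TTL change still verifies while any change to the inner addresses does not.

```python
"""AH in tunnel mode: IP[fw1,fw2] | AH | IP[src,dst] | ULP (constructed example)."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4    # "IP in IP": the AH Next Header value that makes this tunnel mode
IPPROTO_AH = 51     # the outer IP header's Protocol field points at AH
IPPROTO_UDP = 17
ICV_LEN = 12        # HMAC-SHA-1-96 (assumption for this example)


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words, as used for the IPv4 header checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields a router may change in transit (TOS, flags/fragment offset, TTL,
    checksum) so they do not take part in the ICV. Options are assumed absent."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH fixed part followed by the ICV. Payload Len is the AH length in 32-bit words minus 2."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def build_ah_tunnel(key, spi, seq, outer_src, outer_dst, inner_src, inner_dst, inner_proto, ulp):
    """Encapsulate an inner IP packet: outer IP | AH(next=4) | inner IP | ULP."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(ulp)) + ulp
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_AH, 12 + ICV_LEN + len(inner))
    # Authenticated region: outer header (mutable fields zeroed), AH with ICV zeroed, whole inner packet
    authed = zero_mutable(outer) + ah_header(IPPROTO_IPIP, spi, seq, b"\x00" * ICV_LEN) + inner
    icv = hmac.new(key, authed, hashlib.sha1).digest()[:ICV_LEN]
    return outer + ah_header(IPPROTO_IPIP, spi, seq, icv) + inner


def verify_ah_tunnel(packet: bytes, key: bytes):
    """Check the ICV and return (spi, seq, inner packet); raise ValueError on any failure."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if outer[9] != IPPROTO_AH:
        raise ValueError("outer Protocol is not AH")
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[ihl:ihl + 12])
    ah_len = (payload_len + 2) * 4
    icv = packet[ihl + 12:ihl + ah_len]
    inner = packet[ihl + ah_len:]
    authed = zero_mutable(outer) + packet[ihl:ihl + 12] + b"\x00" * len(icv) + inner
    expected = hmac.new(key, authed, hashlib.sha1).digest()[:len(icv)]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("AH ICV mismatch")
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("AH Next Header is not IP in IP; not tunnel mode")
    return spi, seq, inner


def demo():
    """Build one tunnelled packet, then show what the ICV does and does not cover."""
    key = b"\x0b" * 20                      # constructed key
    ulp = b"hello over the vpn"             # constructed upper-layer payload
    pkt = build_ah_tunnel(key, 0x100, 1, "192.0.2.1", "198.51.100.1",
                          "10.0.0.5", "10.1.0.9", IPPROTO_UDP, ulp)
    _, _, inner = verify_ah_tunnel(pkt, key)
    ihl = (pkt[0] & 0x0F) * 4
    # A router between fw1 and fw2 decrements TTL and refreshes the checksum: both mutable, still verifies
    hop = bytearray(pkt)
    hop[8] -= 1
    hop[10:12] = b"\x00\x00"
    hop[10:12] = struct.pack("!H", ipv4_checksum(bytes(hop[:ihl])))
    ok_after_hop = verify_ah_tunnel(bytes(hop), key)[2] == inner
    # Rewriting the inner destination (covered by the ICV) must be detected
    tampered = bytearray(pkt)
    off = ihl + 12 + ICV_LEN + 16
    tampered[off:off + 4] = socket.inet_aton("10.1.0.66")
    try:
        verify_ah_tunnel(bytes(tampered), key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return pkt, inner, ok_after_hop, tamper_detected


if __name__ == "__main__":
    p, i, hop_ok, detected = demo()
    print(len(p), hop_ok, detected)
```

The only thing that distinguishes this from a transport-mode AH packet is the Next Header byte in AH (4 instead of, say, 17) and the fact that the authenticated region happens to begin with a second IP header; the receiver that strips AH simply hands the remainder to its IP-in-IP decapsulation. Note that in this configuration the outer addresses are authenticated only up to the mutable fields, while the inner addresses are fully covered.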

