
Re: AH in tunnel mode



On Tue, 20 Aug 1996, Naganand Doraswamy wrote:

> I would like to know what people think about AH in tunnel mode. Ran
> suggested that I post this to the list to evoke some discussion and then add
> the following text either in the AH spec or write an informational document
> on using IPSec to build VPN's.
> 

I believe tunnel mode in AH should be supported for the same reasons it is 
supported in ESP. However, the existing drafts/RFCs should be made clear in 
this area. Specifically, the following should be removed from 
the architecture draft:

        "While the Authentication Header might be implemented by a 
         security  gateway on behalf of hosts on a trusted network behind 
         that security gateway, this mode of operation is not encouraged."

Tunnel mode in ESP is explicitly discussed in the drafts while the
AH documents seem to focus on "upper protocols". I vote for changing this.

Dan

Dan Frommer     |  Voice: +972-3-645-5396  |  Email: dan@radguard.com
RADGUARD, Ltd.  |    Fax: +972-3-648-0859  |


