[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re[2]: AH (without ESP) on a secure gateway

To: "Whelan, Bill" <bwhelan@nei.com>
Subject: Re: Re[2]: AH (without ESP) on a secure gateway
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Date: Mon, 02 Dec 1996 16:23:37 -0500
Cc: kent@bbn.com, ho@earth.hpc.org (Hilarie Orman), ipsec@tis.com
In-Reply-To: bwhelan's message of Mon, 02 Dec 1996 12:43:17 -0500. <9611028495.AA849563882@netx.nei.com>
Sender: owner-ipsec@ex.tis.com

> >But this potential conflict is not necessarily fatal, is it?  Assuming 
> >cooperating firewalls, the conflict can exist and be irrelevant.  The 
> >firewalls unwrap outer headers according to their notions of the SA 
> >mappings, and the end hosts unwrap inner headers according to their 
> >notions.  Conflicts are invisible as long as the firewalls are in 
> >place.
> 
> Outer headers and inner headers?  Per RFC1826, the Authentication Header 
> sits between the IP header and the upper layer protocol.  It appears the 
> same whether it's inserted by the host system or the gateway.

Hmm.  Which "protocol tower" are we talking about, anyhow?

	IP[H1->H2],AH[R1->R2],...

or

	IP[R1->R2],AH[R1->R2],IP[H1->H2],...

(R1,R2 are routers, H1,H2 are hosts; the problem is only interesting
if we assume H2 != R2).

The latter case has "outer headers" and "inner headers".

I can see ways of making the former case "work" when H2 doesn't do AH,
but if H2 does, you have to worry about SPI collisions between the
ones assigned by H2 and the ones assigned by R2..

					- Bill

References:

Re[2]: AH (without ESP) on a secure gateway

From: "Whelan, Bill" <bwhelan@nei.com>

Prev by Date: IPSEC Agenda
Next by Date: Re: AH (without ESP) on a secure gateway
Prev by thread: Re[2]: AH (without ESP) on a secure gateway
Next by thread: Re: Re[2]: AH (without ESP) on a secure gateway
Index(es):
- Main
- Thread