
Re: AH (without ESP) on a secure gateway



Hilarie,

	Another thought on multiple instances of AH in a single packet.  In
the current spec, the inclusion of another header would violate the
positioning requirement, which calls for AH (as an option in IPv4) to come
directly after the IP header.  The "second" AH option would not be directly
after the header; it would be after the first AH option. Hence I had never
envisioned multiple AH options/payloads as being compliant.   Also, note that
the computation of the AH integrity check value is complicated by the need
to consider some header fields as zero during the computation.  The ESP
computation, in a tunnel mode context, would be simpler and faster, making
it more attractive for a firewall.

Steve
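
The following is an added illustration, not part of the original message: a sketch of the zero-before-MAC step that AH requires and that ESP tunnel-mode authentication avoids. The mutable-field list (TOS, flags/fragment offset, TTL, header checksum) and the AH header layout follow the later RFC 2402, and HMAC-SHA1-96 is used as the integrity algorithm; all three are assumptions, and the key, addresses and checksum values are constructed samples.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"          # constructed sample key
PAYLOAD = b"constructed upper-layer data"
# AH header with the ICV field zeroed for the computation (RFC 2402 layout):
# next header=6, payload len=4, reserved, SPI, sequence number, 12-byte ICV.
AH_ZERO_ICV = struct.pack("!BBHII12s", 6, 4, 0, 0x1001, 1, b"\x00" * 12)

def ipv4_header(ttl, checksum, src=bytes([192, 0, 2, 1]), tos=0):
    """Build a 20-byte IPv4 header (protocol 51 = AH); sample addresses."""
    total_len = 20 + len(AH_ZERO_ICV) + len(PAYLOAD)
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0,
                       ttl, 51, checksum, src, bytes([198, 51, 100, 2]))

def zero_mutable(hdr):
    """Zero the IPv4 fields that routers may change in transit."""
    h = bytearray(hdr)
    h[1] = 0              # TOS
    h[6:8] = b"\x00\x00"  # flags + fragment offset
    h[8] = 0              # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)

def ah_icv(ip_hdr, zero=True):
    """AH ICV: MAC over the IP header, the AH header and the payload."""
    covered = zero_mutable(ip_hdr) if zero else ip_hdr
    mac = hmac.new(KEY, covered + AH_ZERO_ICV + PAYLOAD, hashlib.sha1)
    return mac.digest()[:12]

def esp_icv(esp_hdr_to_trailer):
    """ESP ICV: MAC over the ESP header through trailer only. The outer IP
    header is not an input, so no field has to be zeroed first."""
    return hmac.new(KEY, esp_hdr_to_trailer, hashlib.sha1).digest()[:12]

def verify_ah(received_hdr, received_icv):
    """Receiver-side check, using a constant-time comparison."""
    return hmac.compare_digest(ah_icv(received_hdr), received_icv)

if __name__ == "__main__":
    sent = ipv4_header(ttl=64, checksum=0xAAAA)
    hop = ipv4_header(ttl=63, checksum=0xABAA)   # after one router hop
    print("AH verifies after TTL change:", verify_ah(hop, ah_icv(sent)))
```
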



