
Re: AH (without ESP) on a secure gateway



> This is more an implementation issue rather than a standards issue.  If you
> have an IPSEC-compliant firewall, then ESP Transport Mode could be used for
> firewall-to-firewall encryption.  Vendors should note in their
> documentation about possible problems and issues with this mode for
> firewall-to-firewall communications.  

There may be a terminology clash here.  By "firewall", do you mean
"filtering border router" or "application-layer gateway" or what?

I know I'm repeating myself (and others), but I think we've
(re)established over the past few days that performing transport-mode
ESP or AH encapsulation/decapsulation in a router is problematic.

If the end systems are also using ESP and AH, both the receiving end
system and the receiving router could allocate the same numeric SPI
and there wouldn't be an unambiguous interpretation of each packet.

This would impede deployment of end-to-end ESP/AH, and I think that's
reason enough to specify that configuration as a "SHOULD NOT" or "MUST
NOT".

					- Bill
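The SPI ambiguity Bill describes, as an added illustration that is not part of the original message. It models a host and a router that each keep an inbound Security Association Database looked up by the (destination address, protocol, SPI) triple the IPsec architecture specs use to identify a unicast SA. A router applying transport-mode ESP between two gateways keeps the end systems' addresses in the IP header, so its inbound SA is keyed on the end system's address; if the end system independently picks the same SPI for its own end-to-end SA, the router's lookup matches the end-to-end packet and fails it under the wrong keys. Tunnel mode changes the outer destination, so the keys differ even when the SPIs coincide. Addresses, SPI values, keys and the packet layout are constructed for the example.

```python
"""Toy model of the SPI-collision problem raised in the message above.

Added example, not code from the original post.  Addresses, SPI values,
keys and the packet layout are all constructed for illustration.  The
inbound SA lookup uses the (destination address, protocol, SPI) triple
that the IPsec architecture specs use to identify a unicast SA.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50   # IP protocol number for ESP
TCP = 6


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    spi: Optional[int]       # None unless proto == ESP
    body: bytes              # payload, or the whole inner packet in tunnel mode
    icv: bytes = b""         # integrity check value over body


@dataclass
class SA:
    key: bytes               # stand-in for the real SA keys
    mode: str                # "transport" or "tunnel"


def icv(key: bytes, body: bytes) -> bytes:
    """Stand-in for ESP's authenticator: a keyed hash over the body."""
    return hashlib.sha256(key + body).digest()[:12]


def protect(sa: SA, spi: int, inner: Packet,
            outer_src: str = "", outer_dst: str = "") -> Packet:
    """Apply ESP to `inner` using `sa`.  Transport mode keeps the inner IP
    header; tunnel mode wraps the whole packet in a new outer header."""
    if sa.mode == "transport":
        return Packet(inner.src, inner.dst, ESP, spi, inner.body,
                      icv(sa.key, inner.body))
    body = f"{inner.src}>{inner.dst}|".encode() + inner.body
    return Packet(outer_src, outer_dst, ESP, spi, body, icv(sa.key, body))


class Node:
    """A host or router with an inbound Security Association Database."""

    def __init__(self, addr: str) -> None:
        self.addr = addr
        self.sad: Dict[Tuple[str, int, int], SA] = {}

    def add_inbound_sa(self, dst: str, spi: int, sa: SA) -> None:
        self.sad[(dst, ESP, spi)] = sa

    def receive(self, pkt: Packet) -> str:
        """Decide what to do with an arriving packet.  Returns one of
        'delivered', 'forwarded', 'decapsulated' or 'dropped'."""
        sa = self.sad.get((pkt.dst, pkt.proto, pkt.spi))
        if sa is None:
            # No SA for this triple: either it is for us in the clear,
            # or it is somebody else's packet and we just route it on.
            return "delivered" if pkt.dst == self.addr else "forwarded"
        # The triple matched one of *our* SAs, so we must process it here.
        if icv(sa.key, pkt.body) != pkt.icv:
            return "dropped"        # authentication failure under our keys
        return "decapsulated"


# Constructed topology: host A behind router R1, host B behind router R2.
A, B, R1, R2 = "10.0.0.2", "10.0.1.2", "192.0.2.1", "192.0.2.2"


def router_behaviour(router_mode: str, host_spi: int,
                     router_spi: int) -> Tuple[str, str]:
    """Build R2's SAD for an R1->R2 SA in `router_mode`, then hand R2 both
    the router-to-router protected packet and an end-to-end A->B packet
    whose SPI was allocated by B.  Returns (own packet, end-to-end packet)."""
    host_sa = SA(key=b"key chosen by B", mode="transport")
    router_sa = SA(key=b"key chosen by R2", mode=router_mode)
    r2 = Node(R2)
    # In transport mode the protected packet still carries dst=B, so R2's
    # inbound SA has to be keyed on B's address rather than its own.
    sa_dst = B if router_mode == "transport" else R2
    r2.add_inbound_sa(sa_dst, router_spi, router_sa)

    clear = Packet(A, B, TCP, None, b"GET / HTTP/1.0")
    own = protect(router_sa, router_spi, clear, outer_src=R1, outer_dst=R2)
    end_to_end = protect(host_sa, host_spi, clear)
    return r2.receive(own), r2.receive(end_to_end)


if __name__ == "__main__":
    print("transport, same SPI :", router_behaviour("transport", 0x1234, 0x1234))
    print("transport, diff SPI :", router_behaviour("transport", 0x1234, 0x5678))
    print("tunnel,    same SPI :", router_behaviour("tunnel", 0x1234, 0x1234))
```

With router-to-router transport mode and colliding SPIs the end-to-end packet is dropped at R2, because the triple matches R2's SA and the authenticator fails under R2's keys; the only thing keeping the two SAs apart is that B and R2, who never coordinate, happened to pick different SPIs. With tunnel mode the outer destination is R2 itself, so the end-to-end packet never matches R2's SAD and is forwarded regardless of the SPI B chose.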

