[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re[2]: AH (without ESP) on a secure gateway

To: kent@bbn.com
Subject: Re: Re[2]: AH (without ESP) on a secure gateway
From: ho@earth.hpc.org (Hilarie Orman)
Date: Fri, 6 Dec 1996 11:54:42 -0500
Cc: ipsec@tis.com
In-reply-to: Yourmessage <199612050439.VAA19643@baskerville.CS.Arizona.EDU>
Sender: owner-ipsec@ex.tis.com

I think that authentication only is a valid use of ESP.  I had always
felt that the scope of the protection was more of a distinguishing factor
than the type of protection, when discussing AH vs. ESP.  This isn't a new
idea, it came up a couple of years ago.

I'm not sure why tunneling is an issue that requires special discussion.
If IPinIP is required, then tunneling follows naturally,

   IP[AH]*[ESP]*(IP[AH]*[ESP]*)*

is a direct corollary, and it is easy to implement.  As far as I know,
all IPSEC implementations can handle this on input (if all the SA's
are relevant to the current host), though generating complex
structures on output is a separate question (except for the hop-by-hop
enhancement schemes, such as firewalls).

If a packet has the form, 

   IP(s,d)AH(spi)...

then the header is validated iff

	1. (d, spi) maps to a security association known at the current host
	and
	2. The security policy of the current host requires validation of
	this header (e.g., the first header of the packet).

and the AH header is removed after validation iff

	1. The current host is the destination
	or
	2. The security policy of the current host requires removal

These rules are applied as often as necessary to process a packet.  The
same rules apply when ESP is the current "next protocol".

Hilarie

Prev by Date: Replay counter sizes: AH vs ESP -Reply
Next by Date: Re: ANNOUNCEMENT: 1997 RSA Data Security Conference
Prev by thread: Re: Re[2]: AH (without ESP) on a secure gateway
Next by thread: Re: AH (without ESP) on a secure gateway
Index(es):
- Main
- Thread