[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Question on Extension Header Order

To: ipng@sunroof.eng.sun.com, ipsec@tis.com
Subject: Re: Question on Extension Header Order
From: Ran Atkinson <rja@inet.org>
Date: Sun, 10 Aug 97 16:20:42 GMT Daylight Time
References: <199708101343.JAA29980@relay.hq.tis.com>
Sender: owner-ipsec@ex.tis.com


Charles Lynn made an important observation.  To followup...

In IPv6-land, I believe that IPsec AH should appear before (outside)
ESP.  If one desires both integrity/authentication and confidentiality
on data contained by IPsec ESP, then one should use an ESP transform that
incorporates those features. [1]  IPsec AH inside ESP is incapable of
providing the intended protections (namely: to protect the invariant
fields of the IPv6 header in addition to the upper-protocol data).

To the extent that the current IPsec drafts do not say this, I believe
those drafts would be technically flawed.  I would be interested in hearing
what other IPv6 IPsec implementers believe, if there are any other
IPv6 IPsec implementers.

Ran
rja@inet.org


[1] Because of the published attack in [Bellovin96], I personally am of
    the opinion that ESP should _always_ require an integrated strong
    integrity/authentication mechanism.

References:

Question on Extension Header Order

From: Charles Lynn <clynn@bbn.com>

Prev by Date: Re: new/pending/delayed work items
Next by Date: Re: Internet Governance
Prev by thread: Question on Extension Header Order
Next by thread: Re: Internet Governance
Index(es):
- Main
- Thread