Re: Question on Extension Header Order
Charles Lynn made an important observation. To follow up...
In IPv6-land, I believe that IPsec AH should appear before (outside)
ESP. If one desires both integrity/authentication and confidentiality
on data contained by IPsec ESP, then one should use an ESP transform that
incorporates those features. [1] IPsec AH inside ESP is incapable of
providing the intended protections (namely: to protect the invariant
fields of the IPv6 header in addition to the upper-protocol data).
To the extent that the current IPsec drafts do not say this, I believe
those drafts would be technically flawed. I would be interested in hearing
what other IPv6 IPsec implementers believe, if there are any other
IPv6 IPsec implementers.
Ran
rja@inet.org
[1] Because of the published attack in [Bellovin96], I personally am of
the opinion that ESP should _always_ require an integrated strong
integrity/authentication mechanism.