
Re: (IPng 4316) Question on Extension Header Order



> From: Charles Lynn <clynn@BBN.COM>
> 
> I noticed that the recommended order of extension headers shown in section
> 4.1 has changed...  My question is why the order of the Authentication
> header and the Encapsulating Security Payload header were switched.

Because I got confused.  The new ESP draft (draft-ietf-ipsec-esp-v2-00.txt)
says on page 8, 2nd paragraph, that the ESP header should precede the AH
header, so I concluded that the ipsec wg had changed their recommended
order.  When I went looking for the ipsec architecture draft to find
out what the real story was, all I found was draft-ietf-ipsec-arch-sec-01.txt
which contains only the note saying that that draft has expired.

I now see that the new AH draft (draft-ietf-ipsec-auth-header-01.txt) says
on page 6, 3rd paragraph, that the AH header should precede the ESP header,
so the AH and ESP documents appear to be contradictory (looks like a simple
editing error, when moving text from one document to the other).

It is still the case that there is no ipsec-arch document in the internet-drafts
directory.  I guess the editors missed the pre-IETF drafts deadline.
I have been informed that a new arch draft was posted to the ipsec list,
but that doesn't help those of us ipngwg folks who are not on the ipsec
list.

Anyway, from reading the new ESP draft, it looks like the ipsec wg prefers
receivers to do authentication first, then decryption, in the case where
both functions are bundled into ESP.  So I would guess that, in the
unbundled case (i.e., separate AH and ESP headers), AH should normally
precede ESP, as you suggest.  So, unless I hear otherwise, I will undo the
change I made in the new IPv6 draft.  (Though it certainly seems
counterintuitive to me: after all, it's the integrity of the plaintext that a
receiver cares about, not the integrity of the gibberish.)

> I suggest changing note 2 to:
> 
>            note 2: the order of the two security headers is based on
>                    security policy.  Additional recommendations
>                    regarding the relative order of the Authentication
>                    and Encapsulating Security Payload headers are given
>                    in [draft-ietf-ipsec-arch-sec-01.txt],

I'll consider this change once I have a chance to read the ipsec-arch
draft, to see what it actually says.  (Actually, a friendly ipsec-er
emailed me a copy of that document yesterday, but I've been too busy at
IETF to read it yet.)

Steve
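An added illustration, not part of Steve's message or of either draft, of the receiver-side order the message describes: with AH placed before ESP, the receiver verifies the AH ICV over the ESP payload first and decrypts only afterwards, so a ciphertext modified in transit is dropped before ESP processing starts. The packet layout, keys and toy keystream cipher are constructed for this example and are not the AH or ESP wire formats.

```python
import hmac
import hashlib


def _keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from a keyed hash; stands in for ESP's
    # cipher so the example runs offline. Constructed, not for real use.
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_ah_then_esp(auth_key: bytes, enc_key: bytes, plaintext: bytes) -> dict:
    # Sender: encrypt into the ESP payload, then compute the AH ICV over the
    # ciphertext, matching the header order IPv6 -> AH -> ESP.
    esp_payload = _xor(plaintext, _keystream(enc_key, len(plaintext)))
    ah_icv = hmac.new(auth_key, esp_payload, hashlib.sha256).digest()
    return {"ah_icv": ah_icv, "esp_payload": esp_payload}


def receive_ah_then_esp(auth_key: bytes, enc_key: bytes, pkt: dict, log: list):
    # Receiver walks the headers in order: AH (authenticate) then ESP (decrypt).
    # A modified ciphertext is rejected before any decryption is attempted.
    expected = hmac.new(auth_key, pkt["esp_payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt["ah_icv"]):
        log.append("AH: ICV mismatch, dropped before ESP processing")
        return None
    log.append("AH: ICV verified")
    plaintext = _xor(pkt["esp_payload"], _keystream(enc_key, len(pkt["esp_payload"])))
    log.append("ESP: payload decrypted")
    return plaintext


def demo() -> tuple:
    # Constructed keys and payload; one packet delivered intact, one with a
    # single ciphertext bit flipped in transit.
    auth_key, enc_key = b"constructed-auth-key", b"constructed-enc-key"
    pkt = build_ah_then_esp(auth_key, enc_key, b"hello ipngwg")
    good_log, bad_log = [], []
    good = receive_ah_then_esp(auth_key, enc_key, pkt, good_log)
    flipped = bytearray(pkt["esp_payload"])
    flipped[0] ^= 0x01
    bad = receive_ah_then_esp(auth_key, enc_key,
                              {"ah_icv": pkt["ah_icv"], "esp_payload": bytes(flipped)}, bad_log)
    return good, good_log, bad, bad_log
```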
