
Re: SKIP and NAT




--- On Wed, 20 Aug 1997 10:45:11 -0400  Wei Xu <wei@tis.com> wrote:

> >I wonder if this is a "feature" of IPSEC, or a "bug" in Sun SKIP.  It
> >was suggested that the SKIP implementation may intentionally rewrite IP
> >headers with protocol 0 as a way to ensure that a "bad" packet gets
> >discarded.  I will have to research this further.
> 
> Looks to me. SKIP doesn't understand IP protocol 50 and 51 which is IPSec
> specific. During the translation SKIP puts protocol 0 to indicate
> unrecognized IP packets.

Most versions of "SKIP the product" from Sun do not normally use
"SKIP the KM protocol proposal for ESP/AH" made by Sun to the IETF.  
In particular, older versions of "SKIP the product" do not use or understand 
IPsec ESP/AH at all.  

Given the availability of real IPsec from multiple vendors (as was obvious
at Interop last May in LV), it isn't clear to me why anyone in the real world
would want to purchase/deploy any proprietary encryption scheme.  Certainly
I won't be doing so (We have IPsec in limited deployment now in a commercial
environment).

Since SKIP isn't IPsec, I suppose this note is off-topic so I'll probably
not comment further.

Ran
rja@inet.org


