[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

order/nesting of IPsec headers (transport mode)



Folks,

Recent email has raised the question of what order/nesting of IPsec
headers should be supported in transport mode.  In general, we've been
assuming that ONLY the combinations of IPsec headers listed as 1-3 below
should occur in transport mode.  ("above" = higher in the protocol
stack, "below" = lower in the protocol stack.  So, for example, TCP is
"above" IP):

	1. AH only
	2. ESP only
	3. ESP above AH (i.e., in the outbound direction, do ESP processing,
                         then do AH processing)

What is the sense of this community with regard to other combinations,
e.g.,:

	4. AH above ESP (i.e., authenticate first, then encrypt)
	5. AH above AH 
	6. ESP above ESP
	7. AH above AH above ESP
	8. AH above ESP above AH
	9. etc.

Should support for any of these be mandated? allowed? forbidden?

Thank you,
Karen




Follow-Ups: