
Re: order/nesting of IPsec headers (transport mode)



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Karen" == Karen Seo <kseo@bbn.com> writes:

    Karen> Folks,

    Karen> Recent email has raised the question of what order/nesting
    Karen> of IPsec headers should be supported in transport mode.  In
    Karen> general, we've been assuming that ONLY the combinations of

  I think this has been covered ad nauseam on the list already, but
not recently. I grep'ed for "ip-ah-ip" and found this:
	http://www.sandelman.ottawa.on.ca/ipsec/1996/12/msg00075.html

  I looked in my archives again, and didn't find the original discussion
that I remember. I did find a message from saying that I had
previously looked through the archives for such a reference... 
  
  I'd still like to have the archives of the list from prior to
February 1996.... I think it might make a nice book. Does someone have
the archives? Bill? Ran?

    Karen> 	4. AH above ESP (i.e., authenticate first, then encrypt)
    Karen> 	5. AH above AH
    Karen> 	6. ESP above ESP
    Karen> 	7. AH above AH above ESP
    Karen> 	8. AH above ESP above AH
    Karen> 	9. etc.

  An AH must always be preceded by an IP, so #4, #5, #7 and #8 are
not quite correct, but one understands the intention.

  ESP above ESP (with no intervening IP) is allowed, and may be a way to
get stronger encryption with only DES. Or it may just mean that people
that can export DES but not more get in trouble. 

  Otherwise, these are just layers of tunnel mode. This is most likely
to happen when the layers are added by different gateways. My
impression is that we've had lots of discussion about this in the VPN
drafts. 

   :!mcr!:            |  Network security programming, currently
   Michael Richardson | on contract with DataFellows F-Secure IPSec
 WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html  mcr@sandelman.ottawa.on.ca. PGP key available.





-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBM/8JM6ZpLyXYhL+BAQElvwL+PaoNHgYtAKUc46nwCqoA+6g9k6kL0Hj6
cj8ZgyjezwpCW3ehOgPlhZxeBJhwQvJteBMYlBPO1RV8SfODNLzv0XSFnebgLtxe
3FDFk1cdOfe3vIEJrvI33NM1I5VFq0Pc
=5vJS
-----END PGP SIGNATURE-----
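The two nesting rules Michael states (an AH must be directly preceded by an IP header; ESP directly above ESP with no intervening IP is allowed) and his remark that anything else is just layers of tunnel mode, as an added example that is not part of the original message. It takes the protocol numbers read from successive protocol/next-header fields, builds the header chain outer-to-inner, reports rule violations, and labels each IPsec header as transport (it protects the upper-layer payload) or tunnel (an inner IP header follows). The protocol-number table uses the IANA values for IP-in-IP, ESP and AH; the sample chains are constructed, and the transport/tunnel labelling is my reading of the "layers of tunnel mode" remark.

```python
# Added example, not from the original message: a checker for the IPsec
# header-nesting rules stated in the mail, applied to a chain of protocol
# numbers read from successive protocol/next-header fields.
from typing import Dict, List, Tuple

IP, AH, ESP, ULP = "IP", "AH", "ESP", "ULP"  # ULP = upper-layer payload (TCP, UDP, ...)

# IANA protocol numbers: 4 = IPv4-in-IP, 41 = IPv6-in-IP, 50 = ESP, 51 = AH.
PROTO: Dict[int, str] = {4: IP, 41: IP, 50: ESP, 51: AH}


def chain_from_protocols(protos: List[int]) -> List[str]:
    """Build the outer-to-inner header chain, starting at the outermost IP header.

    Each number is the protocol/next-header value carried by the header before
    it; anything that is not IP, AH or ESP is treated as the upper-layer payload.
    """
    chain = [IP]
    for p in protos:
        chain.append(PROTO.get(p, ULP))
    return chain


def check_nesting(chain: List[str]) -> List[str]:
    """Return the rule violations found in a chain (empty list = acceptable).

    Rules from the message: an AH must be directly preceded by an IP header;
    ESP directly above ESP (no IP in between) is allowed, so it is not flagged.
    """
    errors: List[str] = []
    if not chain or chain[0] != IP:
        errors.append("chain must begin with an IP header")
    for i, hdr in enumerate(chain):
        if hdr == AH and (i == 0 or chain[i - 1] != IP):
            before = chain[i - 1] if i else "nothing"
            errors.append(f"AH at position {i} is preceded by {before}, not IP")
    return errors


def split_layers(chain: List[str]) -> List[List[str]]:
    """Split the chain into layers, each starting at an IP header."""
    layers: List[List[str]] = []
    current: List[str] = []
    for hdr in chain:
        if hdr == IP and current:
            layers.append(current)
            current = []
        current.append(hdr)
    if current:
        layers.append(current)
    return layers


def classify(chain: List[str]) -> List[Tuple[str, str]]:
    """Label each IPsec header 'transport' (it protects the upper-layer payload)
    or 'tunnel' (an inner IP header follows, i.e. one more layer of tunnel mode,
    as happens when different gateways each add their own protection)."""
    layers = split_layers(chain)
    labelled: List[Tuple[str, str]] = []
    for idx, layer in enumerate(layers):
        mode = "transport" if idx == len(layers) - 1 else "tunnel"
        for hdr in layer[1:]:
            if hdr in (AH, ESP):
                labelled.append((hdr, mode))
    return labelled


if __name__ == "__main__":
    # Constructed sample chains, given as the protocol numbers seen on the wire.
    samples = [
        ("IP-AH-ESP-TCP", [51, 50, 6]),      # AH directly under IP: fine
        ("IP-ESP-AH-TCP", [50, 51, 6]),      # AH under ESP: violates the AH rule
        ("IP-ESP-ESP-TCP", [50, 50, 6]),     # ESP above ESP: allowed
        ("IP-AH-IP-ESP-TCP", [51, 4, 50, 6]),  # tunnel layer added by a gateway
    ]
    for name, protos in samples:
        chain = chain_from_protocols(protos)
        print(name, check_nesting(chain) or classify(chain))
```

Because the chain is listed outer-to-inner, "AH above ESP" in the sense of "authenticate first, then encrypt" comes out as IP-ESP-AH, which the checker rejects for exactly the reason given in the mail; IP-AH-ESP passes with both headers in transport mode.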

