
Re: order/nesting of IPsec headers (transport mode)



Hello,

>>...When we apply the IPSEC to the following packet,
>>
>>  [IP1][upper]
>>
>>These are all the patterns of SA in the following, which are indicated by
>>the draft-ietf-ipsec-arch-sec-01.txt e-mailed on 30 July:
>>
>>  Only transport mode
>>  [IP1][AH][upper]
>>  [IP1][ESP][upper]
>>
>>  Only tunnel mode
>>  [IP2][AH][IP1][upper]
>>  [IP2][ESP][IP1][upper]
>>
>>  Combined transport mode of AH and ESP, "Transport adjacency"
>>  [IP1][AH][ESP][upper]
>>
>>  Combined tunnel mode of ESP and AH, "Iterated tunneling"
>>  [IPn][AH or ESP][IPn-1][AH or ESP][...][IP2][AH or ESP][IP1][upper]
>>
>>  Combined transport mode of AH or ESP, and "Iterated tunneling"
>>  [IPn][AH or ESP][IPn-1][AH or ESP][...][IP2][AH or ESP][IP1][AH or ESP][upper]
>>
>>  Combined "Transport adjacency" and "Iterated tunneling"
>>  [IPn][AH or ESP][IPn-1][AH or ESP][...][IP2][AH or ESP][IP1][AH][ESP][XPORT]
>>
>>Is that all?

	Yes.  You have listed those combinations of SAs that we believed
	the community had agreed were needed as a minimum set.  However,
	as indicated in other email and your question below, there are
	other combinations that are possible and we have raised the
	question as to whether support for them should be allowed and/or
	mandated.

>>Next, is there an SA bundle pattern as follows?
>>
>>  [IP2][AH][ESP][IP1][upper]
>>
>>    * [upper] is the upper layer protocol
>>
>>If so, is that constructed as two tunnel modes, of both AH and ESP,
>>that are terminated at the same destination?

	Yes. This is an example of 2 tunnel headers applied by the same
	box (host or security gateway).  

	NOTE: In theory, it's also possible for a single host to apply
	more than the 2 tunnel headers:

	[IP2][AH or ESP][AH or ESP][...][AH or ESP][IP1][upper] 

	or to apply more than the 2 transport headers:

	[IP1][AH or ESP][AH or ESP][...][AH or ESP][upper].

>>P.S. Thank you for your help and sorry for my bad English

	I only wish my original email had been as clear :-).


Thank you,
Karen
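As an added illustration of the SA combinations listed in this exchange (example code written for this archive page, not from the draft or from either poster), the following Python takes a header stack in the thread's bracket notation and names the combination it represents using the draft's categories. The rule that an outer IP header with no AH or ESP beneath it is plain IP-in-IP rather than an IPsec tunnel is an assumption of this example.

```python
import re
from typing import Dict, List, Optional

SECURITY_HEADERS = {"AH", "ESP"}
PAYLOAD_TOKENS = {"upper", "XPORT"}  # both spellings appear in the thread


def parse_stack(text: str) -> List[str]:
    """Split bracket notation such as "[IP2][AH][ESP][IP1][upper]" into tokens."""
    return re.findall(r"\[([^\]]+)\]", text)


def layers_of(tokens: List[str]) -> List[List[str]]:
    """Group each AH/ESP header under the IP header that precedes it.
    Returns one list of security headers per IP header, outermost first."""
    if len(tokens) < 2 or tokens[-1] not in PAYLOAD_TOKENS or not tokens[0].startswith("IP"):
        raise ValueError("stack must start with an IP header and end with [upper]")
    layers: List[List[str]] = []
    for tok in tokens[:-1]:
        if tok.startswith("IP"):
            layers.append([])
        elif tok in SECURITY_HEADERS:
            layers[-1].append(tok)
        else:
            raise ValueError(f"unknown header {tok!r}")
    return layers


def classify(text: str) -> Dict[str, object]:
    """Name the SA combination using the draft's categories from the thread."""
    layers = layers_of(parse_stack(text))
    tunnels, transport = layers[:-1], layers[-1]
    # Assumption: an outer IP header carrying no AH/ESP is IP-in-IP, not an IPsec tunnel.
    if any(not hdrs for hdrs in tunnels):
        raise ValueError("outer IP header carries no AH/ESP")
    if tunnels:
        mode = "iterated tunneling" if len(tunnels) > 1 else "tunnel"
        if transport:  # transport-mode SA(s) applied before the tunnel(s)
            prefix = "transport adjacency" if len(transport) > 1 else "transport"
            mode = f"{prefix} + {mode}"
    else:
        mode = {0: "none", 1: "transport"}.get(len(transport), "transport adjacency")
    # The draft's transport adjacency pattern is specifically [AH][ESP] (AH outside ESP).
    adjacency_ok: Optional[bool] = transport == ["AH", "ESP"] if len(transport) > 1 else None
    return {"mode": mode, "tunnel_headers": tunnels, "transport_headers": transport,
            "adjacency_matches_draft": adjacency_ok}


def is_valid(text: str) -> bool:
    """True when the stack is one of the IPsec combinations classify() accepts."""
    try:
        classify(text)
        return True
    except ValueError:
        return False
```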


