
Re: doi-07/interoperability questions



Eric L. Wong writes:
> Sounds to me you are suggesting the following changes to the arch spec
> in section 4.5 Case 1. 
> ] 
> ]                   Transport                  Tunnel
> ]              -----------------          ---------------------
> ]              1. [IP1][AH][upper]        4. [IP2][AH][IP1][upper]
> ]              2. [IP1][ESP][upper]       5. [IP2][ESP][IP1][upper]
> ]              3. [IP1][AH][ESP][upper]
> ] 
> 
>                   Transport                     Tunnel
>              -----------------             ---------------------
>              1. [IP1][AH][upper]   (remove)4. [IP2][AH][IP1][upper]
>      (remove)2. [IP1][ESP][upper]          5. [IP2][ESP][IP1][upper]
>              3. [IP1][AH][ESP][upper] (add)6. [IP2][AH][ESP][IP1][upper]
> 
> Is this correct?

Nope.  All I'm suggesting is that we have a way to negotiate 5 followed
by 1 in ISAKMP.  The net result being:

[IP1][upper]
[IP2][ESP][IP1][upper]
[IP2][AH][ESP][IP1][upper]

I used to think that 6 was necessary, but was convinced this was not a
valid combination by Stephen Kent at the December IETF (AH is no longer
in tunnel mode).  You can, however, emulate it using the 5+1
combination.  This was what I was suggesting in the AH (transport) + ESP
(tunnel) proposal.


ben
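
The "5 followed by 1" layering described in the message above, modelled as an added example (not part of the original message and not code from any IPsec implementation). Headers are plain labels in the thread's notation, and the function names and the `FIVE_THEN_ONE` / `ONE_THEN_FIVE` constants are hypothetical.

```python
# Added illustration: IPsec header layering modelled as a list of labels.
# Labels (IP1, IP2, AH, ESP, upper) follow the thread's notation; every
# function and constant name here is hypothetical.

def apply_sa(packet, proto, mode, outer_ip="IP2"):
    """Outbound: apply one SA (proto is 'AH' or 'ESP') to a header stack."""
    if mode == "transport":
        # Transport mode: security header goes right after the outermost IP header.
        return [packet[0], proto] + packet[1:]
    if mode == "tunnel":
        # Tunnel mode: the whole packet is wrapped in a new outer IP header
        # followed by the security header.
        return [outer_ip, proto] + packet
    raise ValueError(f"unknown mode: {mode}")

def apply_bundle(packet, bundle):
    """Apply SAs in negotiated order; the first entry ends up innermost."""
    for proto, mode in bundle:
        packet = apply_sa(packet, proto, mode)
    return packet

def strip_bundle(packet, bundle, outer_ip="IP2"):
    """Inbound: undo the SAs outermost-first, rejecting unexpected layering."""
    for proto, mode in reversed(bundle):
        if len(packet) < 3 or packet[1] != proto:
            raise ValueError(f"expected {proto} after outer IP header, got {packet}")
        if mode == "transport":
            packet = [packet[0]] + packet[2:]   # keep the IP header, drop proto
        else:
            if packet[0] != outer_ip:
                raise ValueError(f"expected tunnel header {outer_ip}, got {packet[0]}")
            packet = packet[2:]                 # drop outer IP header and proto
    return packet

def render(packet):
    return "".join(f"[{h}]" for h in packet)

# Case 5 (ESP tunnel) followed by case 1 (AH transport), as in the message.
FIVE_THEN_ONE = [("ESP", "tunnel"), ("AH", "transport")]
# Same two SAs in the opposite order, to show that ordering matters.
ONE_THEN_FIVE = [("AH", "transport"), ("ESP", "tunnel")]

if __name__ == "__main__":
    original = ["IP1", "upper"]
    for name, bundle in (("5+1", FIVE_THEN_ONE), ("1+5", ONE_THEN_FIVE)):
        wire = apply_bundle(original, bundle)
        print(name, render(wire), "->", render(strip_bundle(wire, bundle)))
```

Applying the same two SAs in the opposite order leaves AH inside the ESP tunnel rather than covering the outer header, so only the 5+1 ordering emulates combination 6.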


