[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification, etc.]

To: Steve Deering <deering@cisco.com>
Subject: Re: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification, etc.]
From: Stephen Kent <kent@bbn.com>
Date: Mon, 4 May 1998 09:27:05 -0400
Cc: "Theodore Y. Ts'o" <tytso@MIT.EDU>, Robert Elz <kre@munnari.oz.au>, Thomas Narten <narten@raleigh.ibm.com>, jis@MIT.EDU, ipsec@tis.com, ipng@sunroof.Eng.Sun.COM
In-Reply-To: <v0311070ab1702d8c9b1e@[171.69.199.124]>
References: <199805010154.VAA20482@dcl.MIT.EDU> Robert Elz's message ofFri, 01 May 1998 07:46:34 +1000, <17976.893972794@munnari.OZ.AU>
Sender: owner-ipsec@ex.tis.com

Steve

>Gateways that insert an AH header into a passing IPv6 packet (architecturally
>impure device that I hope no one is seriously advocating) will probably have
>to treat an unrecognized header as a potential end-to-end header (e.g.,
>an unrecognized transport protocol header), and therefore will insert the
>AH header before the unrecognized header and forward it onward, rather than
>rejecting it.

IPsec requires any security gateway to use tunnel mode for transit traffic,
avoiding the problem you cite.  Thus such an implementation would not only
be "architectually impure," it also would be non-compliant.

Steve

Follow-Ups:

Re: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification, etc.]

From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>

References:

Re: (IPng 5744) Re: [Karen Seo: Thomas Narten -- clarification, etc.]

From: Robert Elz <kre@munnari.oz.au>

Re: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification,etc.]

From: Steve Deering <deering@cisco.com>

Prev by Date: low-end IPSEC boxes?
Next by Date: Re: low-end IPSEC boxes?
Prev by thread: Re: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification,etc.]
Next by thread: Re: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification, etc.]
Index(es):
- Main
- Thread