
Re: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification, etc.]



> >Gateways that insert an AH header into a passing IPv6 packet (architecturally
> >impure device that I hope no one is seriously advocating) will probably have
> >to treat an unrecognized header as a potential end-to-end header (e.g.,
> >an unrecognized transport protocol header), and therefore will insert the
> >AH header before the unrecognized header and forward it onward, rather than
> >rejecting it.
> 
> IPsec requires any security gateway to use tunnel mode for transit traffic,
> avoiding the problem you cite.  Thus such an implementation would not only
> be "architecturally impure," it also would be non-compliant.

What about "bump in the cord" security devices which sit between a
single host and the rest of the network, and do the AH/ESP protocol
processing for them?  They are, I believe, allowed for by the IPsec
architecture spec, and, depending on how you look at them, they have
aspects of both host and security-gateway implementations of AH/ESP.

					- Bill
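The two approaches argued over above, as an added worked example that is not code from the thread or from any IPsec implementation: a device splicing AH into a transit IPv6 packet in transport mode has to walk the extension-header chain to find the insertion point, and the moment it meets a Next Header value it does not know it can only guess that the rest is end-to-end and put AH in front of it; in tunnel mode the whole original packet is opaque payload behind an outer header and AH, so nothing is walked and nothing is guessed. Assumptions in the code: the set of header types the hypothetical device recognises, the RFC 3692 experimental value 253 standing in for "a header this device has never seen", a constructed test packet, and an HMAC-SHA1-96 ICV computed with only the hop limit and the ICV field zeroed (a real AH sender zeroes every mutable field in the packet).

```python
import hashlib
import hmac
import struct

IPV6_HDR_LEN = 40
IPPROTO_HOPOPTS, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6 = 0, 6, 17, 41
IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_ESP, IPPROTO_AH = 43, 44, 50, 51
IPPROTO_ICMPV6, IPPROTO_DSTOPTS = 58, 60
UNKNOWN_HDR = 253  # RFC 3692 experimental value; stands in for a header this device does not know

# In IPv6, AH is treated as end-to-end payload, so a transport-mode inserter must
# step over hop-by-hop, routing and fragment headers before splicing AH in.
PRE_AH_EXT = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT}
# Everything this (assumed) device knows how to identify or measure.
KNOWN_EXT = PRE_AH_EXT | {IPPROTO_DSTOPTS}
KNOWN_UPPER = {IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMPV6}

SRC = bytes.fromhex("20010db8000000000000000000000001")  # constructed addresses
DST = bytes.fromhex("20010db8000000000000000000000002")
PAYLOAD = b"hello, this is opaque to the gateway"


def ipv6_header(next_hdr, payload_len, src, dst, hop_limit=64):
    # Version 6, traffic class 0, flow label 0, then payload length, next header, hop limit.
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_hdr, hop_limit, src, dst)


def ext_header(next_hdr, body):
    # Generic TLV-style extension header: Next Header, Hdr Ext Len in 8-octet
    # units not counting the first 8 octets, then the body (caller keeps it aligned).
    assert (len(body) + 2) % 8 == 0, "body must leave the header 8-octet aligned"
    return struct.pack("!BB", next_hdr, (len(body) + 2) // 8 - 1) + body


def ah_header(next_hdr, spi, seq, icv):
    # AH: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence, ICV.
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv


def ah_icv(key, pkt, ah_off):
    # HMAC-SHA1-96 over the packet with the ICV field and the hop limit zeroed.
    # Simplification (assumption): a real sender zeroes every mutable field.
    buf = bytearray(pkt)
    buf[7] = 0
    buf[ah_off + 12:ah_off + 24] = b"\x00" * 12
    return hmac.new(key, bytes(buf), hashlib.sha1).digest()[:12]


def find_ah_insert_point(pkt):
    """Walk the extension chain to where transport-mode AH would be spliced in.

    Returns (insert_offset, header_type_that_follows_AH, offset_of_the_Next_Header
    byte_to_patch, guessed). guessed is True when the walk stopped at a header the
    device cannot classify, i.e. it merely assumed the rest is end-to-end.
    """
    nh_field, nh, off = 6, pkt[6], IPV6_HDR_LEN
    while nh in PRE_AH_EXT:
        hlen = 8 if nh == IPPROTO_FRAGMENT else (pkt[off + 1] + 1) * 8
        nh_field, nh, off = off, pkt[off], off + hlen
    return off, nh, nh_field, nh not in (KNOWN_EXT | KNOWN_UPPER)


def insert_ah_transport(pkt, key, spi, seq):
    # The "architecturally impure" gateway: AH spliced into a transit packet.
    off, nh, nh_field, guessed = find_ah_insert_point(pkt)
    new = bytearray(pkt[:off] + ah_header(nh, spi, seq, b"\x00" * 12) + pkt[off:])
    new[nh_field] = IPPROTO_AH                               # previous header now points at AH
    struct.pack_into("!H", new, 4, len(new) - IPV6_HDR_LEN)  # fix IPv6 payload length
    new[off + 12:off + 24] = ah_icv(key, bytes(new), off)
    return bytes(new), guessed


def encapsulate_ah_tunnel(pkt, key, spi, seq, outer_src, outer_dst):
    # Tunnel mode, as required of a security gateway for transit traffic: the whole
    # original packet, unrecognised headers and all, is payload behind outer IPv6 | AH.
    ah = ah_header(IPPROTO_IPV6, spi, seq, b"\x00" * 12)
    new = bytearray(ipv6_header(IPPROTO_AH, len(ah) + len(pkt), outer_src, outer_dst) + ah + pkt)
    new[IPV6_HDR_LEN + 12:IPV6_HDR_LEN + 24] = ah_icv(key, bytes(new), IPV6_HDR_LEN)
    return bytes(new)


def build_sample_packet():
    # Constructed packet: IPv6 | Hop-by-Hop (one PadN option) | header 253 | data.
    # Header 253 is laid out like an extension header whose next header is TCP,
    # but the device has no way to know that.
    hbh = ext_header(UNKNOWN_HDR, b"\x01\x04\x00\x00\x00\x00")
    unk = ext_header(IPPROTO_TCP, b"\x00" * 6)
    body = hbh + unk + PAYLOAD
    return ipv6_header(IPPROTO_HOPOPTS, len(body), SRC, DST) + body


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pkt = build_sample_packet()
    off, nh, _, guessed = find_ah_insert_point(pkt)
    print(f"transport mode: AH spliced at offset {off} before header {nh}, guessed={guessed}")
    tun = encapsulate_ah_tunnel(pkt, key, 0x1001, 1, SRC, DST)
    print(f"tunnel mode: {len(tun)} bytes, original packet carried whole at offset 64")
```

Running it shows the transport-mode walk stopping at header 253 with `guessed=True`: the device forwarded the packet with AH in front of something it could not classify, which is exactly the behaviour the first message predicts. The tunnel-mode path never inspects the inner chain, which is why requiring tunnel mode at a security gateway removes the problem rather than merely papering over it.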

