
RE: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification, etc.]

Let's say that there is a large server 
on which it does not make sense to implement
IPSEC. In that case, one would put a small
dedicated device to do IPSEC transport
mode for all the intranet use.

It is not a gateway. The dedicated box
is implementing IPSEC function on
behalf of a single server (could be a 
coprocessor for a mainframe system for
all I know).

This I hope is legal and will suffer from the
problems being discussed.

Baiju

-----Original Message-----
From: owner-ipsec@ex.tis.com [mailto:owner-ipsec@ex.tis.com]On Behalf Of
Stephen Kent
Sent: Monday, May 04, 1998 6:27 AM
To: Steve Deering
Cc: Theodore Y. Ts'o; Robert Elz; Thomas Narten; jis@MIT.EDU;
ipsec@tis.com; ipng@sunroof.Eng.Sun.COM
Subject: Re: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification,
etc.]


Steve

>Gateways that insert an AH header into a passing IPv6 packet (architecturally
>impure device that I hope no one is seriously advocating) will probably have
>to treat an unrecognized header as a potential end-to-end header (e.g.,
>an unrecognized transport protocol header), and therefore will insert the
>AH header before the unrecognized header and forward it onward, rather than
>rejecting it.

IPsec requires any security gateway to use tunnel mode for transit traffic,
avoiding the problem you cite.  Thus such an implementation would not only
be "architecturally impure," it also would be non-compliant.

Steve
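The point at issue in both messages, transport-mode AH placement in an IPv6 extension-header chain versus tunnel-mode encapsulation, as an added illustration that is not part of this thread and not anyone's implementation. The next-header numbers are the real IANA values; the header-ordering rule (AH after hop-by-hop, routing and fragment headers, and after a destination-options header only when a routing header follows it) follows the IPv6 and AH specs, while the Hdr/Packet classes, the unknown_is_end_to_end policy knob, the use of 253 as a stand-in "unrecognized" header and the abbreviated AH body are assumptions of this example:

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional

# Real IANA next-header values used below.
HOPOPT, TCP, UDP, IPV6, ROUTING, FRAGMENT, AH, ICMPV6, DSTOPTS = (
    0, 6, 17, 41, 43, 44, 51, 58, 60)
EXPERIMENTAL = 253   # RFC 3692 experimental value; stands in here for a header the box does not know

KNOWN_EXT = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}
KNOWN_UPPER = {TCP, UDP, ICMPV6}


@dataclass
class Hdr:
    proto: int                       # next-header value that names this header
    body: bytes = b""                # payload of the header; irrelevant to placement
    inner: Optional[Packet] = None   # only set on a next-header-41 (IPv6-in-IPv6) header


@dataclass
class Packet:
    src: str
    dst: str
    chain: List[Hdr]                 # extension headers in order, then the upper-layer header


def protos(pkt: Packet) -> List[int]:
    """The header chain as a list of next-header values, for inspection in tests."""
    return [h.proto for h in pkt.chain]


def transport_ah_index(chain: List[Hdr], unknown_is_end_to_end: bool) -> int:
    """Index at which transport-mode AH is inserted.

    Hop-by-hop, routing and fragment headers (and a destination-options header that a
    routing header follows) stay in front of AH; the first other header is the insertion
    point.  An unrecognized next-header value leaves the walker unable to tell per-hop
    from end-to-end: with unknown_is_end_to_end it is treated like an upper-layer header
    (AH goes in front of it, the behaviour Deering describes), otherwise it is an error.
    """
    for i, h in enumerate(chain):
        if h.proto in (HOPOPT, ROUTING, FRAGMENT):
            continue
        if h.proto == DSTOPTS and any(x.proto == ROUTING for x in chain[i + 1:]):
            continue
        if h.proto in KNOWN_EXT or h.proto in KNOWN_UPPER or unknown_is_end_to_end:
            return i
        raise ValueError(f"unrecognized next-header {h.proto}; cannot place AH in transport mode")
    return len(chain)


def transport_mode_insert_ah(pkt: Packet, spi: int, unknown_is_end_to_end: bool = False) -> Packet:
    """Bump-in-the-wire device acting for one host: walk the chain and splice AH in.
    The AH body carries only the SPI; sequence number and ICV are omitted for brevity."""
    i = transport_ah_index(pkt.chain, unknown_is_end_to_end)
    ah = Hdr(AH, spi.to_bytes(4, "big"))
    return Packet(pkt.src, pkt.dst, pkt.chain[:i] + [ah] + pkt.chain[i:])


def tunnel_mode_insert_ah(pkt: Packet, gw_src: str, gw_dst: str, spi: int) -> Packet:
    """Security gateway on transit traffic: never walks the inner chain.  A fresh outer
    IPv6 header between the gateways is followed by AH, then the whole original packet
    (its header chain included) rides as a next-header-41 payload."""
    ah = Hdr(AH, spi.to_bytes(4, "big"))
    return Packet(gw_src, gw_dst, [ah, Hdr(IPV6, inner=pkt)])


if __name__ == "__main__":
    # Constructed sample: a host packet carrying a header the device does not recognize.
    host_pkt = Packet("2001:db8::1", "2001:db8::2",
                      [Hdr(HOPOPT), Hdr(EXPERIMENTAL), Hdr(TCP, b"payload")])
    print("tunnel  :", protos(tunnel_mode_insert_ah(host_pkt, "2001:db8:a::1", "2001:db8:b::1", 0x100)))
    print("lenient :", protos(transport_mode_insert_ah(host_pkt, 0x100, unknown_is_end_to_end=True)))
    try:
        transport_mode_insert_ah(host_pkt, 0x100)
    except ValueError as err:
        print("strict  :", err)
```

The transport-mode path is where the per-host box Baiju describes lives, and it must make exactly the call Deering raises when it meets a next-header value it does not know; the tunnel-mode path never looks inside the original packet, which is why the gateway rule Kent cites sidesteps the question.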