Re: Thomas Narten's DISCUSS vote
"Vipul Gupta" <vgupta@nobel.eng.sun.com> wrote:
>Date: Fri, 22 May 1998 14:42:38 -0700 (PDT)
>
> I think Tom's comment is valid. Even when used with NULL encryption,
> ESP's integrity check will include the TCP/UDP header and,
Only assuming transport mode ESP. Tunnel mode ESP should work
fine.
Perhaps this should be mentioned explicitly in the ESP_NULL draft:
>> >> The IPsec Authentication Header [AH] specification provides a similar
>> >> service, by computing authentication data which covers the data
>> >> portion of a packet as well as the immutable in transit portions of
>> >> the IP header. ESP_NULL does not include the IP header in
>> >> calculating the authentication data. This can be useful in providing
>> >> IPsec services through Network Address Translation (NAT) devices and
>> >> non-IP network devices.
^^^^^^^^^^^^^^^^^^^^^^^, particularly if using tunnel mode.
>> >> The discussion on how ESP_NULL might be
>> >> used with NAT and non-IP network devices is outside the scope of this
>> >> document.
>> >
-gabriel
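
The transport-versus-tunnel distinction discussed in this message, as an added example that is not part of the original post or of the ESP_NULL draft: the TCP checksum covers a pseudo-header containing the IP addresses, so a NAT that rewrites the source address either leaves a stale checksum behind or breaks the ESP integrity value by patching it, while in tunnel mode the inner addresses and checksum travel untouched. The key, addresses, HMAC-SHA1-96 as the integrity algorithm, and the inner header reduced to two addresses are all assumptions made for the sketch.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"                                  # constructed SA key
A, SERVER, NAT_PUB = "10.0.0.5", "192.0.2.10", "198.51.100.1"  # constructed addresses

def csum(data):                                  # RFC 1071 Internet checksum
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def pseudo(src, dst, length):                    # TCP pseudo-header (protocol 6)
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)

def tcp_segment(src, dst, payload):              # 20-byte header, checksum filled in
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    c = csum(pseudo(src, dst, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", c) + hdr[18:] + payload

def tcp_ok(src, dst, seg):                       # receiver-side checksum verification
    return csum(pseudo(src, dst, len(seg)) + seg) == 0

def icv(body):                                   # covers SPI..next header, not the IP header
    return hmac.new(KEY, body, hashlib.sha1).digest()[:12]

def esp_null(inner, next_hdr):                   # NULL encryption: payload stays in the clear
    pad = bytes(range(1, (-(len(inner) + 2)) % 4 + 1))
    body = struct.pack("!II", 0x1000, 1) + inner + pad + bytes([len(pad), next_hdr])
    return body + icv(body)

def esp_open(esp):                               # returns the payload, or None on ICV failure
    body = esp[:-12]
    if not hmac.compare_digest(esp[-12:], icv(body)):
        return None
    return body[8:len(body) - 2 - body[-2]]

def transport_via_nat(patch_tcp_checksum=False):
    esp = esp_null(tcp_segment(A, SERVER, b"hello"), 6)
    if patch_tcp_checksum:                       # NAT rewrites the checksum inside ESP
        esp = esp[:8] + tcp_segment(NAT_PUB, SERVER, b"hello") + esp[33:]
    seg = esp_open(esp)                          # receiver sees NAT_PUB as the source
    return seg is not None, seg is not None and tcp_ok(NAT_PUB, SERVER, seg)

def tunnel_via_nat():                            # NAT rewrites only the outer header
    inner = socket.inet_aton(A) + socket.inet_aton(SERVER) + tcp_segment(A, SERVER, b"hello")
    pkt = esp_open(esp_null(inner, 4))           # next header 4 = IP-in-IP
    src, dst = socket.inet_ntoa(pkt[:4]), socket.inet_ntoa(pkt[4:8])
    return pkt is not None, tcp_ok(src, dst, pkt[8:])
```

Each function returns the pair (ICV verified, TCP checksum verified) as seen by the receiver.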