
Re: Thomas Narten's DISCUSS vote




"Vipul Gupta" <vgupta@nobel.eng.sun.com> wrote:

>Date: Fri, 22 May 1998 14:42:38 -0700 (PDT)
>
>  I think Tom's comment is valid. Even when used with NULL encryption, 
>  ESP's integrity check will include the TCP/UDP header and,

Only assuming transport mode ESP. Tunnel mode ESP should work
fine.
 
Perhaps this should be mentioned explicitly in the ESP_NULL draft:


>> >>    The IPsec Authentication Header [AH] specification provides a similar
>> >>    service, by computing authentication data which covers the data
>> >>    portion of a packet as well as the immutable in transit portions of
>> >>    the IP header.  ESP_NULL does not include the IP header in
>> >>    calculating the authentication data.  This can be useful in providing
>> >>    IPsec services through Network Address Translation (NAT) devices and
>> >>    non-IP network devices.  
         ^^^^^^^^^^^^^^^^^^^^^^^, particularly if using tunnel mode.

>> >>   The discussion on how ESP_NULL might be
>> >>    used with NAT and non-IP network devices is outside the scope of this
>> >>    document.
>> >


-gabriel
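
Added example (not part of the original message): a small Python model of why the transport/tunnel distinction discussed above matters when ESP_NULL crosses a NAT. It relies on the standard fact that the UDP checksum covers a pseudo-header containing the IP addresses. The key, addresses, ports, SPIs and the choice of HMAC-SHA1-96 as the ICV algorithm are constructed assumptions.

```python
import hashlib, hmac, struct
from socket import inet_aton, inet_ntoa

KEY = b"constructed-demo-key"  # constructed; HMAC-SHA1-96 is an assumed ICV algorithm

def csum(data):  # RFC 1071 Internet checksum
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def pseudo(src, dst, length):  # UDP pseudo-header: the checksum depends on IP addresses
    return inet_aton(src) + inet_aton(dst) + struct.pack("!BBH", 0, 17, length)
def udp(src, dst, data, sport=4000, dport=53):
    hdr = struct.pack("!HHH", sport, dport, 8 + len(data))
    c = csum(pseudo(src, dst, 8 + len(data)) + hdr + b"\x00\x00" + data) or 0xFFFF
    return hdr + struct.pack("!H", c) + data
def udp_ok(src, dst, dgram):
    return csum(pseudo(src, dst, len(dgram)) + dgram) == 0

def ipv4(src, dst, proto, payload):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                    inet_aton(src), inet_aton(dst))
    return h[:10] + struct.pack("!H", csum(h)) + h[12:] + payload

def icv(pkt):
    return hmac.new(KEY, pkt, hashlib.sha1).digest()[:12]

def esp_null(spi, seq, next_hdr, body):  # ICV spans ESP header..trailer, not the outer IP header
    pad = -(len(body) + 2) % 4
    pkt = struct.pack("!II", spi, seq) + body + bytes(range(1, pad + 1)) + bytes([pad, next_hdr])
    return pkt + icv(pkt)
def esp_verify(esp):
    return hmac.compare_digest(esp[-12:], icv(esp[:-12]))
def esp_body(esp):  # strip ESP header, padding, trailer and ICV
    return esp[8:len(esp) - 14 - esp[-14]]

def scenario(private="10.0.0.5", public="203.0.113.7", server="198.51.100.9"):
    # Constructed addresses; the NAT rewrites private -> public in the outer IP header
    dgram = udp(private, server, b"query")
    t = esp_null(0x1001, 1, 17, dgram)                            # transport mode
    patched = udp(public, server, b"query")                       # NAT also fixes the UDP checksum
    u = esp_null(0x1002, 1, 4, ipv4(private, server, 17, dgram))  # tunnel mode (IP-in-IP)
    inner = esp_body(u)
    return {"transport_icv": esp_verify(t),
            "transport_udp": udp_ok(public, server, esp_body(t)),
            "patched_icv": esp_verify(t[:8] + patched + t[8 + len(patched):]),
            "tunnel_icv": esp_verify(u),
            "tunnel_udp": udp_ok(inet_ntoa(inner[12:16]), inet_ntoa(inner[16:20]), inner[20:])}
```

In transport mode the receiver either sees a UDP checksum that no longer matches the translated source address, or an ICV failure if the NAT rewrote the checksum; in tunnel mode both checks pass because the inner packet is untouched.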