
RE: ESP and AH used in tunnel mode by a Security Gateway




	Yes, I suppose once I have applied ESP-Tunnel, using AH as well
	becomes transport mode - unless I really want to incur the overhead
	of yet another IP header. Thanks.

	Steve.
	
> ----------
> From: 	Ben Rogers[SMTP:ben@ascend.com]
> Sent: 	Thursday, July 23, 1998 6:58 PM
> To: 	Stephen Waters
> Cc: 	ipsec@tis.com
> Subject: 	Re: ESP and AH used in tunnel mode by a Security Gateway
> 
> Stephen Waters <Stephen.Waters@digital.com> writes:
> 
> > 	I seem to remember asking this question before, but....
> > 
> > 	Although not covered in the IPSEC architecture, is there any
> > 	restriction on a Security Gateway applying both ESP and AH in
> > 	tunnel mode?
> 
> You could do this.  However, you'll want to be a little more precise
> with your terminology.
> 
> ESP and AH in tunnel mode:
> 
> IP AH IP ESP IP DATA
> 
> You probably intended to apply ESP in tunnel mode and AH in transport
> mode on top of that:
> 
> IP AH ESP IP DATA
> 
> Note that in an ISAKMP negotiation, you would negotiate a single
> proposal containing an ESP transform with the tunnel mode attribute
> and an AH transform with the transport mode attribute.  (This is
> something we agreed to some time ago but which might not have made it
> into the docs yet.)
> 
> 
> ben
> 
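
Added example, not part of the original messages: a small Python model of how a gateway's SA bundle nests headers, reproducing the two layouts quoted above and the cost of the extra IP header. The function names, the `(protocol, mode)` tuple form and the 20-byte IPv4 header without options are assumptions of this sketch.

```python
# Added illustration: header order produced by applying an IPsec SA bundle.
# Names here are hypothetical and do not come from any IPsec implementation.

IPV4_HEADER_LEN = 20  # bytes; assumes IPv4 headers without options


def apply_bundle(transforms, inner=("IP", "DATA")):
    """Apply (protocol, mode) transforms in order, innermost first.

    Returns the resulting header stack, outermost header first.
    """
    packet = list(inner)
    for proto, mode in transforms:
        if proto not in ("AH", "ESP"):
            raise ValueError(f"unknown protocol: {proto}")
        if mode == "tunnel":
            # Tunnel mode wraps the whole packet: a new outer IP header,
            # then the security header, then the original packet.
            packet = ["IP", proto] + packet
        elif mode == "transport":
            # Transport mode keeps the current outer IP header and
            # inserts the security header directly after it.
            packet = [packet[0], proto] + packet[1:]
        else:
            raise ValueError(f"unknown mode: {mode}")
    return packet


def added_ip_overhead(packet):
    """Bytes of IP header added on top of the original packet's own header."""
    return (packet.count("IP") - 1) * IPV4_HEADER_LEN


if __name__ == "__main__":
    bundles = {
        "ESP tunnel + AH tunnel": [("ESP", "tunnel"), ("AH", "tunnel")],
        "ESP tunnel + AH transport": [("ESP", "tunnel"), ("AH", "transport")],
    }
    for label, bundle in bundles.items():
        stack = apply_bundle(bundle)
        print(f"{label}: {' '.join(stack)} "
              f"(+{added_ip_overhead(stack)} bytes of IP header)")
```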

