
Re: ESP and AH used in tunnel mode by a Security Gateway



Steve,

There is no requirement for an implementation to support application of
both an AH and an ESP tunnel between the same two endpoints.  However, an
SG might be the terminus of two tunnels, in the same or different modes,
with different endpoints.  For example, there might be a tunnel between SG1
and SG2 and H1, behind SG1, might open another tunnel to SG2.  So that
would cause traffic to flow over two tunnels that terminate at SG2.
However, an SG should not create two nested tunnels to the same endpoint.
We removed that requirement a while ago because implementors did not feel
that it was worth the added complexity.  So, if an SG created such nested
tunnels, there is no reason to believe that a compliant IPsec
implementation at the other end would support such nesting, as the spec
warns.

Steve
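The topology in the reply above (a tunnel SG1 -> SG2 and a second tunnel from H1, behind SG1, to the same SG2, versus one SG stacking two tunnels to one peer) is sketched below as an added, schematic example. It is not code from this thread or from any IPsec implementation: there is no cryptography or wire format, the addresses and SPI values are constructed for illustration, and the (destination, SPI, protocol) inbound lookup is the only piece taken from the spec.

```python
"""Schematic model of tunnel-mode termination at a security gateway.

Added example, not from the original thread. Constructed topology:
    H1 (10.1.0.5) -- SG1 (192.0.2.1) ===== SG2 (198.51.100.1) -- H2 (10.2.0.7)
Two tunnels end at SG2: SG1 -> SG2 and H1 -> SG2. Headers are dicts-like
dataclasses, SPIs are made up, and no real ESP/AH processing happens.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "esp" / "ah" for a tunnel header, "data" otherwise
    payload: object            # inner Packet for a tunnel header, bytes otherwise
    spi: Optional[int] = None  # present on esp/ah headers only


@dataclass(frozen=True)
class SA:
    """One unidirectional tunnel-mode SA, shared by the two endpoints that negotiated it."""
    spi: int
    proto: str   # "esp" or "ah"
    src: str     # encapsulating endpoint (outer source)
    dst: str     # decapsulating endpoint (outer destination)


class IPsecNode:
    """Host or security gateway holding inbound SAs and a toy outbound policy."""

    def __init__(self, addr: str):
        self.addr = addr
        # Inbound SAs are identified by (outer dst, SPI, protocol), as in RFC 2401.
        self.inbound: dict[tuple[str, int, str], SA] = {}
        # Outbound policy (stand-in for the SPD): destination prefix -> SA to apply.
        self.outbound: dict[str, SA] = {}

    def add_inbound(self, sa: SA) -> None:
        self.inbound[(sa.dst, sa.spi, sa.proto)] = sa

    def add_outbound(self, prefix: str, sa: SA) -> None:
        self.outbound[prefix] = sa

    def send(self, pkt: Packet) -> Packet:
        """Wrap pkt in one tunnel header if an outbound policy matches its destination."""
        for prefix, sa in self.outbound.items():
            if pkt.dst.startswith(prefix):
                return Packet(src=sa.src, dst=sa.dst, proto=sa.proto, payload=pkt, spi=sa.spi)
        return pkt  # no policy: bypass

    def receive(self, pkt: Packet) -> tuple[Packet, list[SA]]:
        """Strip every tunnel header addressed to this node, outermost first.

        Returns the innermost packet and the SAs consumed along the way.
        Raises LookupError if a tunnel header has no matching inbound SA.
        """
        used: list[SA] = []
        while pkt.proto in ("esp", "ah") and pkt.dst == self.addr:
            sa = self.inbound.get((self.addr, pkt.spi, pkt.proto))
            if sa is None:
                raise LookupError(f"{self.addr}: no inbound SA for SPI {pkt.spi:#x}/{pkt.proto}")
            used.append(sa)
            pkt = pkt.payload  # type: ignore[assignment]
        return pkt, used


def build_topology() -> tuple[IPsecNode, IPsecNode, IPsecNode]:
    h1, sg1, sg2 = IPsecNode("10.1.0.5"), IPsecNode("192.0.2.1"), IPsecNode("198.51.100.1")
    sa_h1 = SA(0x1001, "esp", "10.1.0.5", "198.51.100.1")    # H1 -> SG2 (constructed SPI)
    sa_sg1 = SA(0x2002, "esp", "192.0.2.1", "198.51.100.1")  # SG1 -> SG2 (constructed SPI)
    h1.add_outbound("10.2.", sa_h1)
    sg1.add_outbound("10.2.", sa_sg1)          # plain traffic for SG2's site
    sg1.add_outbound("198.51.100.", sa_sg1)    # H1's already-tunnelled traffic to SG2
    sg2.add_inbound(sa_h1)
    sg2.add_inbound(sa_sg1)
    return h1, sg1, sg2


def deliver_h1_to_h2() -> tuple[Packet, list[int]]:
    """Two tunnels with different far endpoints, both terminating at SG2."""
    h1, sg1, sg2 = build_topology()
    app = Packet("10.1.0.5", "10.2.0.7", "data", b"hello")
    on_wire = sg1.send(h1.send(app))      # H1 wraps once, SG1 wraps again
    inner, used = sg2.receive(on_wire)    # SG2 unwraps SG1's header, then H1's
    return inner, [sa.spi for sa in used]


def nested_same_endpoint_is_dropped() -> bool:
    """SG1 stacks an AH tunnel over its ESP tunnel to the same peer. SG2 only
    holds the ESP SA, so the outer AH header finds no SA and is rejected."""
    _, sg1, sg2 = build_topology()
    sa_ah = SA(0x3003, "ah", "192.0.2.1", "198.51.100.1")    # never installed at SG2
    esp_pkt = sg1.send(Packet("10.1.0.9", "10.2.0.7", "data", b"x"))
    ah_pkt = Packet(src=sa_ah.src, dst=sa_ah.dst, proto="ah", payload=esp_pkt, spi=sa_ah.spi)
    try:
        sg2.receive(ah_pkt)
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    print(deliver_h1_to_h2())
    print("nested AH-over-ESP to same peer dropped:", nested_same_endpoint_is_dropped())
```

The first scenario is the one the reply allows: SG2 ends two tunnels from two different peers and simply decapsulates twice, consulting a distinct inbound SA each time. The second shows why stacking tunnels to a single peer is a different matter: it only works if that peer installed a second SA for the outer header, which nothing obliges a compliant implementation to do.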



