
Re: ESP and AH used in tunnel mode by a Security Gateway




>>>>> "Stephen" == Stephen Waters <Stephen.Waters@digital.com> writes:
    Stephen> 	I seem to remember asking this question before, but....

    Stephen> 	Although not covered in the IPSEC architecture, is there any
    Stephen> restriction on a Security Gateway
    Stephen> 	applying both ESP and AH in tunnel mode?

    Stephen> 	Thanks, Steve.

  No, you may do so.
  The combined transform was designed to reduce the overhead of doing this,
but you can explicitly do this.
  A likely case where this happens is something like:

        H--------SG1===========SG2-----G
                  <----- AH ---->
        <-----------ESP--------->


  SG2 has negotiated an AH tunnel with SG1, and an ESP tunnel with H.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
 Personal: mcr@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/SSW/>.
	ON HUMILITY: To err is human, to moo bovine.
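Added example (not part of Michael Richardson's message or any IPsec implementation): a small Python model of the nesting in his figure. H builds an ESP tunnel packet addressed to SG2; SG1, which holds no ESP keys, wraps that opaque packet in its own AH tunnel to SG2; SG2 verifies and strips AH first (it is the outer layer), then ESP. Assumptions: the IP header is a simplified 9-byte constructed layout rather than real IPv4 wire format, the ESP cipher is a SHA-256 counter keystream standing in for a real transform, and all keys and addresses are constructed. The protocol numbers (4, 6, 50, 51) are the real IANA values.

```python
import hashlib
import hmac
import struct
from socket import inet_aton, inet_ntoa

PROTO_IPIP, PROTO_TCP, PROTO_ESP, PROTO_AH = 4, 6, 50, 51  # IANA protocol numbers
ICV_LEN = 12   # truncated HMAC, as IPsec integrity transforms do
IP_LEN = 9     # length of the simplified IP header used here (constructed format)


def ip_hdr(src, dst, proto):
    """Simplified IP header: 4-byte src, 4-byte dst, 1-byte next protocol."""
    return inet_aton(src) + inet_aton(dst) + bytes([proto])


def parse_ip(pkt):
    return inet_ntoa(pkt[:4]), inet_ntoa(pkt[4:8]), pkt[8], pkt[IP_LEN:]


def keystream_xor(key, seq, data):
    """Stand-in for ESP's cipher (assumption, not a real transform):
    XOR with a SHA-256 counter keystream keyed by the ESP sequence number."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack("!II", seq, i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def esp_tunnel_encap(enc_key, auth_key, spi, seq, src, dst, inner):
    """Outer IP | ESP(SPI, seq) | encrypted(inner packet + next-header) | ICV."""
    esp_hdr = struct.pack("!II", spi, seq)
    body = keystream_xor(enc_key, seq, inner + bytes([PROTO_IPIP]))
    icv = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr(src, dst, PROTO_ESP) + esp_hdr + body + icv


def esp_tunnel_decap(enc_key, auth_key, pkt):
    _, _, proto, rest = parse_ip(pkt)
    if proto != PROTO_ESP:
        raise ValueError("not an ESP packet")
    esp_hdr, body, icv = rest[:8], rest[8:-ICV_LEN], rest[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    _, seq = struct.unpack("!II", esp_hdr)
    plain = keystream_xor(enc_key, seq, body)
    if plain[-1] != PROTO_IPIP:
        raise ValueError("unexpected ESP next-header")
    return plain[:-1]


def ah_tunnel_encap(auth_key, spi, seq, src, dst, inner):
    """Outer IP | AH(next=IP-in-IP, SPI, seq, ICV) | inner packet.
    The AH ICV covers the outer header, AH itself (ICV zeroed) and all of inner."""
    outer = ip_hdr(src, dst, PROTO_AH)
    ah_fixed = struct.pack("!BII", PROTO_IPIP, spi, seq)
    covered = outer + ah_fixed + bytes(ICV_LEN) + inner
    icv = hmac.new(auth_key, covered, hashlib.sha256).digest()[:ICV_LEN]
    return outer + ah_fixed + icv + inner


def ah_tunnel_decap(auth_key, pkt):
    outer, rest = pkt[:IP_LEN], pkt[IP_LEN:]
    if outer[8] != PROTO_AH:
        raise ValueError("not an AH packet")
    ah_fixed, icv, inner = rest[:9], rest[9:9 + ICV_LEN], rest[9 + ICV_LEN:]
    covered = outer + ah_fixed + bytes(ICV_LEN) + inner
    expected = hmac.new(auth_key, covered, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("AH ICV mismatch")
    return inner


def run_nested_tunnels():
    """Walk one packet H -> SG1 -> SG2 along the figure and report what each hop sees."""
    esp_enc, esp_auth, ah_auth = b"esp-enc-key", b"esp-auth-key", b"ah-auth-key"  # constructed keys
    payload = ip_hdr("10.0.0.1", "10.1.0.9", PROTO_TCP) + b"GET / HTTP/1.0\r\n"
    # H: ESP tunnel terminating at SG2 (H and SG2 hold the ESP keys, SG1 does not)
    at_sg1 = esp_tunnel_encap(esp_enc, esp_auth, 0x1001, 1, "10.0.0.1", "192.0.2.2", payload)
    # SG1: wraps the opaque ESP packet in its AH tunnel to SG2
    on_wire = ah_tunnel_encap(ah_auth, 0x2002, 1, "192.0.2.1", "192.0.2.2", at_sg1)
    # SG2: AH is outermost, so it is checked and stripped first, then ESP
    recovered = esp_tunnel_decap(esp_enc, esp_auth, ah_tunnel_decap(ah_auth, on_wire))
    # any change between SG1 and SG2 (here: the last byte) fails the AH check at SG2
    tampered = bytearray(on_wire)
    tampered[-1] ^= 0x01
    try:
        ah_tunnel_decap(ah_auth, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "payload": payload,
        "recovered": recovered,
        "sg1_sees_plaintext": b"GET / HTTP" in at_sg1,
        "overhead_bytes": len(on_wire) - len(payload),  # 30 for ESP plus 30 for AH here
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(run_nested_tunnels())
```

The order of operations at SG2 is the point of the figure: the AH tunnel SG1 negotiated is the outer layer, so its ICV is checked over the whole ESP packet before SG2 even looks at the ESP header, and SG1 never needs (or has) the ESP keys. The two per-layer overheads added here are what a combined ESP+AH transform would try to reduce.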