
Re: ESP and AH used in tunnel mode by a Security Gateway



Daniel Harkins <dharkins@cisco.com> writes:

>   I don't remember agreeing to that. In fact, the only mention of this
> I remember came up during the IPCOMP and IPSEC thread. On May 28, in 
> <199805282040.NAA01397@orna.mentat.com> Marc Hasson wrote:
> 
>      > 
>      > I guess you could say that ESP is in transport mode, but what about the
>      > case where both AH and ESP are applied to the same packet:
>      > 
>      >      [IP2][AH][ESP][IP1][data]
>      > 
>      > Is AH in transport mode? 
>      
>      Good point.  I can hear people arguing it both ways and am sorry I
>      raised that side tidbit.  What's more important is that we all understand
>      how to process the above, which I think is pretty clear in the specs.
>  
> Yes, I feel we can all process this but it's now apparent that we can't all
> negotiate it. 

>   I think it's better to treat AH as being in tunnel mode in this case.
> It precludes lots of ugly, hard-to-maintain code, it makes UI much simpler,
> and it allows for a wider array of rules to be applied to various sorts of 
> traffic.

I agree wholeheartedly, and was apparently mistaken as to the extent
of the agreement.  I think that it came out of a semi-private
conversation between Steve Kent and myself (probably during the
document reading party at the DC IETF).

Steve -- are you okay with the rationale that Dan presents?  If so,
I'd like to make sure that arch-sec and ipsec-doi are updated
appropriately once we get to play with them again.

If I understand correctly, the suggestion is to treat:

	IP AH ESP IP data
	IP AH ESP IPPCP IP data
	IP ESP IPPCP IP data

as

	AH(tunnel) + ESP(tunnel)
	AH(tunnel) + ESP(tunnel) + IPPCP(tunnel)
	ESP(tunnel) + IPPCP(tunnel)

respectively, at least so far as ISAKMP negotiations are concerned.
I've run into similar configuration issues to those Dan describes
while trying to represent these with both tunnel and transport mode
transforms (which is, in theory, the correct representation), and
would be happy to see the change.


ben
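To make the two representations in the message concrete, here is an added illustration (not code from the list thread, nor from any IPsec implementation) that classifies each security header in a header chain under both conventions. The "strict" rule assumed here is one reading of the per-SA definition: a header is in tunnel mode only when the payload it directly encapsulates is an IP header, otherwise it is in transport mode. The "bundle" rule is the convention Dan proposes: if the bundle carries an inner IP header at all, every security header in it is negotiated as tunnel mode. The header chains are constructed lists of protocol names; the first three are the ones quoted above, the fourth is a transport-mode bundle added for contrast.

```python
"""Classify IPsec/IPCOMP headers in a header chain as tunnel or transport.

Added illustration for the thread, not code from the list or any IPsec stack.
Chains are constructed lists of protocol names, outer header first.
"""

# Headers that get a mode in an ISAKMP negotiation (assumption: IPPCP is
# treated like the security headers, as the message does).
SECURITY_HEADERS = {"AH", "ESP", "IPPCP"}


def strict_modes(chain):
    """One reading of the per-SA definition: a header is tunnel mode only if
    what it directly encapsulates is an IP header, else transport mode.
    Returns [(header, mode), ...] in outer-to-inner order."""
    modes = []
    for i, hdr in enumerate(chain):
        if hdr not in SECURITY_HEADERS:
            continue
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        modes.append((hdr, "tunnel" if nxt == "IP" else "transport"))
    return modes


def bundle_modes(chain):
    """The proposed negotiation convention: if any inner IP header follows the
    outer one, every security header in the bundle is tunnel mode; if the
    bundle carries only an upper-layer payload, every header is transport."""
    if not chain or chain[0] != "IP":
        raise ValueError("chain must start with the outer IP header")
    mode = "tunnel" if "IP" in chain[1:] else "transport"
    return [(h, mode) for h in chain if h in SECURITY_HEADERS]


def describe(modes):
    """Render a mode list the way the message writes it: AH(tunnel) + ESP(tunnel)."""
    return " + ".join(f"{h}({m})" for h, m in modes)


# Constructed header chains; the first three are the ones quoted in the message.
EXAMPLES = [
    ["IP", "AH", "ESP", "IP", "data"],
    ["IP", "AH", "ESP", "IPPCP", "IP", "data"],
    ["IP", "ESP", "IPPCP", "IP", "data"],
    ["IP", "AH", "ESP", "TCP", "data"],  # no inner IP: a transport bundle
]

if __name__ == "__main__":
    for chain in EXAMPLES:
        print(" ".join(chain))
        print("  strict representation:", describe(strict_modes(chain)))
        print("  bundle representation:", describe(bundle_modes(chain)))
```

The difference between the two outputs for the first chain (AH(transport) + ESP(tunnel) versus AH(tunnel) + ESP(tunnel)) is exactly the negotiation mismatch the message is about: both peers can process the packet, but unless they agree on which of the two renderings to put in the proposal, they will not agree on the SA.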
