[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ESP and AH used in tunnel mode by a Security Gateway

To: Stephen Kent <kent@bbn.com>
Subject: Re: ESP and AH used in tunnel mode by a Security Gateway
From: Ben Rogers <ben@ascend.com>
Date: 23 Jul 1998 22:20:00 -0400
Cc: Stephen Waters <Stephen.Waters@digital.com>, ipsec@tis.com
In-Reply-To: Stephen Kent's message of Thu, 23 Jul 1998 16:17:15 -0400
References: Stephen Waters's message of Thu, 23 Jul 1998 14:45:29 +0100 <250F9C8DEB9ED011A14D08002BE4F64C01B14301@wade.reo.dec.com> <v03110718b1dd4a50c868@[128.33.238.94]>
Sender: owner-ipsec@ex.tis.com


Steve,

> >IP AH IP ESP IP DATA
> >
> >You probably intended to apply ESP in tunnel mode and AH in transport
> >mode on top of that:
> 
> Steve cited an SG as the IPsec site in question, so transport mode is not
> applicable, since ALL transit traffic SAs at an SG are tunnel mode.

Even if it is on top of a tunnel mode header?  Given the network:

		      H1-----SG1------SG2-----H2

If we first do tunnel mode ESP:

IP(SG1->SG2) ESP IP(H1->H2) DATA

we are now sending a packet to the other end of the "tunnel" and can
legally encapasulate it with AH in transport mode by absorbing a
little bit of extra functionality.

> >IP AH ESP IP DATA
> >
> >Note that in an ISAKMP negotiation, you would negotiate a single
> >proposal containing an ESP transform with the tunnel mode attribute
> >and an AH transform with the transport mode attribute.  (This is
> >something we agreed to some time ago but which might not have made it
> >into the docs yet.)
> 
> The arch doc does call for tunnel+transport mode support at hosts, not SGs.

And that's not a problem.  The issue is that if two Security Gateways
want to speak both AH and ESP simultaneously (even though this isn't a
requirement), they ought to be able to negotiate it with ISAKMP.

Clearly, this is most accurately described by ESP in tunnel mode
followed by AH in transport mode.  However, as Dan points out, there
are some serious configuration issues if you do this -- the least of
which is the requirement to define two different entries in the SPD
(an ESP, tunnel mode for the traffic between H1 and H2 and an AH
transport mode for ESP traffic between SG1 and SG2).

It would be simpler, as a result, to negotiate both the AH and ESP as
a single ISAKMP proposal, AND to negotiate both with tunnel attributes.

It doesn't seem that anyone has many strong feelings either way
(especially since this isn't a requirement), but it would be nice to
have an agreement documented somewhere in the working group drafts (my
feeling is that ipsec-doi is most appropriate).  It may also be
helpful to describe this special-case use of transport mode AH by
Security Gateways as a "MAY" in the arch-sec document.


ben

Follow-Ups:

Re: ESP and AH used in tunnel mode by a Security Gateway

From: Stephen Kent <kent@bbn.com>

References:

ESP and AH used in tunnel mode by a Security Gateway

From: Stephen Waters <Stephen.Waters@digital.com>

Re: ESP and AH used in tunnel mode by a Security Gateway

From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: Target date and implementation ?
Next by Date: Re: Target date and implementation ?
Prev by thread: Re: ESP and AH used in tunnel mode by a Security Gateway
Next by thread: Re: ESP and AH used in tunnel mode by a Security Gateway
Index(es):
- Main
- Thread