
Re: ESP and AH used in tunnel mode by a Security Gateway
Steve,

Stephen Waters <Stephen.Waters@digital.com> writes:

> Ben,
> 
> Having slept on this, I think I'm going to take a slightly different
> approach for the sake of the sanity of the folk configuring IPSEC.
> 
> Since [IP AH IP ESP IP DATA] isn't of much use, my configuration tool
> asks if a given policy will apply tunnel OR transport mode. If for a
> tunnel mode policy, both ESP and AH are specified, I will interpret
> that as meaning [IP AH ESP IP DATA] - I don't really want to have to
> explain in the documentation that if you want a tunnel to be protected
> with ESP and AH, ESP needs to be specified as tunnel-mode and AH as
> transport mode!

This is exactly the approach that I would recommend taking.  There is
no need to make things difficult on the user (unless you get a
sadistic thrill from taunting them...).

> If this means I'll have to play tricks at the IKE API, then I'll
> live with that.

I guess this depends on who designed your API and how forward-looking
they were.  I'm more concerned about what will get passed on the wire,
and hope that we can agree to a combined proposal with both AH and ESP
having tunnel attributes.

> Sound reasonable?

Sure.


ben
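The header layouts discussed above follow mechanically from the order and mode of the SAs in a bundle. The script below is an added illustration, not code from the original thread or from Steve's configuration tool; the class and function names (SA, apply_bundle, policy_to_bundle) and the simplified header-stack representation are my own assumptions. It applies each SA innermost-first and shows that a tunnel-mode policy naming both ESP and AH maps to one ESP tunnel SA plus one AH transport SA, which is exactly the [IP AH ESP IP DATA] layout, whereas two tunnel SAs yield the less useful [IP AH IP ESP IP DATA].

```python
"""Added example: how IPsec SA order and mode determine the on-the-wire header stack.

Constructed illustration only. It models headers as a sequence of labels and
ignores trailers, SPIs and key material; it exists to make the bundle rules
concrete, not to build packets.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    """One security association in a bundle (assumed name/shape)."""
    proto: str  # "AH" or "ESP"
    mode: str   # "tunnel" or "transport"


def apply_bundle(bundle, payload=("IP", "DATA")):
    """Apply SAs in order (innermost first) and return the header stack.

    transport mode: the IPsec header is inserted directly after the current
                    outermost IP header, protecting what follows it.
    tunnel mode:    the whole current packet becomes the payload of a new
                    outer IP header carrying the IPsec header.
    """
    stack = list(payload)
    for sa in bundle:
        if sa.proto not in ("AH", "ESP"):
            raise ValueError(f"unknown protocol {sa.proto!r}")
        if sa.mode == "transport":
            if stack[0] != "IP":
                raise ValueError("transport SA needs an IP header to attach to")
            stack.insert(1, sa.proto)
        elif sa.mode == "tunnel":
            stack = ["IP", sa.proto] + stack
        else:
            raise ValueError(f"unknown mode {sa.mode!r}")
    return tuple(stack)


def policy_to_bundle(mode, protocols):
    """Translate the simplified UI choice (one mode, one or two protocols)
    into an SA bundle, following the interpretation proposed in the thread.

    ESP is always applied before AH so that AH ends up outermost and covers
    the ESP header. For a tunnel policy naming both protocols, only ESP is
    given tunnel mode; AH is applied in transport mode over the outer packet,
    which yields [IP AH ESP IP DATA] rather than a second encapsulation.
    """
    protos = set(p.upper() for p in protocols)
    if not protos <= {"AH", "ESP"} or not protos:
        raise ValueError("protocols must be a non-empty subset of {AH, ESP}")
    bundle = []
    if "ESP" in protos:
        bundle.append(SA("ESP", mode))
    if "AH" in protos:
        ah_mode = "transport" if ("ESP" in protos and mode == "tunnel") else mode
        bundle.append(SA("AH", ah_mode))
    return bundle


def layout(stack):
    """Render a header stack in the thread's bracket notation."""
    return "[" + " ".join(stack) + "]"


if __name__ == "__main__":
    # Constructed scenarios mirroring the layouts discussed in the thread.
    naive = [SA("ESP", "tunnel"), SA("AH", "tunnel")]
    print("two tunnel SAs:      ", layout(apply_bundle(naive)))
    print("UI tunnel+AH+ESP:    ", layout(apply_bundle(policy_to_bundle("tunnel", ["AH", "ESP"]))))
    print("UI transport+AH+ESP: ", layout(apply_bundle(policy_to_bundle("transport", ["AH", "ESP"]))))
```

The design choice worth noting is that the simplification lives in `policy_to_bundle`: the user picks one mode per policy, and the mapping to per-SA modes happens once, in code, instead of in documentation every administrator has to read.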

