
minor inconsistency in arch doc (maybe)



Just running back through the arch doc when I became a bit confused
about something - maybe someone can help me out here. In section 4.4.2
(selectors), it says in part, 

'- Transport Layer Protocol: Obtained from the IPv4 "Protocol" or the
IPv6 "Next Header" fields. This may be an individual protocol number.
These packet fields may not contain the Transport Protocol due to the
presence of IP extension headers, e.g., a Routing Header, AH, ESP,
Fragmentation Header, Destination Options, Hop-by-Hop options, etc. Note
that the Transport Protocol may not be available in the case of receipt
of a packet with an ESP header, thus a value of "OPAQUE" SHOULD be
supported.'

I've always been under the impression that it is reasonable to use
ESP/AH in this field, and in fact, this permits configuration of nested
SAs, perhaps with different endpoints. The text seems to imply that this
is inappropriate, but I don't think that's what is really meant. Earlier
(section 4.4.1, last paragraph), explicit reference is made to using ESP
as a selector for a discard action:

'Note that a security gateway could prohibit traversal of encrypted
packets in various ways, e.g., having a DISCARD entry in the SPD for ESP
packets or providing proxy key exchange.'

Is the confusion here due to IPv4 vs IPv6 differences, or what?
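The two passages quoted above can be made concrete with a small packet walker and SPD lookup. This is an added illustration, not code from the post, the arch doc, or any IPsec implementation: it derives the Transport Layer Protocol selector from the IPv4 "Protocol" / IPv6 "Next Header" field, walks cleartext extension headers (Hop-by-Hop, Routing, Destination Options, AH, first fragment), yields OPAQUE once it hits ESP or a non-first fragment, and then matches against an ordered first-match SPD in which an entry's protocol selector may be a transport number, ESP/AH itself (the 4.4.1 DISCARD case), OPAQUE, or ANY. The SPD layout, the rule that a protocol selector matches any header in the chain, and all packets are constructed assumptions.

```python
import struct

# IANA protocol / next-header numbers (real values)
HOPOPT, TCP, UDP, IPV6_ROUTE, IPV6_FRAG, ESP, AH, NO_NEXT, IPV6_OPTS = 0, 6, 17, 43, 44, 50, 51, 59, 60
OPAQUE, ANY = "OPAQUE", "ANY"                 # special selector values (OPAQUE as in arch doc 4.4.2)
WALKABLE = {HOPOPT, IPV6_ROUTE, IPV6_OPTS}    # cleartext ext. headers laid out as (next hdr, len/8 - 1, ...)


def _walk(next_hdr, payload):
    """Follow the header chain; return (protocols seen in order, transport or OPAQUE)."""
    seen = []
    while True:
        seen.append(next_hdr)
        if next_hdr == ESP:                    # everything after the ESP header is ciphertext
            return seen, OPAQUE
        if next_hdr == IPV6_FRAG:              # only the first fragment carries the transport header
            if len(payload) < 8:
                return seen, OPAQUE
            nh = payload[0]
            offset = struct.unpack("!H", payload[2:4])[0] >> 3
            if offset != 0:
                return seen, OPAQUE
            next_hdr, payload = nh, payload[8:]
        elif next_hdr == AH:                   # AH is cleartext: length = (Payload Len + 2) * 4 octets
            if len(payload) < 2:
                return seen, OPAQUE
            next_hdr, payload = payload[0], payload[(payload[1] + 2) * 4:]
        elif next_hdr in WALKABLE:             # Hdr Ext Len is in 8-octet units, excluding the first 8
            if len(payload) < 2:
                return seen, OPAQUE
            next_hdr, payload = payload[0], payload[(payload[1] + 1) * 8:]
        else:                                  # a transport protocol (TCP, UDP, ...) or NO_NEXT
            return seen, next_hdr


def protocol_selector(pkt):
    """Read IPv4 Protocol (byte 9) or IPv6 Next Header (byte 6) and walk the chain."""
    version = pkt[0] >> 4
    if version == 4:
        return _walk(pkt[9], pkt[(pkt[0] & 0x0F) * 4:])
    if version == 6:
        return _walk(pkt[6], pkt[40:])
    raise ValueError("not an IPv4/IPv6 packet")


def spd_lookup(spd, pkt):
    """Ordered first-match SPD on the protocol selector only; returns (entry index, action).
    Assumption: a numeric selector matches any header seen in the chain, so an ESP
    entry can express the 4.4.1 'DISCARD encrypted packets' policy even behind Hop-by-Hop."""
    seen, transport = protocol_selector(pkt)
    for i, entry in enumerate(spd):
        sel = entry["proto"]
        if sel == ANY or (sel == OPAQUE and transport == OPAQUE) or sel in seen:
            return i, entry["action"]
    return -1, "DISCARD"                       # no entry: default deny


# --- constructed sample packets (not captured traffic) ---
def ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def ipv6(next_hdr, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      b"\x20\x01" + b"\x00" * 14, b"\x20\x01" + b"\x00" * 13 + b"\x01")
    return hdr + payload


TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, 8192, 0, 0)   # 20-byte SYN
ESP_HDR = struct.pack("!II", 0x1234, 1) + b"\xaa" * 16                           # SPI, seq, ciphertext
AH_HDR = bytes([TCP, 4, 0, 0]) + struct.pack("!II", 0x5678, 1) + b"\xbb" * 12    # Payload Len 4 -> 24 bytes
HBH_HDR = bytes([ESP, 0, 1, 4, 0, 0, 0, 0])                                       # 8-byte Hop-by-Hop, PadN
FRAG_TAIL = bytes([TCP, 0]) + struct.pack("!HI", 185 << 3, 0xDEADBEEF)           # non-first fragment

PACKETS = {
    "v4_tcp": ipv4(TCP, TCP_HDR),
    "v4_esp": ipv4(ESP, ESP_HDR),
    "v6_hbh_esp": ipv6(HOPOPT, HBH_HDR + ESP_HDR),
    "v6_ah_tcp": ipv6(AH, AH_HDR + TCP_HDR),
    "v6_frag_tail": ipv6(IPV6_FRAG, FRAG_TAIL + b"\xcc" * 32),
}

SPD = [                                        # assumed policy for a gateway, first match wins
    {"proto": ESP, "action": "DISCARD"},       # 4.4.1: refuse to forward encrypted packets
    {"proto": TCP, "action": "PROTECT"},
    {"proto": OPAQUE, "action": "PROTECT"},    # transport unknown (e.g. fragment tail): protect anyway
    {"proto": ANY, "action": "DISCARD"},
]

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, protocol_selector(pkt), spd_lookup(SPD, pkt))
```

Running the block prints, for each constructed packet, the header chain seen, the resulting transport selector (a number or OPAQUE), and which SPD entry fired; the AH+TCP case shows why AH can be walked while ESP forces OPAQUE, and the Hop-by-Hop+ESP case shows an ESP DISCARD entry still matching when ESP is not the outermost next header.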
