
Re: minor inconsistency in arch doc (maybe)
Scott,

> I've always been under the impression that it is reasonable to use
> ESP/AH in this field, and in fact, this permits configuration of nested
> SAs, perhaps with different endpoints.

Yes, I agree with that, too.  I think that the "problem" arises from the
ambiguity of the term "Transport Layer Protocol".  In a sense, ESP is a
transport layer protocol (to the closest preceding IP header), but AH
isn't.  As the concepts become more complex, the simple terminology that
was previously clear may not keep up with our more refined concepts.
	(For example, is a security gateway a "Host" or a "Router"?
	 If a "Host", it MUST NOT forward packets not addressed to itself.
	 If a "Router", it MUST run routing protocols and conform to
	 Router Requirements.  I think a SG or firewall may be neither.)

> Is the confusion here due to IPv4 vs IPv6 differences, or what?
I do not think so.

When I read the text you cited, from an implementor's perspective, what I
see is a warning.  The field in a packet corresponding to "Transport Layer
Protocol" is no longer a simple object to find.  It may be in the IPv?
header, or it may be in one of possibly several extension headers (note
both that anything the implementation does not "understand" becomes a
transport protocol, and that some folks are using "extension headers" in
IPv4, and not just AH).  So when the code to find the field is written, it
may have to be called several times to check successive places in a packet
(returning "OPAQUE" when it cannot find any more), or the function may
return a list of values, depending on how one implements things.

At one point (if I remember correctly :-), there was another selector that
tried to distinguish between "Transport Layer Protocol" and extension
headers.  It was removed, maybe because it made things "too complex".
The complexity does not go away, it just permutes into a different form.

Does this correspond to your understanding of what is needed to support the
types of policies we need?  Do you have any suggestions for clearer text?

Charlie
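As an added illustration of the header walk described in the message above (example code, not part of the original thread), here is a walker over constructed IPv6 packets that returns the list of protocol values it passes through, with the last element being what the "Transport Layer Protocol" selector would see. The protocol numbers are the IANA values; the OPAQUE sentinel, the sample packets and the decision to stop at ESP (its Next Header field is inside the encrypted trailer) are assumptions made for this example.

```python
import struct

# IANA protocol numbers used in the walk.
HOPOPT, TCP, IPV6_ROUTE, IPV6_FRAG, ESP, AH, IPV6_OPTS = 0, 6, 43, 44, 50, 51, 60
OPAQUE = "OPAQUE"  # assumed sentinel: the field's value cannot be determined

def header_chain(pkt: bytes) -> list:
    """Walk an IPv6 packet's Next Header chain and return every value seen,
    in order.  The last element is the selector value: the first header the
    walker cannot step over (TCP/UDP, ESP, or anything it does not understand),
    or OPAQUE for a truncated packet or a non-first fragment."""
    if len(pkt) < 40:
        return [OPAQUE]
    nh, off, chain = pkt[6], 40, []
    while True:
        chain.append(nh)
        if nh not in (HOPOPT, IPV6_ROUTE, IPV6_OPTS, AH, IPV6_FRAG):
            return chain            # ESP, TCP/UDP or unknown: this is "the" transport protocol
        if off + 8 > len(pkt):      # every extension header is at least 8 octets
            chain.append(OPAQUE)
            return chain
        if nh == AH:                # AH length field: 32-bit words minus 2
            hdrlen = (pkt[off + 1] + 2) * 4
        elif nh == IPV6_FRAG:       # fixed 8 octets; only the first fragment carries
            hdrlen = 8              # the upper-layer header, so any other offset is OPAQUE
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                chain.append(OPAQUE)
                return chain
        else:                       # Hop-by-Hop, Routing, Dest Opts: 8-octet units minus 1
            hdrlen = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hdrlen

def transport_protocol(pkt: bytes):
    """The single value a selector check would use (last link of the chain)."""
    return header_chain(pkt)[-1]

def ipv6(first_nh: int, payload: bytes) -> bytes:
    """Constructed IPv6 header (not captured traffic) in front of a payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), first_nh, 64,
                       bytes(16), bytes(16)) + payload

# Constructed samples: Hop-by-Hop -> AH -> TCP; a non-first fragment; ESP; an unknown value.
SAMPLES = {
    "hbh_ah_tcp": ipv6(HOPOPT, bytes([AH, 0, 1, 4, 0, 0, 0, 0])       # HBH with one PadN option
                       + bytes([TCP, 4, 0, 0]) + bytes(20)            # AH, 24 octets incl. 12-octet ICV
                       + bytes(20)),                                   # zeroed TCP header
    "later_fragment": ipv6(IPV6_FRAG, bytes([TCP, 0]) + struct.pack("!H", 100 << 3) + bytes(4) + b"data"),
    "esp": ipv6(ESP, bytes(16)),
    "unknown_253": ipv6(253, b""),
}
```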