RE: IBM VPN Bakeoff Issues

[Stephen Waters <Stephen.Waters@digital.com>]

>> If we consider that a fixed order is assumed, and that we will never
>> support ESP and ESP, there are only 4 kinds of bundles possible:
>> IPCOMP+ESP, IPCOMP+AH, ESP+AH, and IPCOMP+ESP+AH.

>I do not agree with this; maybe its just mixed terminology again.
>I thought that a "bundle" was a set of SAs that were all applied to
>a packet in a single security gateway, originating (or terminating).
>If that definition is correct, it does not say anything about the
>other end of those SAs having to terminate (or originate) at a
>single security gateway.  Thus one can certainly have an ESP + ESP
>"bundle", etc. (both originating at SG1 and one terminating at SG2
>and the other at SG3).

I think we are talking about 'adjacencies' here, and adjacent headers are
always
stripped by the same source/dest pair.  You can have ESP+ESP, but not as 
adjacent headers.  If SG1 wants to send ESP to SG2 and SG3, it would need:

[IP1-SG2][ESP1][IP2-SG3][ESP2][the rest].

How else could SG2 strip ESP1 and then forward the packet to SG3 to do the
same?

The architecture only talks about adjacencies for transport mode - although
I don't see
the need to restrict it to transport mode,  this is a useful example:  if
the protocols are adjacent,
they must be added/stripped by the same pair since the encapsulating IP
header applies to them
all.

Steve.

---

• Prev by Date: RE: IBM VPN Bakeoff Issues
• Next by Date: IKE vs ISAKMP/Oakley
• Prev by thread: Re: IBM VPN Bakeoff Issues
• Next by thread: RE: IBM VPN Bakeoff Issues
• Index(es):
  • Main
  • Thread