
RE: IBM VPN Bakeoff Issues



Steve
>
>Yes, a point that was not raised at the workshop.  We did a test with AH+ESP
>in tunnel mode. We took this to mean AH+ESP adjacent with a shared tunnel
>header.  The other vendor took this to mean IP1+AH+IP2+ESP+IP3.  There was
>some agreement that a proposal that offered AH-tunnel AND ESP-tunnel should
>mean a shared tunnel-header, but maybe we need more text somewhere.

As I have mentioned in other recent messages, there was an explicit
decision to not support the combination of AH+ESP in tunnel mode, as
opposed to transport mode.  It was seen as redundant.  Thus I would agree
with the other vendor's interpretation.

>> Therefore, for the current version of IPSec, make the following
>> statements:
>
>> 1) The order of application of services, from inner header to outer, MUST
>> be IPCOMP, ESP and AH when more than one service is present.

Already true for transport mode, not needed for tunnel, unless there is a
change of heart about the previous decision.

>> 2) The encapsulation mode of all services offered MUST match the
>> encapsulation mode of the bundle as a whole.

Well, remember that a bundle can apply to traffic terminating at two
different endpoints, specifically the required combination of a tunnel SA
to an SG with a transport SA to a host behind the SG.

>> 3) The order of the services in the ANDed offer is not required to be any
>> particular order. Responders may change the order when selecting the bundle.
>
>> 4) The entire bundle expires when any one of the services within the
>> bundle expires.
>[[SW]] and IPCOMP MUST be accompanied by a security protocol.

See note above about bundles with only one common endpoint.

Steve
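As an added illustration (not code from this thread, from either vendor, or from any IPsec implementation), the following Python models the ordering rules proposed above and the two readings of an AH-tunnel + ESP-tunnel bundle that collided at the bakeoff; the service and mode names are the thread's, and shared_tunnel_header is an assumed name for the first vendor's shared-header reading.

```python
# Toy model of the SA-bundle rules discussed in this thread (added example,
# not code from the thread, from any IPsec implementation or from an RFC).
# Service and mode names are the thread's; shared_tunnel_header is an
# assumed name for the first vendor's reading of AH-tunnel + ESP-tunnel.

# Inner-to-outer order of application when more than one service is present.
ORDER = ["IPCOMP", "ESP", "AH"]


def validate_bundle(bundle):
    """bundle: list of (service, mode) pairs as offered, in any order.
    Returns the bundle in the mandated inner-to-outer order, or raises."""
    services = [s for s, _ in bundle]
    if any(s not in ORDER for s in services) or len(set(services)) != len(services):
        raise ValueError(f"bad service list {services}")
    if any(m not in ("transport", "tunnel") for _, m in bundle):
        raise ValueError("mode must be transport or tunnel")
    # IPCOMP is not a security protocol: it must travel with AH or ESP.
    if "IPCOMP" in services and not {"AH", "ESP"} & set(services):
        raise ValueError("IPCOMP must be accompanied by AH or ESP")
    # Responders may reorder the ANDed offer; canonicalise it here.
    return sorted(bundle, key=lambda sm: ORDER.index(sm[0]))


def encapsulate(bundle, shared_tunnel_header=False):
    """Apply each SA inner to outer; return the header stack outer to inner.
    Default (the reading the reply agrees with): every tunnel-mode SA adds
    its own IP header, so AH-tunnel + ESP-tunnel gives IP1+AH+IP2+ESP+IP3.
    shared_tunnel_header=True: tunnel-mode SAs share one outer IP header,
    giving IP1+AH+ESP+IP2 (the reading the first vendor tested)."""
    stack = ["IP", "DATA"]          # the original packet
    have_shared_header = False
    for service, mode in validate_bundle(bundle):
        if mode == "transport" or (shared_tunnel_header and have_shared_header):
            stack.insert(1, service)    # behind the current outer IP header
        else:                           # tunnel: wrap in a new IP header
            stack = ["IP", service] + stack
            have_shared_header = shared_tunnel_header
    # Number the IP headers outer to inner, the way the message writes them.
    out, n = [], 0
    for h in stack:
        if h == "IP":
            n += 1
            h = f"IP{n}"
        out.append(h)
    return "+".join(out)
```

The mixed case (ESP transport to a host behind an SG plus AH tunnel to the SG) is also accepted, since the order rule is applied regardless of mode.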

