RE: IBM VPN Bakeoff Issues
>> Yes, a point that was not raised at the workshop. We did a test with AH+ESP
>> in tunnel mode. We took this to mean AH+ESP adjacent with a shared tunnel
>> header. The other vendor took this to mean IP1+AH+IP2+ESP+IP3. There was
>> some agreement that a proposal that offered AH-tunnel AND ESP-tunnel should
>> mean a shared tunnel-header, but maybe we need more text somewhere.
>
> Maybe I'm not understanding this. Looking at the four possible combinations,
> this is my understanding of how transport & tunnel mode combine:
>
> AH-transport + ESP-transport:
>   IP1 AH ESP transport
> AH-transport + ESP-tunnel:
>   IP1 AH ESP IP2 transport
> AH-tunnel + ESP-transport:
>   IP1 AH IP2 ESP transport
> AH-tunnel + ESP-tunnel:
>   IP1 AH IP2 ESP IP3 transport
>
> Rich
I think the discussion is going along the line that, if the protocol headers are adjacent, they are the same mode and should be declared as such in the proposal. There is room for confusion both ways, but we need to agree on one interpretation (or just cope with different interpretations). For example, AH-transport+ESP-tunnel could be interpreted as IP2 ESP IP1 AH transport. To me, if I am tunneling a packet and, for some reason, want to protect it with AH+ESP, I don't want to add two IP-tunnel headers, and it seems more 'logical' to call both tunnel-mode (since I did not originate the packet and the protection header is not adjacent to a transport protocol, as in the normal transport case).

For me, the only reason to do 'IP3 AH IP2 ESP IP1 transport' would be if IP3 and IP2 had different source or destination addresses, and in that case it is more of a policy-bundle where multiple SAs are established to different hosts (usually) with different main/quick mode exchanges.

For SA-bundles of adjacent AH and ESP, there are only two useful options: AH-transport,ESP-transport (IP1 AH ESP transport) and AH-tunnel,ESP-tunnel (IP2 AH ESP IP1 transport).

If I wanted to build IP3 AH IP2 ESP IP1 transport, I would expect to do one main/quick mode exchange with IP2 to agree on an ESP tunnel, and then another main/quick mode with IP3 for an AH tunnel (they would probably get requested in the opposite order, but that would be the order they 'came up').

Cheers, Steve.
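The two interpretations in this thread (a shared tunnel header, "IP1 AH ESP ...", versus separate tunnel headers, "IP1 AH IP2 ESP ...") differ in what is visible on the wire before the ESP payload. The following is an added example, not code from the thread or from either vendor: it constructs the two header layouts from minimal IPv4, AH (IP protocol 51) and ESP (IP protocol 50) headers and walks the outer chain the way a bakeoff tester might when checking which layout a peer actually emitted. Header numbering is outer-first (IP1 is the outermost header, unlike Steve's inner-first numbering), all addresses, SPIs and the zero-filled ICV are constructed sample values, and the IPv4 checksum is left at zero since nothing here validates it.

```python
from __future__ import annotations
import struct

# IP protocol numbers used in the header chain.
IPPROTO_IPIP = 4    # IP-in-IP: an encapsulated (tunnel) IP header follows
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51


def ipv4_header(proto: int, payload_len: int,
                src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, no options); checksum left zero (constructed sample)."""
    def ip2b(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip2b(src), ip2b(dst))


def ah_header(next_hdr: int, icv_len: int = 12, spi: int = 0x1001, seq: int = 1) -> bytes:
    """AH header: next header, payload length (in 32-bit words minus 2), reserved, SPI, seq, ICV.
    The ICV is zero-filled here because this example only models header layout."""
    total = 12 + icv_len
    assert total % 4 == 0, "AH length must be a multiple of 4 bytes"
    return struct.pack("!BBHII", next_hdr, total // 4 - 2, 0, spi, seq) + b"\x00" * icv_len


def esp_header(spi: int = 0x2002, seq: int = 1, ciphertext: bytes = b"\xaa" * 16) -> bytes:
    """ESP header: SPI, sequence number, then the opaque (encrypted) payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def build_shared_tunnel() -> bytes:
    """AH-tunnel,ESP-tunnel with one shared tunnel header: IP1 AH ESP [encrypted inner IP + transport]."""
    esp = esp_header()
    ah = ah_header(IPPROTO_ESP)
    return ipv4_header(IPPROTO_AH, len(ah) + len(esp)) + ah + esp


def build_separate_tunnels() -> bytes:
    """Two tunnel headers, the other vendor's reading: IP1 AH IP2 ESP [encrypted inner IP + transport]."""
    esp = esp_header()
    inner = ipv4_header(IPPROTO_ESP, len(esp)) + esp
    ah = ah_header(IPPROTO_IPIP)
    return ipv4_header(IPPROTO_AH, len(ah) + len(inner)) + ah + inner


def header_chain(pkt: bytes) -> list[str]:
    """Walk the header chain outer-to-inner across IP and AH headers.
    Stops at ESP (everything after its header is ciphertext) or at a transport protocol."""
    chain: list[str] = []
    off, ip_n = 0, 0
    proto = IPPROTO_IPIP  # the buffer itself starts with an IP header
    while True:
        if proto == IPPROTO_IPIP:
            ip_n += 1
            chain.append(f"IP{ip_n}")
            ihl = (pkt[off] & 0x0F) * 4     # header length from the IHL nibble
            proto = pkt[off + 9]            # protocol field
            off += ihl
        elif proto == IPPROTO_AH:
            chain.append("AH")
            proto = pkt[off]                # AH next-header field
            off += (pkt[off + 1] + 2) * 4   # AH payload-length field is in 32-bit words minus 2
        elif proto == IPPROTO_ESP:
            chain.append("ESP")
            return chain
        else:
            chain.append("transport")
            return chain


def shares_tunnel_header(chain: list[str]) -> bool:
    """True when AH and ESP are adjacent, i.e. a single tunnel header covers both."""
    return any(a == "AH" and b == "ESP" for a, b in zip(chain, chain[1:]))


if __name__ == "__main__":
    for name, pkt in (("shared tunnel header", build_shared_tunnel()),
                      ("separate tunnel headers", build_separate_tunnels())):
        chain = header_chain(pkt)
        print(f"{name}: {' '.join(chain)}  adjacent AH+ESP: {shares_tunnel_header(chain)}")
```

The walk can only tell the two tunnel layouts apart; because it stops at the ESP header, AH-transport,ESP-transport (IP1 AH ESP transport) and the shared-header AH-tunnel,ESP-tunnel case look identical from outside, which is exactly why the proposal has to state the intended mode rather than leaving it to be inferred from the packets.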