
Re: IBM VPN Bakeoff Issues



  This has been discussed before. There was a whole "ESP and AH used
in tunnel mode by a Security Gateway" thread back in July. In that
thread I noted that we were discussing something that was discussed
back in May when the issue was ESP and IPPCP. 

  What was agreed to back then was that for a _security gateway_, any
transit traffic MUST be in tunnel mode so that in IP AH ESP IP <foo>
both AH and ESP would be in tunnel mode. Steve Kent noted that this
is not required by the Arch Doc (but I guess it's not forbidden
either). So if that's the way a security gateway negotiates it why
would we want to do something different for an end host? Aren't these
things complicated enough?

  Dan.

On Fri, 06 Nov 1998 08:34:07 PST you wrote
> > If you're saying 'IKE proposal ordering should have no 
> > significance', I agree.
> 
> I think it should have significance.
> 
> > I think it would also make sense to say that all 'AND' 
> > proposals are the same mode (tunnel or transport)
> > and MUST be adjacent and performed on the data in the 
> > 'right' order (IPCOMP,ESP,AH)
> > and appear in the packet in that order (building outwards).
> > 
> > Of the AH+ESP test we did last week, I had no problems with 
> > AH+ESP in transport mode, but 
> > our interpretation of AH-tunnel AND ESP-tunnel was different 
> > from another vendor's. We thought it
> > should be 'IP AH ESP IP upper', and they thought it should be 
> > 'IP AH IP ESP IP upper'.
> 
> I agree with "they". If you want to specify "IP AH ESP IP upper", then ask
> for AH-transport AND ESP-tunnel.
> 
> Rich
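To make the disputed layouts concrete, here is an added example (not code from the thread or from any vendor's implementation) that models the "building outwards" reading in the quoted message: each proposal in an AND bundle is applied to the packet in the order IPCOMP, ESP, AH, transport mode inserting its header behind the current outer IP header and tunnel mode wrapping the whole packet in a new IP header. The header tokens and the `header_chain` function are illustrative constructions, not any parser or standard API.

```python
# Added example: model the header chain an IKE "AND" bundle produces when the
# protocols are applied "building outwards" (IPCOMP, then ESP, then AH).
# Header names are plain string tokens; no real packets are built.

# Order in which the protocols are applied to the data (innermost first).
APPLY_ORDER = ("IPCOMP", "ESP", "AH")


def header_chain(bundle, inner="upper"):
    """Return the outer-to-inner header list for a proposal bundle.

    bundle: list of (protocol, mode) pairs, e.g. [("AH", "tunnel"), ("ESP", "tunnel")].
    inner:  token for the original upper-layer payload (constructed placeholder).
    """
    modes = dict(bundle)
    if len(modes) != len(bundle):
        raise ValueError("a protocol may appear only once in an AND bundle")
    unknown = set(modes) - set(APPLY_ORDER)
    if unknown:
        raise ValueError("unknown protocol(s) in bundle: %s" % sorted(unknown))

    # The original packet: its IP header followed by the upper-layer data.
    chain = ["IP", inner]
    for proto in APPLY_ORDER:
        if proto not in modes:
            continue
        mode = modes[proto]
        if mode == "transport":
            # Transport mode: header goes between the current outer IP header
            # and whatever it currently carries.
            chain.insert(1, proto)
        elif mode == "tunnel":
            # Tunnel mode: the entire current packet becomes the payload of a
            # fresh outer IP header, so one more IP header appears.
            chain = ["IP", proto] + chain
        else:
            raise ValueError("mode must be 'transport' or 'tunnel', got %r" % mode)
    return chain


def ip_header_count(chain):
    """Number of IP headers in a chain; each tunnel-mode SA adds one."""
    return chain.count("IP")


if __name__ == "__main__":
    # The two readings from the thread, side by side.
    for bundle in ([("AH", "tunnel"), ("ESP", "tunnel")],
                   [("AH", "transport"), ("ESP", "tunnel")]):
        print(bundle, "->", " ".join(header_chain(bundle)))
```

Under this reading, AH-tunnel AND ESP-tunnel yields "IP AH IP ESP IP upper" (two tunnel headers), while "IP AH ESP IP upper" is what AH-transport AND ESP-tunnel produces.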
