
Re: IBM VPN Bakeoff Issues



On Fri, 06 Nov 1998 16:16:21 PST you wrote
> Stephen Waters wrote:
> > I think the discussion is going along the line that, if the protocols
> > headers are adjacent,
> > they are the same mode and should be declared as such in the proposal.
> > 
> 
> If the discussion is really going along this line, then it has gone
> wrong. AH transport wrapped around an ESP tunnel looks like this:
> 
> [IP2][AH][ESP][IP1][DATA][TLR]
> 
> Clearly, the AH and ESP headers are adjacent, yet the modes are
> different, and should be declared as such in the proposal.

You mean proposal_s_.

Proposing AH&ESP to protect tunneled traffic between 2 hosts is different than
proposing ESP to protect tunneled traffic between 2 hosts (STOP, separate 
negotiation) and then proposing AH to protect ESP traffic in transport mode 
between the 2 gateways. You can't express the "...protect ESP traffic" part 
of the AH proposal without specific client IDs which would be different than 
the client IDs for the ESP traffic. Since client IDs must be consistent across
all offers they have to be separate proposals.

Yea, I guess these two things would be constructed pretty much the same.
Weird. But they'd be processed differently and they are negotiated 
differently. 

(Just for the record, I'm not saying AH in transport protecting ESP in
tunnel protecting the protected packets is a good thing. In fact, I think
we're right in not requiring support for such a beast). 

  Dan.
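The [IP2][AH][ESP][IP1][DATA][TLR] layout quoted above, as an added example that is not part of this thread: it constructs such a packet (assumed NULL encryption and 96-bit ICVs, constructed addresses and SPIs) and walks the header chain, deriving each header's mode from its next-header field rather than from adjacency. ESP's next-header lives in the trailer and is only readable here because nothing is encrypted.

```python
import struct

# IP protocol numbers from the IANA registry.
IPV4_IN_IP, IPV6_IN_IP, TCP, ESP, AH = 4, 41, 6, 50, 51
ICV_LEN = 12  # assumed HMAC-*-96 truncated ICV for both AH and ESP

def ipv4_header(proto, src, dst, total_len):
    """Minimal 20-byte IPv4 header; checksum left zero for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst))

def build_sample_packet():
    """Constructed [IP2][AH][ESP][IP1][DATA][TLR] packet with NULL encryption."""
    data = b"hello"
    inner = ipv4_header(TCP, (10, 0, 0, 1), (10, 0, 1, 1), 20 + len(data)) + data
    # ESP: header (SPI, seq) + payload + trailer (padding, pad len, next hdr) + ICV.
    pad = b"\x00" * ((4 - (len(inner) + 2) % 4) % 4)
    esp = (struct.pack("!II", 0x1001, 1) + inner + pad
           + bytes([len(pad), IPV4_IN_IP]) + b"\x00" * ICV_LEN)
    # AH: next hdr, payload len (32-bit words minus 2), reserved, SPI, seq, ICV.
    ah_words = (12 + ICV_LEN) // 4
    ah = struct.pack("!BBHII", ESP, ah_words - 2, 0, 0x2002, 1) + b"\x00" * ICV_LEN
    outer = ipv4_header(AH, (192, 0, 2, 1), (198, 51, 100, 1),
                        20 + len(ah) + len(esp))
    return outer + ah + esp

def header_chain(pkt):
    """Return (protocol, mode) for each IPsec header, following next-header fields."""
    chain = []
    proto, off = pkt[9], (pkt[0] & 0x0F) * 4
    while proto in (AH, ESP):
        if proto == AH:
            nxt, plen = pkt[off], pkt[off + 1]
            off += (plen + 2) * 4
        else:
            # ESP's next-header is in the trailer, just before the ICV; with real
            # encryption this byte is unreadable until the SA is decrypted.
            nxt = pkt[-ICV_LEN - 1]
        # Tunnel mode means the header carries a complete IP packet; anything
        # else (TCP, another IPsec header, ...) is transport mode.
        mode = "tunnel" if nxt in (IPV4_IN_IP, IPV6_IN_IP) else "transport"
        chain.append(("AH" if proto == AH else "ESP", mode))
        proto = nxt
    return chain
```

For the constructed packet the walker reports AH in transport mode (its next-header is ESP) followed by ESP in tunnel mode (its trailer's next-header is IPv4), the two distinct modes the quoted text points out despite the adjacent headers.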


