[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IBM VPN Bakeoff Issues

To: Richard Draves <richdr@microsoft.com>
Subject: Re: IBM VPN Bakeoff Issues
From: Daniel Harkins <dharkins@cisco.com>
Date: Fri, 06 Nov 1998 17:55:23 -0800
cc: "Scott G. Kelly" <skelly@redcreek.com>, Stephen Waters <Stephen.Waters@digital.com>, ipsec@tis.com
In-reply-to: Your message of "Fri, 06 Nov 1998 17:38:24 PST." <4D0A23B3F74DD111ACCD00805F31D8100AF81630@RED-MSG-50>
Sender: owner-ipsec@ex.tis.com

  Not with IKE. What you're asking for is AH protecting ESP protecting
foo. To clarify the AH offer (that it's for ESP) you need client IDs
that say "This offer applies to protocol 50". To clarify the ESP offer
(that it's for foo) you also need client IDs that say "This offer applies
to foo". You can't express all that together in one offer. The same goes
for PFS. If you want group 5 for ESP and group 1 for AH you can't do it
all in one offer. It has to be separate.

  Dan.

On Fri, 06 Nov 1998 17:38:24 PST you wrote
> 
> Suppose someone in the future, for some reason we don't understand now,
> wants to use AH transport wrapped around ESP tunnel, directly between two
> hosts? Could this be negotiated with one proposal asking for AH-transport +
> ESP-tunnel?
> 
> Rich

References:

RE: IBM VPN Bakeoff Issues

From: Richard Draves <richdr@microsoft.com>

Prev by Date: RE: IBM VPN Bakeoff Issues
Next by Date: Re: IBM VPN Bakeoff Issues
Prev by thread: RE: IBM VPN Bakeoff Issues
Next by thread: Re: Comments on draft-ietf-ipsec-pki-req-01.txt
Index(es):
- Main
- Thread