
RE: transform tunnel/transport attributes



If we go this route, then we need an additional clarification
in here then: that the responder to the ANDed proposal MUST NOT
change the order of the ANDed proposals.

I say this because we saw it happen at the interoperability
workshop, and it confused the initiating implementation, since
it relied on order.

---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617


> -----Original Message-----
> From: Michael C. Richardson [mailto:mcr@sandelman.ottawa.on.ca]
> Sent: Monday, November 09, 1998 6:47 AM
> To: ipsec@tis.com
> Subject: Re: transform tunnel/transport attributes 
> 
> 
> 
> >>>>> "Stephen" == Stephen Waters <Stephen.Waters@digital.com> writes:
>     Stephen> "For ANDed proposals, the 'mode' MUST be the same, and the
>     Stephen> protocol headers applied MUST be applied adjacent to each other.
>     Stephen> If multiple proposals are required to protect a packet, and they
>     Stephen> are to be applied in different modes, this is achieved by using
>     Stephen> multiple Phase-2 negotiations".
> 
>   The only thing missing is whether the proposals that are in the same
> mode are to be applied inside-out, or outside-in:
> 
>  "For ANDed proposals, the 'mode' MUST be the same, and the protocol headers
> applied MUST be applied adjacent to each other. The first proposal describes
> the inner-most (first on encryption/authentication/compression, last on
> decryption/checking/decompression) transform to be applied, with the last
> proposal describing the outermost transform. If multiple proposals are
> required to protect a packet, and they are to be applied in different modes,
> this is achieved by using multiple Phase-2 negotiations, the
> applicability/order of them to be determined by the selectors used."
> 
>    :!mcr!:            |  Network and security consulting/contract programming
>    Michael Richardson |         Firewalls, TCP/IP and Unix administration
>  Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
>  Corporate: http://www.sandelman.ottawa.on.ca/SSW/
> 	ON HUMILITY: To err is human, to moo bovine.
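The two rules discussed in this thread (ANDed proposals share one mode and are applied inner-most first, and the responder must echo them back in the initiator's order) are easy to state and, as the interoperability workshop showed, easy to get wrong. The following is an added example, not code from the thread or from any IKE implementation, showing how an initiator can validate a responder's reply against the bundle it offered and derive the outbound/inbound application order. The `Proposal` data model, the mode and protocol strings, and the sample bundles are constructed for illustration and are not an ISAKMP wire encoding.

```python
"""Validate an IKE Phase-2 responder's answer to an ANDed proposal bundle.

Rules applied (from the thread):
  * every proposal in an ANDed bundle MUST carry the same mode;
  * the responder MUST NOT reorder the ANDed proposals;
  * the first proposal is the inner-most transform: applied first on the
    outbound side, last on the inbound side.

Added example; data model and sample values are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Proposal:
    proposal_no: int   # ISAKMP proposal number; equal numbers mean "ANDed"
    protocol: str      # "AH", "ESP" or "IPCOMP"
    mode: str          # encapsulation mode attribute: "tunnel" or "transport"


def check_anded_bundle(offered: List[Proposal], answered: List[Proposal]) -> List[str]:
    """Return a list of problems; an empty list means the answer is acceptable."""
    problems: List[str] = []

    # All proposals in one ANDed bundle must carry the same proposal number.
    if len({p.proposal_no for p in offered}) != 1:
        problems.append("offered proposals do not share one proposal number (not an ANDed bundle)")

    # Rule 1: a single mode across the whole bundle.
    modes = {p.mode for p in offered}
    if len(modes) > 1:
        problems.append("ANDed proposals mix modes: %s" % ", ".join(sorted(modes)))

    # Rule 2: the responder must echo the bundle back in the same order.
    if len(answered) != len(offered):
        problems.append("responder returned %d proposals, initiator offered %d"
                        % (len(answered), len(offered)))
        return problems

    offered_protos = [p.protocol for p in offered]
    answered_protos = [p.protocol for p in answered]
    if offered_protos != answered_protos:
        if sorted(offered_protos) == sorted(answered_protos):
            problems.append("responder changed the order of the ANDed proposals: offered %s, got %s"
                            % (offered_protos, answered_protos))
        else:
            problems.append("responder returned a different protocol set: offered %s, got %s"
                            % (offered_protos, answered_protos))

    for i, (a, b) in enumerate(zip(offered, answered)):
        if a.mode != b.mode:
            problems.append("position %d: offered mode %s, responder returned %s" % (i, a.mode, b.mode))

    return problems


def application_order(bundle: List[Proposal], direction: str) -> List[str]:
    """Order in which the bundle's protocol headers are applied.

    outbound (encrypt/authenticate/compress): first proposal is inner-most, applied first.
    inbound  (decrypt/check/decompress):      reverse of the outbound order.
    """
    if direction not in ("outbound", "inbound"):
        raise ValueError("direction must be 'outbound' or 'inbound'")
    protos = [p.protocol for p in bundle]
    return protos if direction == "outbound" else list(reversed(protos))


# Constructed sample bundles (assumed values, not from the thread).
OFFERED = [Proposal(1, "ESP", "tunnel"), Proposal(1, "AH", "tunnel")]
ANSWER_OK = [Proposal(1, "ESP", "tunnel"), Proposal(1, "AH", "tunnel")]
ANSWER_REORDERED = [Proposal(1, "AH", "tunnel"), Proposal(1, "ESP", "tunnel")]
OFFERED_MIXED = [Proposal(1, "ESP", "transport"), Proposal(1, "AH", "tunnel")]

if __name__ == "__main__":
    print("ok answer:       ", check_anded_bundle(OFFERED, ANSWER_OK))
    print("reordered answer:", check_anded_bundle(OFFERED, ANSWER_REORDERED))
    print("mixed modes:     ", check_anded_bundle(OFFERED_MIXED, OFFERED_MIXED))
    print("outbound order:  ", application_order(OFFERED, "outbound"))
    print("inbound order:   ", application_order(OFFERED, "inbound"))
```

An initiator that runs `check_anded_bundle` on the responder's SA payload before installing the bundle would reject the reordered answer seen at the workshop instead of silently applying the headers in the wrong sequence.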