Re: IBM VPN Bakeoff Issues

["Scott G. Kelly" <skelly@redcreek.com>]

Hi Steve,

Stephen Kent wrote:
>
> Transport mode is used between two IP processing endpoints, mot
> intetrmediate processing points, so one would not use AH in transport mode
> between two SGs, and thus the combination you descibe is not valid, under
> the current architecture. Remember, the differences between tunnel and
> transport mode affect the checking performed on IP headers, not just the
> question of what is the next protocol field.  When AH is used in transport
> mode, the IP header it encapsulates is the one checked against the SPD.  Is
> that really what you want here?
> 

As for the desired effect, why else would we apply AH to an encapsulated
packet? See the related thread for the rest of the discussion on this
topic. I think that given the current language, I *can* wrap an AH
transport mode SA around an ESP tunnel between 2 gateways. I've tossed
out the notion that ESP is a transport protocol which the SGWs
terminate, meaning a transport-mode SA applied to this traffic is
reasonable. I remain open to further discussion on this point, as it has
important implications.

> >I recognize all too well how these restrictions would simplify
> >processing, but don't think that makes for a good reason to modify the
> >spec.
> 
> I'm not talking about modifying the spec. <trimmed...>

Right. That comment wasn't aimed at you, but rather at the earlier
discussion about adding new protocol numbers for every SA bundle
combination we can think of. Sorry, I didn't mean to muddle things.

Scott

---

References:

• RE: IBM VPN Bakeoff Issues
• From: Stephen Kent <kent@bbn.com>
• Re: IBM VPN Bakeoff Issues
• From: Stephen Kent <kent@bbn.com>

---

• Prev by Date: Re: IBM VPN Bakeoff Issues
• Next by Date: A question about XAUTH
• Prev by thread: Re: IBM VPN Bakeoff Issues
• Next by thread: RE: IBM VPN Bakeoff Issues
• Index(es):
  • Main
  • Thread