
Re: transform tunnel/transport attributes



  The order of offer in IKE shouldn't matter. If they're negotiated in
a bundle we do PCP before ESP before AH regardless of how they appear
in the offered bundle. If you negotiated ESP to protect AH traffic
between SGs (for traffic analysis protection for instance) and that AH
traffic protected some transient traffic to which PCP was also applied
you could get |IP|ESP|AH|PCP|IP|data| crossing the wire but then it's two 
separate negotiations and the bundle is AH&PCP and you still do PCP 
before AH.

  Dan.

On Tue, 10 Nov 1998 16:09:06 +0530 you wrote
> 
> On Mon, 9 Nov 1998, Michael C. Richardson wrote:
> 
> >   The only thing missing is whether the proposals that are in the same
> > mode are to be applied inside-out, or outside-in:
> > 
> >  "For ANDed proposals, the 'mode' MUST be the same, and the protocol headers
> > applied MUST be applied adjacent to each other. The first proposal describes
> > the inner-most (first on encryption/authentication/compression, last on
> > decryption/checking/decompression) transform to be applied, with the last
> > proposal describing the outer most transform. If multiple proposals are
> > required to protect a packet, and they are to be applied in different modes,
> > this is achieved by using multiple Phase-2 negotiations, the
> > applicability/order of them to be determined by the selectors used."
> 
> What is the order currently implemented by most implementations? If you
> see the second example in the ISAKMP draft on pages 49-50, the first
> protocol is AH and the second ESP. This seemed to indicate that the order
> of the protocols is outer to inner rather than inner to outer, since the
> supported combination is AH ESP. It seems more intuitive to interpret the
> order in the way it appears in a processed packet - outer to inner.
> 
> Anupama
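
The ordering rule Dan states above (within one negotiated bundle, PCP is applied before ESP before AH regardless of how the proposals were ordered in the offer, and a second negotiation nests outside the first) can be checked with a small model. The following Python is an added example, not code from this thread or from any IPsec implementation; it represents a packet as a list of header names, assumes one outer IP header per tunnel-mode bundle and ignores IP options, and the function names (`canonical_order`, `apply_bundle`, `process_inbound`, `sg_example`) are this example's own.

```python
"""Model of IPsec bundle ordering: PCP before ESP before AH on output,
reversed on input, independent of the order the proposals were offered in."""

from typing import List, Sequence

# Outbound application order within one negotiated bundle
# (innermost transform first): compress, then encrypt, then authenticate.
APPLY_ORDER = {"PCP": 0, "ESP": 1, "AH": 2}


def canonical_order(bundle: Sequence[str]) -> List[str]:
    """Return the bundle's protocols in outbound application order.

    The order in which the proposals appeared in the IKE offer is discarded;
    only the set of negotiated protocols matters.
    """
    unknown = set(bundle) - APPLY_ORDER.keys()
    if unknown:
        raise ValueError(f"unknown protocol(s) in bundle: {sorted(unknown)}")
    return sorted(set(bundle), key=APPLY_ORDER.__getitem__)


def apply_bundle(packet: List[str], bundle: Sequence[str], mode: str) -> List[str]:
    """Apply one negotiated bundle to an outbound packet and return the
    resulting header stack, outermost header first.

    Tunnel mode adds a new outer IP header in front of the whole packet;
    transport mode inserts the protocol headers after the existing IP header.
    The protocol headers are adjacent, with the last-applied (AH) outermost.
    """
    wire_headers = list(reversed(canonical_order(bundle)))  # outer -> inner
    if mode == "tunnel":
        return ["IP"] + wire_headers + packet
    if mode == "transport":
        if not packet or packet[0] != "IP":
            raise ValueError("transport mode needs an IP header to insert after")
        return ["IP"] + wire_headers + packet[1:]
    raise ValueError(f"unknown mode: {mode}")


def process_inbound(packet: List[str], bundle: Sequence[str], mode: str) -> List[str]:
    """Strip one bundle's headers on input (AH checked first, PCP last).

    Rejects a packet whose header stack does not match the negotiated bundle
    in the canonical order, which is the check a receiver needs before it
    trusts the decapsulated result.
    """
    expected = ["IP"] + list(reversed(canonical_order(bundle)))
    if packet[: len(expected)] != expected:
        raise ValueError(f"header stack {packet} does not match bundle {expected}")
    inner = packet[len(expected):]
    if mode == "tunnel":
        return inner            # inner IP header is already present
    return ["IP"] + inner       # transport: restore the single IP header


def wire_format(packet: List[str]) -> str:
    """Render a header stack in the |IP|ESP|...| notation used in the thread."""
    return "|" + "|".join(packet) + "|"


def sg_example() -> List[str]:
    """The two-negotiation case from the message: an AH&PCP bundle in tunnel
    mode, then a separate ESP SA between the security gateways protecting
    that AH traffic. Offer order inside the first bundle is deliberately
    'wrong' (AH listed before PCP) to show it does not matter."""
    inner = apply_bundle(["IP", "data"], ["AH", "PCP"], "tunnel")
    return apply_bundle(inner, ["ESP"], "transport")


if __name__ == "__main__":
    out = sg_example()
    print(wire_format(out))                       # |IP|ESP|AH|PCP|IP|data|
    back = process_inbound(out, ["ESP"], "transport")
    back = process_inbound(back, ["PCP", "AH"], "tunnel")
    print(wire_format(back))                      # |IP|data|
```

Running the module prints the header stack Dan describes for the two-negotiation case and then unwinds it in the reverse order; `process_inbound` raises if a peer presented the headers in a non-canonical order (for example AH inside ESP within one bundle), which is the condition a receiver should treat as a policy mismatch rather than silently accept.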
