[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (IPng 7227) Re: Last Call: Mobility Support in IPv6 to Propos ed Standard



At 8:06 PM -0800 2/22/99, Richard Draves wrote:
> So are we in agreement that an IPsec-enabled node that is processing a
> routing header should do inbound & outbound IPsec processing, ...


Rich,

I've only had a chance to skim these messages, but it occurs to me that
some might be confused by your phrase "do IPsec processing", thinking
that it means "process the IPsec header(s)", when what you really mean
is "perform security policy enforcement", e.g., verify that the
packet under consideration arrived via a secure tunnel, or encapsulate
the packet in a secure tunnel for the next leg of its route, depending
on arrival/departure interface.  An IPsec header itself should never be
"processed" by anyone other than its original source and its final
destination.

Steve




References: