
IPSec interop question



I am implementing IPSec in IPv6.  We are ready to do some interoperability
testing of our IPSec and ran across this issue.

The AH document (RFC 2402) states the following:

3.3  Outbound Packet Processing
    ...
  For simplicity of processing, each IPsec header
   SHOULD ignore the existence (i.e., not zero the contents or try to
   predict the contents) of IPsec headers to be applied later.
 ...

The SHOULD means one vendor may not interoperate with another.  Why isn't
this SHOULD a MUST?  That would mean that any combination would work, right?
I know this doesn't affect the required combos since AH is after ESP
(IP_AH_ESP_DATA).  "After" means it occurs closer to the IP header.  However
for IP_ESP_AH_DATA, why SHOULD I ignore the ESP header?  You have to predict
everything anyway for AH.  And the ESP header is quite simple (as is AH)
compared to the other IPv6 extension headers.

And why say, "For simplicity of processing?"  It is not necessarily simpler
to ignore them if you want to authenticate the entire packet without having
to worry that other security extension headers may exist after the AH header
(at least on the send side).  The issue here should be interoperating not
simplicity.

On the receive side, you can't throw away the extension headers because you
may need them to do the AH authentication.  Which means you may want to
save the IPSec extension headers if you are not ignoring them.

So since this is a SHOULD I want to try and get a consensus of what
implementations do, be they IPv4 or IPv6.  Are there any implementations
that do not ignore IPSec headers that come after an AH header?  Do most
implementations just do the required IPSec combos and not worry about this?

Thanks,

Aaron
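
The interoperability failure the message asks about, as an added example that is not part of the original post: a simplified model of AH ICV computation for IP_ESP_AH_DATA, in which a sender that "predicts" the later ESP header fails verification at a receiver that strips ESP before checking AH. The HMAC-SHA-1-96 transform, the key, SPIs, addresses, the function names and the exact form of the "predict" policy are assumptions made for illustration, and the ESP trailer and encryption are left out.

```python
import hashlib
import hmac
import struct

AH, ESP, UDP = 51, 50, 17            # IANA protocol numbers
KEY = b"constructed-demo-key"        # constructed sample key

def ipv6_header(next_header, payload_len, hop_limit=64):
    # Version 6, traffic class 0, flow label 0; constructed sample addresses
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    first = struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit)
    return first + src + dst

def ah_header(next_header, spi, seq, icv=b"\x00" * 12):
    # Payload Len = AH length in 32-bit words minus 2 (24 bytes -> 4)
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + icv

def esp_header(spi, seq):
    return struct.pack("!II", spi, seq)

def icv_input(ip_next, covered):
    # Mutable IPv6 fields (class, flow label, hop limit) are zeroed for the ICV
    return ipv6_header(ip_next, len(covered), hop_limit=0) + covered

def ah_icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]   # assumed transform

def sender_icv(policy, payload):
    ah = ah_header(UDP, spi=0x100, seq=1)        # ICV field zeroed
    if policy == "ignore":                       # the RFC 2402 SHOULD
        return ah_icv(icv_input(AH, ah + payload))
    # "predict" (assumed behaviour): also cover the ESP header applied later
    return ah_icv(icv_input(ESP, esp_header(0x200, 1) + ah + payload))

def receiver_verifies(icv, payload):
    # ESP is outermost, so it is processed and removed first;
    # the AH check then sees IP | AH | payload only.
    ah = ah_header(UDP, spi=0x100, seq=1)
    expected = ah_icv(icv_input(AH, ah + payload))
    return hmac.compare_digest(icv, expected)

if __name__ == "__main__":
    data = b"constructed payload"
    for policy in ("ignore", "predict"):
        print(policy, receiver_verifies(sender_icv(policy, data), data))
```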


