
AH as a Transport protocol



Scott,

>Dan McDonald wrote:
>> 
>> While not listed in 2401 explicitly, couldn't one use ICMP/ICMPv6 type and
>> code as a selector for a security association?  The implementation wouldn't
>> be that tough; just overload the already-there port fields for type and
>> code.
>
> Scott G. Kelly wrote:
>
>...or generalize the port fields into some sort of protocol-specific
>selectors or something. That way, we could use type/code for icmp, SPI
>for esp/ah, etc...
         ^^^

Your E-mail reminds me of an issue I wondered about a while
back. RFC-2401 seems to indicate that AH is not a
transport protocol, and then if an AH is encountered, the IP
header should be parsed further until either a transport protocol
or an ESP header is located.

However, I can see it being useful to be able to use PROTOCOL=AH in the SPD
to check that traffic is authenticated, but I realize that there is a
conflict in permitting this and looking for the "real" transport protocol.

Would anyone like to comment on what some real VPN products do?

Thanks, 

Fergus Fletcher
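The two points raised in this thread, reusing the port-selector slots for ICMP type/code (and the SPI for ESP), and treating AH as something the selector parser walks past rather than as the transport protocol, can be shown together in a toy SPD lookup. The code below is an added example written for this archive page; it is not from the post, the RFC, or any VPN product. The header chain, the `Selectors` record, the `require_ah` flag (one way of modelling the "PROTOCOL=AH means must be authenticated" check without stopping the search for the real transport protocol) and all packets and SPD entries are constructed here for illustration.

```python
"""Toy IPsec SPD selector lookup (added example, not from the list post).

Models RFC 2401's rule that AH is not a transport protocol for selector
purposes: when an AH header is met, keep walking the header chain until
a real transport header (ICMP/TCP/UDP) or an ESP header is found.
Port-selector slots are overloaded: ICMP type/code, or the ESP SPI.
"""
from dataclasses import dataclass
from typing import List, Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 1, 6, 17, 50, 51
TRANSPORTS = {PROTO_ICMP, PROTO_TCP, PROTO_UDP}


@dataclass
class Header:
    proto: int                      # IP protocol number of this header
    src_port: Optional[int] = None  # for ICMP this slot carries the type
    dst_port: Optional[int] = None  # for ICMP this slot carries the code
    spi: Optional[int] = None       # for AH/ESP headers


@dataclass
class Packet:
    src: str
    dst: str
    chain: List[Header]  # headers following the outer IP header, in order


@dataclass
class Selectors:
    src: str
    dst: str
    proto: int
    sel1: Optional[int]   # src port, ICMP type, or ESP SPI
    sel2: Optional[int]   # dst port or ICMP code
    authenticated: bool   # True if an AH header was traversed (hypothetical flag)


def extract_selectors(pkt: Packet) -> Selectors:
    """Walk the header chain; AH is skipped, not treated as transport."""
    authenticated = False
    for h in pkt.chain:
        if h.proto == PROTO_AH:
            authenticated = True
            continue  # not a transport protocol: keep parsing
        if h.proto in TRANSPORTS:
            return Selectors(pkt.src, pkt.dst, h.proto,
                             h.src_port, h.dst_port, authenticated)
        if h.proto == PROTO_ESP:
            # Cannot see inside ESP, so the SPI is the only usable selector
            return Selectors(pkt.src, pkt.dst, PROTO_ESP, h.spi, None, authenticated)
        # Unknown header: nothing finer than the protocol number to select on
        return Selectors(pkt.src, pkt.dst, h.proto, None, None, authenticated)
    raise ValueError("no transport or ESP header found")


@dataclass
class SpdEntry:
    name: str
    action: str                   # "bypass", "protect" or "discard"
    src: Optional[str] = None     # None means wildcard
    dst: Optional[str] = None
    proto: Optional[int] = None
    sel1: Optional[int] = None
    sel2: Optional[int] = None
    require_ah: bool = False      # the PROTOCOL=AH "must be authenticated" idea


def matches(e: SpdEntry, s: Selectors) -> bool:
    """All specified fields must match; None fields are wildcards."""
    checks = ((e.src, s.src), (e.dst, s.dst), (e.proto, s.proto),
              (e.sel1, s.sel1), (e.sel2, s.sel2))
    if any(want is not None and want != got for want, got in checks):
        return False
    return not (e.require_ah and not s.authenticated)


def lookup(spd: List[SpdEntry], pkt: Packet) -> str:
    """First-match SPD lookup; returns the name of the matching entry."""
    s = extract_selectors(pkt)
    for e in spd:
        if matches(e, s):
            return e.name
    raise LookupError("SPD must end with a catch-all entry")


# Constructed policy: echo requests bypass, SSH only if AH-authenticated,
# ESP to a known SPI accepted, everything else discarded.
SPD = [
    SpdEntry("icmp-echo", "bypass", proto=PROTO_ICMP, sel1=8, sel2=0),
    SpdEntry("ssh-authenticated", "protect", proto=PROTO_TCP, sel2=22, require_ah=True),
    SpdEntry("esp-tunnel", "protect", proto=PROTO_ESP, sel1=0x1234),
    SpdEntry("default-discard", "discard"),
]

# Constructed packets (not real captures)
PKT_AUTH_SSH = Packet("10.0.0.1", "10.0.0.2",
                      [Header(PROTO_AH, spi=0x100), Header(PROTO_TCP, 40000, 22)])
PKT_PLAIN_SSH = Packet("10.0.0.1", "10.0.0.2", [Header(PROTO_TCP, 40000, 22)])
PKT_PING = Packet("10.0.0.1", "10.0.0.2", [Header(PROTO_ICMP, 8, 0)])
PKT_AH_ESP = Packet("10.0.0.1", "10.0.0.2",
                    [Header(PROTO_AH, spi=0x100), Header(PROTO_ESP, spi=0x1234)])

if __name__ == "__main__":
    for p in (PKT_AUTH_SSH, PKT_PLAIN_SSH, PKT_PING, PKT_AH_ESP):
        print(extract_selectors(p), "->", lookup(SPD, p))
```

The design choice worth noting is that `require_ah` is a separate flag rather than a value of the protocol selector: the lookup still finds the real transport selectors (TCP port 22 here), so an unauthenticated SSH packet falls through to the discard entry instead of matching, while an AH-then-ESP packet is selected on the ESP SPI and still records that AH was present.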

