AH as a Transport protocol
Scott,
>Dan McDonald wrote:
>>
>> While not listed in 2401 explicitly, couldn't one use ICMP/ICMPv6 type and
>> code as a selector for a security association? The implementation wouldn't
>> be that tough; just overload the already-there port fields for type and
>> code.
>
> Scott G. Kelly wrote:
>
>...or generalize the port fields into some sort of protocol-specific
>selectors or something. That way, we could use type/code for icmp, SPI
>for esp/ah, etc...
^^^
Your E-mail reminds me of an issue I wondered about a while
back. RFC-2401 seems to indicate that AH is not a
transport protocol, and then if an AH is encountered, the IP
header should be parsed further until either a transport protocol
or an ESP header is located.
However, I can see it being useful to be able to use PROTOCOL=AH in the SPD
to check that traffic is authenticated, but I realize that there is a
conflict in permitting this and looking for the "real" transport protocol.
Would anyone like to comment on what some real VPN products do?
Thanks,
Fergus Fletcher
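The SPD lookup that Fergus describes (AH is not a transport protocol, so the packet is parsed past it until a transport protocol or ESP is found), together with Dan's and Scott's idea of overloading the port fields with protocol-specific selectors (ICMP type/code, ESP SPI), as an added Python example that is not part of the original thread. The IPv4/AH/ICMP/UDP/ESP byte strings, the small SPD, the `extract_selectors`/`spd_lookup` helpers and the `require_ah` selector are all constructed here for illustration; `require_ah` is one way to express Fergus's "PROTOCOL=AH means authenticated" policy without making AH itself the transport-protocol selector.

```python
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51


def build_ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed minimal IPv4 header (no options, checksum left zero)."""
    ip2b = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip2b(src), ip2b(dst))
    return hdr + payload


def build_ah(next_header, spi, seq, icv=b"\x00" * 12):
    """AH header: next header, payload length in 32-bit words minus 2,
    reserved, SPI, sequence number, then the ICV (zeroed here)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def extract_selectors(pkt):
    """Derive SPD selectors from a packet. AH is not treated as a transport
    protocol: every AH header is skipped (its SPI is remembered) until a
    transport protocol or ESP is reached, which is what RFC 2401 describes."""
    ihl = (pkt[0] & 0x0F) * 4
    sel = {"src": ".".join(map(str, pkt[12:16])),
           "dst": ".".join(map(str, pkt[16:20])),
           "ah_spi": None}
    proto, off = pkt[9], ihl
    while proto == IPPROTO_AH:
        nxt, plen = pkt[off], pkt[off + 1]
        sel["ah_spi"] = struct.unpack("!I", pkt[off + 4:off + 8])[0]
        off += (plen + 2) * 4          # AH length field counts words minus 2
        proto = nxt
    sel["proto"] = proto
    # Protocol-specific selectors stored where the port fields would be.
    if proto == IPPROTO_ICMP:
        sel["type"], sel["code"] = pkt[off], pkt[off + 1]
    elif proto in (IPPROTO_TCP, IPPROTO_UDP):
        sel["sport"], sel["dport"] = struct.unpack("!HH", pkt[off:off + 4])
    elif proto == IPPROTO_ESP:
        sel["spi"] = struct.unpack("!I", pkt[off:off + 4])[0]
    return sel


def spd_lookup(spd, sel):
    """First-match SPD lookup. Entry values are exact matches or None for
    wildcard; 'require_ah' (constructed here) demands that an AH header was
    present, since 'proto': IPPROTO_AH can never match under the skip rule."""
    for entry, action in spd:
        for key, want in entry.items():
            if key == "require_ah":
                if want and sel["ah_spi"] is None:
                    break
            elif want is not None and sel.get(key) != want:
                break
        else:
            return action
    return "discard"


# Constructed SPD: note the PROTOCOL=AH entry is dead under the RFC 2401 walk.
SPD = [
    ({"proto": IPPROTO_ICMP, "type": 8, "code": 0, "require_ah": True}, "bypass"),
    ({"proto": IPPROTO_ICMP}, "discard"),
    ({"proto": IPPROTO_UDP, "dport": 53}, "bypass"),
    ({"proto": IPPROTO_AH}, "bypass"),
    ({"proto": IPPROTO_ESP}, "protect"),
]

ICMP_ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1])        # echo request, checksum 0
PACKETS = {  # constructed sample packets
    "icmp_auth": build_ipv4(IPPROTO_AH, build_ah(IPPROTO_ICMP, 0x100, 1) + ICMP_ECHO),
    "icmp_plain": build_ipv4(IPPROTO_ICMP, ICMP_ECHO),
    "udp_auth": build_ipv4(IPPROTO_AH, build_ah(IPPROTO_UDP, 0x100, 2)
                           + struct.pack("!HHHH", 5000, 53, 8, 0)),
    "esp": build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x200, 7) + b"\x00" * 8),
}


def decide_all():
    """Run every constructed packet through the SPD; returns name -> action."""
    return {name: spd_lookup(SPD, extract_selectors(pkt)) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, extract_selectors(pkt), "->", spd_lookup(SPD, extract_selectors(pkt)))
```

The walk never yields `proto == 51`, so the `{"proto": IPPROTO_AH}` entry is unreachable; this is exactly the conflict Fergus raises. Recording the AH SPI as a side selector (`ah_spi`, checked by `require_ah`) lets a policy say "only authenticated echo requests are accepted" while the transport-protocol selector still names ICMP, which is the kind of generalized selector Scott sketched.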