Re: AH as a Transport protocol
Fergus Fletcher wrote:
<trimmed...>
> Your E-mail reminds me of an issue I wondered about a while
> back. RFC-2401 seems to indicate that AH is not a
> transport protocol, and then if an AH is encountered, the IP
> header should be parsed further until either a transport protocol
> or an ESP header is located.
>
> However I can see it being useful to be able to use PROTOCOL=AH in the SPD
> to check that traffic is authenticated, but I realize that there is a
> conflict in permitting this and looking for the "real" transport protocol.
>
> Would anyone like to comment on what some real VPN products do?
>
I've opined on this in the past: while I believe that AH more closely
resembles IP options than a transport protocol (whereas ESP looks like a
transport protocol to me), I too think these protocols should be (and
are) valid selectors. The problem is, we don't yet have
protocol-specific selectors defined for anything other than TCP/UDP. I
think Steve Kent has invited us to spell out the requirements we
envision for other protocols. Taking that bait, I'll offer local/remote
SPIs for ESP/AH.
Scott
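The parsing rule Fergus quotes from RFC 2401 (skip past any AH header until a transport protocol or ESP is found) and the two selector views discussed in the thread (PROTOCOL=AH meaning "this traffic was authenticated" versus a selector on the "real" transport protocol underneath) can be seen side by side in the following Python example. This is an added illustration, not code from the thread or from any VPN product; the packet bytes are constructed, the `Selector` class is hypothetical, and its optional `spi` field is an assumption modelled on Scott's suggestion of SPI selectors for ESP/AH. Protocol numbers 6, 17, 50 and 51 are the IANA assignments for TCP, UDP, ESP and AH.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51


@dataclass
class ParsedPacket:
    src: str
    dst: str
    ah_spis: List[int]        # SPI of every AH header walked past, outermost first
    next_proto: int           # first non-AH protocol number found in the chain
    esp_spi: Optional[int]    # SPI if the chain ended at an ESP header
    sport: Optional[int]      # TCP/UDP ports, when a transport header is visible
    dport: Optional[int]


def parse_ipv4(pkt: bytes) -> ParsedPacket:
    """Walk an IPv4 packet's header chain the way RFC 2401 describes for selector
    matching: AH is treated like an extension header and skipped, stopping at the
    first transport protocol or at ESP (whose payload is opaque)."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    off = (ver_ihl & 0x0F) * 4          # IHL is in 32-bit words
    proto = pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    ah_spis: List[int] = []
    while proto == IPPROTO_AH:
        # RFC 2402 AH: Next Header (1), Payload Len (1), Reserved (2), SPI (4), Seq (4), ICV (...)
        next_hdr, payload_len = struct.unpack_from("!BB", pkt, off)
        spi, = struct.unpack_from("!I", pkt, off + 4)
        ah_spis.append(spi)
        off += (payload_len + 2) * 4    # Payload Len counts 32-bit words minus 2
        proto = next_hdr
    esp_spi = sport = dport = None
    if proto == IPPROTO_ESP:
        esp_spi, = struct.unpack_from("!I", pkt, off)   # only the SPI is in the clear
    elif proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack_from("!HH", pkt, off)
    return ParsedPacket(src, dst, ah_spis, proto, esp_spi, sport, dport)


@dataclass
class Selector:
    """Hypothetical SPD selector. `spi` is an assumed AH/ESP-specific selector."""
    protocol: int
    dport: Optional[int] = None
    spi: Optional[int] = None


def matches(sel: Selector, p: ParsedPacket) -> bool:
    if sel.protocol == IPPROTO_AH:
        # PROTOCOL=AH asks "was this packet authenticated?", regardless of what AH carries.
        return bool(p.ah_spis) and (sel.spi is None or sel.spi in p.ah_spis)
    if sel.protocol == IPPROTO_ESP:
        return p.next_proto == IPPROTO_ESP and (sel.spi is None or sel.spi == p.esp_spi)
    # Transport selectors match the "real" protocol found after skipping AH.
    return p.next_proto == sel.protocol and (sel.dport is None or sel.dport == p.dport)


def build_sample_ah_tcp() -> bytes:
    """Constructed packet: IPv4 | AH (12-byte ICV, e.g. HMAC-SHA1-96) | TCP SYN to port 22."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x1000, 1) + b"\x00" * 12  # 24 bytes -> Payload Len 4
    total = 20 + len(ah) + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_AH, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + ah + tcp


def build_sample_esp() -> bytes:
    """Constructed packet: IPv4 | ESP (SPI 0x2000) | opaque payload. Nothing past ESP is visible."""
    esp = struct.pack("!II", 0x2000, 1) + b"\xaa" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64, IPPROTO_ESP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + esp


if __name__ == "__main__":
    p = parse_ipv4(build_sample_ah_tcp())
    print(p)
    print("PROTOCOL=AH selector:", matches(Selector(IPPROTO_AH), p))
    print("TCP/22 selector:     ", matches(Selector(IPPROTO_TCP, dport=22), p))
    print("ESP packet:", parse_ipv4(build_sample_esp()))
```

Both selectors match the same AH-protected packet, which is the conflict Fergus describes: an SPD that treats AH as the protocol can never also filter on the port, so a parser has to record that AH was present and still report the inner transport protocol for the transport selectors to work.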