
Re: AH as a Transport protocol



Fergus Fletcher wrote:
 
<trimmed...>

> Your E-mail reminds me of an issue I wondered about a while
> back. RFC-2401 seems to indicate that AH is not a
> transport protocol, and then if an AH is encountered, the IP
> header should be parsed further until either a transport protocol
> or an ESP header is located.
> 
> However I can see it being useful to be able to use PROTOCOL=AH in the SPD
> to check that traffic is authenticated, but I realize that there is a
> conflict in permitting this and looking for the "real" transport protocol.
> 
> Would anyone like to comment on what some real VPN products do?
> 

I've opined on this in the past: while I believe that AH more closely
resembles IP options than a transport protocol (whereas ESP looks like a
transport protocol to me), I too think these protocols should be (and
are) valid selectors. The problem is, we don't yet have
protocol-specific selectors defined for anything other than TCP/UDP. I
think Steve Kent has invited us to spell out the requirements we
envision for other protocols. Taking that bait, I'll offer local/remote
SPIs for ESP/AH.

Scott
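As an added illustration (not from either poster), this walks an IPv4 header chain the way Fergus describes (skip AH, stop at a transport protocol or ESP) and then applies an SPD-style check in the spirit of Scott's point, where PROTOCOL=AH is a selector but ports are matched on the transport header behind it. The AH/ESP field layout follows RFC 2402/2406; the sample packet, the `matches_policy` semantics and the zeroed ICV/checksum are constructed for the example.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51

def walk_headers(pkt: bytes) -> dict:
    """Walk an IPv4 header chain the way RFC 2401 selector processing
    describes: step over each AH header (recording its SPI) until a
    transport protocol or an ESP header is reached. ESP keeps its Next
    Header field in the encrypted trailer, so the walk stops there."""
    off = (pkt[0] & 0x0F) * 4          # IHL -> start of first extension/transport
    proto = pkt[9]                     # IPv4 Protocol field
    info = {"ah_spis": [], "esp_spi": None, "transport": None, "ports": None}
    while True:
        if proto == IPPROTO_AH:
            # RFC 2402 AH: Next Header(1) Payload Len(1) Reserved(2) SPI(4) Seq(4) ICV(n)
            next_hdr, payload_len = pkt[off], pkt[off + 1]
            info["ah_spis"].append(struct.unpack_from("!I", pkt, off + 4)[0])
            off += (payload_len + 2) * 4   # Payload Len is in 32-bit words, minus 2
            proto = next_hdr
        elif proto == IPPROTO_ESP:
            info["esp_spi"] = struct.unpack_from("!I", pkt, off)[0]
            info["transport"] = IPPROTO_ESP
            return info
        else:
            info["transport"] = proto
            if proto in (IPPROTO_TCP, IPPROTO_UDP):
                info["ports"] = struct.unpack_from("!HH", pkt, off)  # (src, dst)
            return info

def matches_policy(pkt: bytes, require_ah: bool, transport: int, dst_port: int) -> bool:
    """Hypothetical SPD entry: PROTOCOL=AH is satisfied by any AH header in the
    chain, while transport and port selectors are matched against the 'real'
    transport header found behind it (assumed semantics, not RFC text)."""
    info = walk_headers(pkt)
    if require_ah and not info["ah_spis"]:
        return False
    if info["transport"] != transport or info["ports"] is None:
        return False
    return info["ports"][1] == dst_port

def build_sample() -> bytes:
    """Constructed packet: IPv4 | AH(next=TCP, SPI 0x1234, 96-bit ICV placeholder) | TCP 12345->443."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 24 + 20, 0, 0, 64, IPPROTO_AH, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # checksum left 0
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x1234, 1) + b"\x00" * 12
    tcp = struct.pack("!HHIIBBHHH", 12345, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + ah + tcp

SAMPLE = build_sample()
```

`walk_headers(SAMPLE)` reports the AH SPI and the TCP ports behind it; swapping the Protocol byte to ESP makes the walk stop at the ESP SPI with no port information, which is exactly the conflict Fergus raises.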

