
Re: interpretation of SA bundle.

My interpretation...

> Node A sends a proposal including AH tunnel mode followed by ESP tunnel
> mode.  In this case, we should interpret the IP payload created by
> using this SA to be:
> 
> 	1. [outer IP][AH][ESP][inner IP][ULP]
> 	2. [outer IP][ESP][AH][inner IP][ULP]
> 	3. [outer IP][AH][inner IP][ESP][inner IP'][ULP]
> 	4. [outer IP][ESP][inner IP][AH][inner IP'][ULP]
> 
> Which is right?

Assuming the proposal order as you stated: 4 (e.g. first apply
tunnel+AH, then tunnel+ESP). Note, in (1) AH and in (2) ESP is
transport mode, so they don't match your proposal anyway.

The result should depend on the ordering in the proposal? I don't know
about IKE, but I can express all of the above combinations in my
policy file, and the kernel IPSEC machinery can do them.

> Another case, Node A sends a proposal including AH transport mode followed
> by ESP tunnel mode.
> 
> 	1. [outer IP][AH][ESP][inner IP][ULP]
> 	2. [outer IP][ESP][inner IP][AH][ULP]
> 
> I think there are no such rules of interpretation in any drafts.

The case 2 (e.g. first apply AH, then tunnel+ESP). I guess the rule
should just state: apply strictly in proposed order.

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203, FIN-02044 VTT, http://www.vtt.fi/tte/staff/msa/
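As an added illustration (not code from the thread or from any IPsec implementation), the following assumes the rule stated above, "apply strictly in proposed order", with the first SA in the bundle applied closest to the payload: transport mode inserts its header directly after the outermost IP header, tunnel mode wraps the whole packet in a new outer IP header plus the protocol header. Running it over the bundles from both questions reproduces layouts 4 and 2, and the reverse orderings reproduce the other candidate layouts; the `Proposal` type and `layout` function are assumed names.

```python
from dataclasses import dataclass
from typing import List

PROTOCOLS = {"AH", "ESP"}
MODES = {"transport", "tunnel"}


@dataclass(frozen=True)
class Proposal:
    """One SA in a proposed bundle, e.g. Proposal("AH", "tunnel")."""
    protocol: str
    mode: str


def apply_bundle(proposals: List[Proposal]) -> List[str]:
    """Apply each SA in proposed order, starting from a plain [IP][ULP] packet.

    Every IP header is recorded as the bare token "IP"; layout() later labels
    them outer/inner/inner' by position. Returns the header stack, outermost first.
    """
    pkt = ["IP", "ULP"]
    for p in proposals:
        if p.protocol not in PROTOCOLS or p.mode not in MODES:
            raise ValueError(f"unsupported SA: {p}")
        if p.mode == "transport":
            # transport mode protects the existing packet: header goes right
            # after the current outermost IP header
            pkt.insert(1, p.protocol)
        else:
            # tunnel mode encapsulates the whole current packet behind a new
            # outer IP header followed by the AH/ESP header
            pkt = ["IP", p.protocol] + pkt
    return pkt


def layout(proposals: List[Proposal]) -> str:
    """Render the stack in the thread's notation: [outer IP][ESP][inner IP][AH][inner IP'][ULP]."""
    parts = []
    ip_seen = 0
    for hdr in apply_bundle(proposals):
        if hdr == "IP":
            label = "outer IP" if ip_seen == 0 else "inner IP" + "'" * (ip_seen - 1)
            ip_seen += 1
            parts.append(label)
        else:
            parts.append(hdr)
    return "".join(f"[{p}]" for p in parts)


if __name__ == "__main__":
    # the two bundles asked about in the thread
    print(layout([Proposal("AH", "tunnel"), Proposal("ESP", "tunnel")]))
    print(layout([Proposal("AH", "transport"), Proposal("ESP", "tunnel")]))
```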