Re: interpretation of SA bundle.
My interpretation...
> Node A sends a proposal including AH tunnel mode followed by ESP tunnel
> mode. In this case, the IP payload created by using this SA should be
> interpreted as:
>
> 1. [outer IP][AH][ESP][inner IP][ULP]
> 2. [outer IP][ESP][AH][inner IP][ULP]
> 3. [outer IP][AH][inner IP][ESP][inner IP'][ULP]
> 4. [outer IP][ESP][inner IP][AH][inner IP'][ULP]
>
> Which is right?
Assuming the proposal order as you stated: 4 (i.e. first apply
tunnel+AH, then tunnel+ESP). Note that in (1) AH and in (2) ESP are in
transport mode, so they don't match your proposal anyway.
The result should depend on the ordering in the proposal? I don't know
about IKE, but I can express all of the above combinations in my
policy file, and the kernel IPSEC machinery can do them.
> Another case, Node A sends a proposal including AH transport mode followed
> by ESP tunnel mode.
>
> 1. [outer IP][AH][ESP][inner IP][ULP]
> 2. [outer IP][ESP][inner IP][AH][ULP]
>
> I think there are no such rules of interpretation in any of the drafts.
Case 2 (i.e. first apply AH, then tunnel+ESP). I guess the rule
should just state: apply strictly in proposed order.
--
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203, FIN-02044 VTT, http://www.vtt.fi/tte/staff/msa/
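The "apply strictly in proposed order" rule from the reply above, worked through as an added example (not code from the thread or from any IPsec implementation): each SA in the bundle is applied to the outbound packet in turn, so every later header lands outside the earlier ones, and the resulting layout is then labelled the way the question does ([outer IP], [inner IP], [inner IP']). The `modes_in_layout` helper is the check behind "in (1) AH and in (2) ESP are in transport mode". ESP trailers and ICVs are left out; only header order is modelled.

```python
def apply_bundle(bundle, payload=("IP", "ULP")):
    """Apply each (protocol, mode) SA in proposed order to an outbound packet.

    bundle: list of ("AH" | "ESP", "tunnel" | "transport") in proposal order.
    Returns the header layout as a string like "[outer IP][ESP][inner IP][ULP]".
    """
    stack = list(payload)
    for proto, mode in bundle:
        if mode == "tunnel":
            # New outer IP header, then the security header, then the old packet.
            stack = ["IP", proto] + stack
        elif mode == "transport":
            # Security header goes directly after the current outermost IP header.
            stack.insert(1, proto)
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return relabel(stack)


def relabel(stack):
    """Name IP headers as the thread does: outer IP, inner IP, inner IP', ..."""
    n_ip = sum(1 for h in stack if h == "IP")
    if n_ip == 1:
        names = ["IP"]  # no tunnel applied: a single, unqualified IP header
    else:
        names = ["outer IP"] + ["inner IP" + "'" * i for i in range(n_ip - 1)]
    out, i = [], 0
    for h in stack:
        if h == "IP":
            out.append(names[i])
            i += 1
        else:
            out.append(h)
    return "".join(f"[{h}]" for h in out)


def modes_in_layout(layout):
    """Infer each AH/ESP header's mode from a layout string.

    A security header immediately followed by an IP header encapsulates a
    whole packet (tunnel mode); otherwise it covers only the ULP (transport).
    """
    hdrs = layout.strip("[]").split("][")
    modes = []
    for i, h in enumerate(hdrs):
        if h in ("AH", "ESP"):
            nxt = hdrs[i + 1] if i + 1 < len(hdrs) else ""
            modes.append((h, "tunnel" if "IP" in nxt else "transport"))
    return modes
```

Running `apply_bundle` on the two proposals from the question reproduces the reply's answers: layout 4 for tunnel+AH then tunnel+ESP, and layout 2 for transport AH then tunnel+ESP.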