
RE: A question on IPsec AH in IPv6



Dan,

> 
> Dan McDonald wrote:
> <SNIP!>
> > I was trying to figure out what the ramifications are 
> > with the destination options headers being before or after 
> > the AH header.  Is anyone aware of any specific requirement
> > for the destination options to be AFTER the AH header?
> 
> Typically you want the destination options to be after the AH header if only
> the final endpoint of a datagram needs to see the options.
> 
> Destination options that fall before AH are intended (I believe) to also fall
> before the routing header, such that explicitly named nodes in the routing
> header also process the destination options.

What do you mean by routing header? Are you speaking about hop-by-hop
routing headers, or the Outer Tunnel Header of IPsec?  (I assume you mean
hop-by-hop routing.)

> 
> This also means that the intermediate routing-header-specified nodes process
> unauthenticated options, as routers process unauthenticated hop-by-hop
> options.  Only the ultimate destination can process authenticatable options
> after AH computation.

AH authenticates all extension headers that are not mutable, so the
destination options are authenticated regardless of position (unless
of course they are a mutable option, in which case they're NOT authenticated,
regardless of position.)
 
Bob
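The mutability rule Bob describes, worked through as an added Python example that is not part of the original thread: a transport-mode IPv6 packet carrying a Destination Options header before AH, where one option is immutable and the other has the "change en route" bit set, with the HMAC-SHA1-96 ICV computed over the zeroed form as RFC 4302 describes. Everything in the packet (key, SPI, addresses, payload) is a constructed test value; option types 0x1E and 0x3E are the RFC 4727 experimental types, used here only as an immutable/mutable pair.

```python
import hashlib
import hmac
import struct

CHANGE_EN_ROUTE = 0x20   # option-type bit: set => option data is mutable in transit

def zero_mutable_options(opts: bytes) -> bytes:
    """Zero the data of mutable options in a Dest/Hop-by-Hop option block.
    Option type and length bytes stay in the ICV input; only the data of
    options whose type has the change-en-route bit is replaced by zeros."""
    out, i = bytearray(), 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                       # Pad1: one byte, no length or data
            out.append(0); i += 1; continue
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("truncated option")
        ln = opts[i + 1]
        data = bytes(ln) if t & CHANGE_EN_ROUTE else opts[i + 2:i + 2 + ln]
        out += bytes([t, ln]) + data
        i += 2 + ln
    return bytes(out)

def ah_icv_input(ipv6: bytes, dstopts: bytes, ah: bytes, payload: bytes) -> bytes:
    """Bytes AH integrity-protects for  IPv6 | DstOpts | AH | payload  (transport mode)."""
    h = bytearray(ipv6)
    h[0] &= 0xF0; h[1] = h[2] = h[3] = 0    # Traffic Class and Flow Label are mutable
    h[7] = 0                                # Hop Limit is mutable
    d = dstopts[:2] + zero_mutable_options(dstopts[2:])   # Next Header / Hdr Ext Len kept
    a = ah[:12] + bytes(len(ah) - 12)       # AH's own ICV field is zeroed
    return bytes(h) + d + a + payload

def ah_icv(key: bytes, ipv6: bytes, dstopts: bytes, ah: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1-96 ICV (first 96 bits of HMAC-SHA1) over the prepared input."""
    return hmac.new(key, ah_icv_input(ipv6, dstopts, ah, payload), hashlib.sha1).digest()[:12]

def build_icv(immutable_data: bytes, mutable_data: bytes, hop_limit: int) -> bytes:
    """Constructed packet: option 0x1E (immutable) and option 0x3E (mutable), 1 byte
    of data each, then a 24-byte AH with a made-up SPI/key, then 8 bytes of payload."""
    key = b"constructed-test-key"
    opts = bytes([0x1E, len(immutable_data)]) + immutable_data
    opts += bytes([0x3E, len(mutable_data)]) + mutable_data
    dstopts = bytes([51, 0]) + opts                      # Next Header = AH, Hdr Ext Len 0
    ah = bytes([17, 4, 0, 0]) + struct.pack("!II", 0x1234, 1) + bytes(12)   # Next = UDP
    payload = b"app-data"
    ipv6 = struct.pack("!IHBB", 6 << 28, len(dstopts) + len(ah) + len(payload), 60, hop_limit)
    ipv6 += bytes.fromhex("20010db8000000000000000000000001")   # src 2001:db8::1 (test net)
    ipv6 += bytes.fromhex("20010db8000000000000000000000002")   # dst 2001:db8::2 (test net)
    return ah_icv(key, ipv6, dstopts, ah, payload)
```

Changing the mutable option's data or the hop limit in transit leaves the ICV unchanged, while any change to the immutable option's data breaks verification at the destination.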


