RE: A question on IPsec AH in IPv6
Dan,
>
> Dan McDonald wrote:
> <SNIP!>
> > I was trying to figure out what the ramifications are
> > with the destination options headers being before or after
> > the AH header. Is anyone aware of any specific requirement
> > for the destination options to be AFTER the AH header?
>
> Typically you want the destination options to be after the AH header if only
> the final endpoint of a datagram needs to see the options.
>
> Destination options that fall before AH are intended (I believe) to also fall
> before the routing header, such that explicitly named nodes in the routing
> header also process the destination options.
What do you mean by routing header?... are you speaking about hop-by-hop
routing headers, or the Outer Tunnel Header of IPsec? (I assume you mean
hop-by-hop routing.)
>
> This also means that the intermediate routing-header-specified nodes process
> unauthenticated options, as routers process unauthenticated hop-by-hop
> options. Only the ultimate destination can process authenticatable options
> after AH computation.
AH authenticates all extension headers that are not mutable, so the
destination options are authenticated regardless of position (unless
of course they are a mutable option, in which case they're NOT authenticated,
regardless of position.)
Bob
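
Added example, not part of the original message: a sketch of how an options-bearing extension header is normalised before it is fed to the AH ICV computation, following the mutable-option rule in RFC 4302 section 3.3.3.1.2.2 (Option Type and Opt Data Len are covered, the Option Data of a changeable option is treated as zero octets). The function name, the option type values and the sample header are constructed for illustration.

```python
PAD1 = 0x00
MUTABLE_BIT = 0x20  # third-highest-order bit of Option Type (RFC 2460 sec. 4.2)

def ah_icv_view(ext_hdr: bytes) -> bytes:
    """Return a Hop-by-Hop/Destination Options header as AH sees it for the ICV.

    Option Type and Opt Data Len are always covered; the Option Data of any
    option flagged as changeable en route is replaced with zero octets.
    """
    if len(ext_hdr) < 2:
        raise ValueError("truncated extension header")
    total = (ext_hdr[1] + 1) * 8   # Hdr Ext Len: 8-octet units, not counting the first
    if len(ext_hdr) != total:
        raise ValueError("length does not match Hdr Ext Len")
    out = bytearray(ext_hdr)
    i = 2                          # skip Next Header and Hdr Ext Len
    while i < total:
        opt_type = out[i]
        if opt_type == PAD1:       # Pad1 is a single octet with no length field
            i += 1
            continue
        if i + 2 > total:
            raise ValueError("option header runs past end of extension header")
        opt_len = out[i + 1]
        end = i + 2 + opt_len
        if end > total:
            raise ValueError("option data runs past end of extension header")
        if opt_type & MUTABLE_BIT:
            out[i + 2:end] = bytes(opt_len)   # zero the data, keep type and length
        i = end
    return bytes(out)

# Constructed sample: Destination Options header placed before AH
# (Next Header = 51), Hdr Ext Len = 1, so 16 octets in total.
SAMPLE = bytes([
    51, 1,
    0x1E, 2, 0xAA, 0xBB,        # constructed option, bit 0x20 clear: immutable
    0x3E, 4, 1, 2, 3, 4,        # constructed option, bit 0x20 set: mutable
    0x01, 2, 0, 0,              # PadN filling the header to 16 octets
])

if __name__ == "__main__":
    print(ah_icv_view(SAMPLE).hex(" "))
```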