[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

interpretation of "encapsulation mode" attribute

To: ipsec@lists.tislabs.com
Subject: interpretation of "encapsulation mode" attribute
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
Date: Fri, 14 Jan 2000 12:23:47 -0800
Sender: owner-ipsec@lists.tislabs.com

	Sorry if it is dumb question...

	RFC2407 page 14 has "Encapsulation mode" attribute for phase 2.
	However, interpretation of "tunnel", especially when we have multiple
	protocols mixed in, is totally unclear to me.  I saw difference in
	interpretation with other implementations.

	I think we all agree that the following is "IP ESP AH payload".
		proposal 1: transform ESP, transport
		proposal 1: transform AH, transport

	What if, you get:
		proposal 1: transform ESP, tunnel
		proposal 1: transform AH, tunnel
	would you expect packet like "IP ESP AH payload", or
	"IP ESP IP AH payload"?

	How about
		proposal 1: transform ESP, tunnel
		proposal 1: transform AH, transport
	or
		proposal 1: transform ESP, transport
		proposal 1: transform AH, tunnel
	We can interpret the former as "IP ESP IP AH payload",
	and the latter as "IP ESP AH IP payload", if we regard "tunnel"
	as "attach IP packet and add IPsec header", and use the list of
	transform ordered backwards, like this:
		IP payload  
		  v AH tunnel (encapsulate, then insert AH)
		IP AH IP payload
		  v ESP transport (insert ESP)
		IP ESP AH IP payload

	Of course you can iterate more protocols to incrase confusion.

	Is there any agreement on interpretation?   If so, please let me know
	and can we have more explicit wording in future revisions?

itojun

Prev by Date: Re: Deflate issue
Next by Date: RE: Deflate issue
Prev by thread: Re: Deflate issue
Next by thread: VPN bakeoff - IPComp Group Meeting minutes
Index(es):
- Main
- Thread