[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFC 2401 section 5.2.1

To: henry@spsystems.net
Subject: Re: RFC 2401 section 5.2.1
From: "Shoichi 'Ne' Sakane" <sakane@ydc.co.jp>
Date: Tue, 28 Nov 2000 23:36:17 +0900
Cc: Francis.Dupont@enst-bretagne.fr, ipsec@lists.tislabs.com, mobile-ip@standards.nortelnetworks.com
In-Reply-To: Your message of "Fri, 24 Nov 2000 12:34:48 -0500 (EST)"<Pine.BSI.3.91.1001124123008.24306B-100000@spsystems.net>
References: <Pine.BSI.3.91.1001124123008.24306B-100000@spsystems.net>
Sender: owner-ipsec@lists.tislabs.com

> > ...and needed by many IPv6 protocols (cf Itojun's mail).
> That is exactly the question:  *should* those protocols be relying on the 
> quirks of AH?  It would be better if they could also work with ESP.

ESP can not protect all part of a IP packet.  Both some IP headers
in IPv6 and all IP options in IPv4 are not protected.
Most outer IP header can not be protected by ESP if you use
ESP tunnel mode to protect original IP apcket.

I believe we need AH in spite of the IP version.

/Shoichi `NE' Sakane @ KAME project/

Follow-Ups:

Re: RFC 2401 section 5.2.1

From: Henry Spencer <henry@spsystems.net>

References:

Re: RFC 2401 section 5.2.1

From: Henry Spencer <henry@spsystems.net>

Prev by Date: Re: Synchronisation in IKE
Next by Date: Re: Synchronisation in IKE
Prev by thread: Re: RFC 2401 section 5.2.1
Next by thread: Re: RFC 2401 section 5.2.1
Index(es):
- Main
- Thread