Re: Two issues: AH death, and SA identification

> >Why would you need a new protocol number if you changed this? "On the
> >wire" format for IPSEC AH and ESP packets would not change at all.
> 
> The protocol is more than the format of bits on the wire; it also 
> encompasses the processing at sender and receiver. So, if these 
> changes affect that processing, it's not the same protocol.

When I say "on the wire format doesn't change", I also intended to
include: a change in processing on one end doesn't affect the
processing on the other end.

To avoid further confusion, what is the proper term to express this
condition? Just say "the change is an internal implementation issue"?

The processing of incoming SA and destination address is exactly such
"internal implementation decision".  => My conclusion: no new protocol
number for ESP/AH is required.

HOWEVER, I did say that such change probably would change the IKE
negotiations. But, that is a different protocol.

The tunnel vs. transport mode is a related issue. As coded, "tunnel
mode" is just "transport mode applied to an IP tunnel" (even though the
tunnel wrap/unwrap is also done within IPSEC). Again, using my above
definition, this is an "internal implementation issue".

-- 
Markku Savela <Markku.Savela@iki.fi>