Re: ESP and AH questions
At 9:56 PM -0400 9/19/01, john ipsec wrote:
>(Sorry, if this topic had been discussed before. Is there an FAQ?)
>
>Questions:
>
>1. In the tunnel mode, what is the value for the next-header field?
>The next-header seems to be the original IP header (unlike in the
>transport mode, the next-header is the "transport protocol" header).

The outer IP header should contain a Next Protocol value for AH or
ESP, and then AH or ESP should contain IP as the Next Protocol value
within these IPsec protocols.

>
>2. The ESP header and trailer do not specify the size of the
>"Authentication Data," unlike the AH. It uses SA to deduce the size
>of the Authentication Data (if present). If so, why AH cannot use SA
>to deduce the size of the Authentication Data field?

AH carries a total length field to allow an intermediary to skip over
it when used in the IPv6 context, i.e., when it is viewed as an
extension header.

Steve
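
Both answers above can be seen on one tunnel-mode AH packet. The following is an added example, not part of the original message: it builds a constructed packet with an IPv4 outer header for brevity, and the helper names, addresses, SPI and all-zero ICV are assumptions made for illustration.

```python
import struct

# IANA protocol numbers: IPv4-in-IP, TCP, AH
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_AH = 4, 6, 51

def build_ipv4(proto, payload, src, dst):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def build_ah(next_header, icv, spi=0x1000, seq=1):
    """AH layout: Next Header, Payload Len, Reserved, SPI, Sequence, ICV."""
    total = 12 + len(icv)
    if total % 4:
        raise ValueError("AH must be a multiple of 4 bytes")
    # Payload Len is the AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, total // 4 - 2, 0, spi, seq) + icv

def skip_ah(packet):
    """Step over AH using only its own length field, with no SA lookup.
    Returns (outer_protocol, ah_next_header, ah_length_bytes, inner_bytes)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    outer_proto = packet[9]
    if outer_proto != IPPROTO_AH:
        raise ValueError("outer header does not announce AH")
    ah = packet[ihl:]
    if len(ah) < 12:
        raise ValueError("truncated AH header")
    ah_len = (ah[1] + 2) * 4
    if ah_len < 12 or ah_len > len(ah):
        raise ValueError("AH Payload Len inconsistent with packet size")
    return outer_proto, ah[0], ah_len, ah[ah_len:]

# Constructed sample: inner packet between hosts, tunnelled between gateways.
inner = build_ipv4(IPPROTO_TCP, b"constructed segment",
                   src=[192, 0, 2, 10], dst=[198, 51, 100, 20])
ah_hdr = build_ah(IPPROTO_IPIP, icv=bytes(12))   # 96-bit ICV, all zero
tunnel_packet = build_ipv4(IPPROTO_AH, ah_hdr + inner,
                           src=[203, 0, 113, 1], dst=[203, 0, 113, 2])

if __name__ == "__main__":
    proto, nxt, ah_len, rest = skip_ah(tunnel_packet)
    print(f"outer protocol={proto}, AH next header={nxt}, AH length={ah_len}")
    print(f"inner packet protocol={rest[9]}, intact={rest == inner}")
```

The same walk is not possible for ESP without the SA, because its Next Header sits in the encrypted trailer and the ICV length is not carried in the packet.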