
Re: ESP and AH questions



At 9:56 PM -0400 9/19/01, john ipsec wrote:
>(Sorry, if this topic had been discussed before. Is there an FAQ?)
>
>Questions:
>
>1. In the tunnel mode, what is the value for the next-header field? 
>The next-header seems to be the original IP header (unlike in the 
>transport mode, the next-header is the "transport protocol" header).

The outer IP header should contain a Next Protocol value for AH or 
ESP, and then AH or ESP should contain IP as the Next Protocol value 
within these IPsec protocols.

>
>2. The ESP header and trailer do not specify the size of the 
>"Authentication Data," unlike the AH. It uses SA to deduce the size 
>of the Authentication Data (if present). If so, why cannot AH use the SA 
>to deduce the size of the Authentication Data field?

AH carries a total length field to allow an intermediary to skip over 
it when used in the IPv6 context, i.e., when it is viewed as an 
extension header.

Steve
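To make both answers concrete, here is an added example (mine, not code from the list thread) that parses an AH header using its self-describing Payload Len field and an ESP packet whose ICV length has to be supplied from the SA; the packet bytes are constructed and the ICVs are dummy zeros, not real HMAC output.

```python
import struct

# IANA protocol numbers (standard values, not taken from the thread)
PROTO_IPV4 = 4      # IP-in-IP: the Next Header that AH/ESP carry in tunnel mode
PROTO_ESP = 50
PROTO_AH = 51

def parse_ah(buf: bytes):
    """Parse an AH header and return (next_hdr, spi, seq, icv, total_len).
    AH is self-describing: Payload Len is the header length in 32-bit
    words minus 2, so any intermediary can skip it without knowing the SA."""
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:12])
    total_len = (payload_len + 2) * 4
    icv = buf[12:total_len]
    return next_hdr, spi, seq, icv, total_len

def parse_esp(buf: bytes, icv_len: int):
    """Parse an ESP packet and return (next_hdr, spi, seq, payload, icv).
    ESP has no length field: icv_len must come from the SA (looked up by
    SPI), otherwise the trailer (Pad Len, Next Header) cannot be located."""
    spi, seq = struct.unpack("!II", buf[:8])
    icv = buf[len(buf) - icv_len:]
    body = buf[8:len(buf) - icv_len]            # payload + padding + trailer
    pad_len, next_hdr = body[-2], body[-1]
    payload = body[:len(body) - 2 - pad_len]
    return next_hdr, spi, seq, payload, icv

# Constructed sample packets. Both carry an inner IPv4 packet (tunnel mode),
# stood in for here by the bytes b"inner-ip"; 12-byte ICV as for HMAC-SHA1-96.
ICV_LEN = 12
AH_TUNNEL = (struct.pack("!BBHII", PROTO_IPV4, 4, 0, 0x1000, 1)  # 24 bytes -> 6 words - 2
             + bytes(ICV_LEN) + b"inner-ip")
ESP_TUNNEL = (struct.pack("!II", 0x2000, 1) + b"inner-ip"
              + b"\x01\x02"                      # 2 bytes padding to a 4-byte boundary
              + bytes([2, PROTO_IPV4])           # Pad Len, Next Header (trailer)
              + bytes(ICV_LEN))

def skip_ah(buf: bytes) -> bytes:
    """What an IPv6 intermediary can do with AH: step over it using Payload Len."""
    return buf[parse_ah(buf)[4]:]

if __name__ == "__main__":
    print(parse_ah(AH_TUNNEL))
    print(parse_esp(ESP_TUNNEL, ICV_LEN))   # ICV_LEN would come from the SA for SPI 0x2000
```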

