Re: Why can't ESP authenticate IP header?
At 9:31 AM +0530 9/24/01, lokesh wrote:
Stephan,
Thanks for answer, you said making ESP always cover parts of IP header will create problems in many instances. May I know what are those?
Thanks
Lokesh
As noted, ESP coverage of selected header fields would increase
complexity and reduce performance. It also would create even more
circumstances where NAT could interfere with IPsec use. Today, using
ESP in tunnel mode can be made to work with NAT, but if the outer S/D
IP addresses were covered, that capability (I hesitate to call it a
feature) would go away.
Steve
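The NAT interaction described in the reply above, as an added example that is not part of the original thread: it computes an ESP-style integrity check value over the SPI, sequence number and payload, and compares it with a hypothetical variant that also covers the outer source/destination addresses. The key, addresses, SPI and ciphertext are constructed sample values, and the `cover_addrs` option models the design the thread argues against, not real ESP.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample integrity key

def ipv4_header(src, dst, payload_len, proto=50):
    """Minimal 20-byte outer IPv4 header (checksum left 0); proto 50 = ESP."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    """HMAC-SHA-256 truncated to 128 bits."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def covered_bytes(hdr, body, cover_addrs):
    # Real ESP authenticates only the ESP packet itself (body).
    # cover_addrs=True is the hypothetical variant: outer S/D addresses too.
    return hdr[12:20] + body if cover_addrs else body

def build(src, dst, spi, seq, ciphertext, cover_addrs):
    body = struct.pack("!II", spi, seq) + ciphertext
    hdr = ipv4_header(src, dst, len(body) + 16)
    return hdr + body + icv(covered_bytes(hdr, body, cover_addrs))

def verify(packet, cover_addrs):
    hdr, body, tag = packet[:20], packet[20:-16], packet[-16:]
    return hmac.compare_digest(tag, icv(covered_bytes(hdr, body, cover_addrs)))

def nat_rewrite_src(packet, new_src):
    """What a NAT device does to the outer header: replace the source address."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]

def demo():
    ct = bytes(range(32))  # constructed stand-in for the encrypted inner packet
    results = {}
    for cover in (False, True):
        pkt = build("10.0.0.5", "198.51.100.7", 0x1001, 1, ct, cover)
        natted = nat_rewrite_src(pkt, "203.0.113.9")
        results[cover] = (verify(pkt, cover), verify(natted, cover))
    return results

if __name__ == "__main__":
    for cover, (before, after) in demo().items():
        print(f"outer addresses covered={cover}: "
              f"valid before NAT={before}, valid after NAT={after}")
```

With the addresses outside the integrity check, the packet still verifies after the source address is rewritten; with them covered, the receiver rejects it.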