[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Why can't ESP authenticate IP header?

To: "lokesh" <lokeshnb@intotoinc.com>
Subject: Re: Why can't ESP authenticate IP header?
From: Stephen Kent <kent@bbn.com>
Date: Mon, 24 Sep 2001 10:08:54 -0400
Cc: <ipsec@lists.tislabs.com>
In-Reply-To: <002501c144ad$97b902c0$ae0510ac@roc.com>
References: <73D3E97F639DD5119642000347055F0581620B@G9JNS.mgb01.telekom.de><005701c1429d$97f81080$ae0510ac@roc.com> <p05010411b7d15128fbc2@[128.33.84.34]><002501c144ad$97b902c0$ae0510ac@roc.com>
Sender: owner-ipsec@lists.tislabs.com

Title: Re: Why can't ESP authenticate IP header?

At 9:31 AM +0530 9/24/01, lokesh wrote:

Stephan,

Thanks for answer, you said making ESP always cover parts of IP header will create problems in many instances.

may I know what are those?

Thanks

Lokesh

As noted, ESP coverage of selected header fields would increase complexity and reduce performance. It also would create even more circumstances where NAT could interfere with IPsec use. Today, using ESP in tunnel mode can be made to work with NAT, but if the outer S/D IP addresses were covered, that capability (I hesitate to call it a feature) would go away.

Steve

Follow-Ups:

Re: Why can't ESP authenticate IP header?

From: "lokesh" <lokeshnb@intotoinc.com>

References:

AW: Why can't ESP authenticate IP header?

From: "Scheffler, Thomas" <Thomas.Scheffler@t-systems.de>

Re: Why can't ESP authenticate IP header?

From: "lokesh" <lokeshnb@intotoinc.com>

Re: Why can't ESP authenticate IP header?

From: Stephen Kent <kent@bbn.com>

Re: Why can't ESP authenticate IP header?

From: "lokesh" <lokeshnb@intotoinc.com>

Prev by Date: Re: Why can't ESP authenticate IP header?
Next by Date: Re: Why can't ESP authenticate IP header?
Prev by thread: Re: Why can't ESP authenticate IP header?
Next by thread: Re: Why can't ESP authenticate IP header?
Index(es):
- Main
- Thread