Re: AH and mutable fields, how deep to look?

> With following
> 
>    IP Ext.-Headers1 AH Ext.-Headers2 ...
> 
> TAHI test assumes that the "mutable field" processing is also done for the
> Ext.Headers2.  I always had the misconception(?), and my implementation
> also has it, that the payload after AH is treated as opaque bits, and
> immutable.
> 
> I find my interpretation, of course, saner (and simpler). However, AH
> RFC seems to support TAHI's interpretation (at least the ASCII
> graphics).

We do the same in Solaris in that we treat a post-AH header as opaque.  It
makes sense from a parsing point of view and it gives the forwarding path
a clear stopping point (i.e. stop at AH as you would TCP, UDP, or ESP).

> If my interpretation is wrong, then the followup question is: how deep
> are you supposed to scan? Say,
> 
>    IP ext1 AH ext2 IP-tunnel ext3 ...etc..
> 
> Then, an unknown (to the SG) extension header inside ext3 would
> totally unnecessarily break the IPSEC...

If we're supposed to behave like TAHI, then the first inner-IP you hit in
this case is where you stop.

Ambiguous situations like this, BTW, are why I like treating tunnel mode as a
degenerate case of transport mode, or why we should agree with Joe Touch and
treat IP like any other transport protocol!

Dan
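The two interpretations discussed above, written out as the ICV-input preparation step (an added example, not code from the thread or from Solaris): mutable fields in the IPv6 header and in the options headers before AH are zeroed either way, and the `scan_past_ah` flag decides whether the walk continues into the extension headers after AH, stopping at the first inner IP header, transport header or unknown next-header. The packet, option types and function names are constructed for this example; only Hop-by-Hop/Destination Options and AH are handled, not the Routing header.

```python
# Added example, not code from the thread. Constructed IPv6+AH packet; handles
# only Hop-by-Hop/Destination Options and AH (no Routing header handling).
MUTABLE_OPT = 0x20               # option-type bit: data may change en route
HOPOPTS, DSTOPTS, AH, IPV6 = 0, 60, 51, 41

def zero_mutable_options(buf, off, end):
    """Zero the data of mutable TLV options in an options header body."""
    while off < end:
        t = buf[off]
        if t == 0:                           # Pad1: single byte, no length
            off += 1
            continue
        l = buf[off + 1]
        if t & MUTABLE_OPT:
            buf[off + 2:off + 2 + l] = bytes(l)
        off += 2 + l

def ah_icv_input(pkt, scan_past_ah):
    """Return the packet as fed to the AH ICV computation under one policy."""
    buf = bytearray(pkt)
    buf[0] &= 0xF0                           # keep version, zero Traffic Class
    buf[1:4] = bytes(3)                      # rest of Traffic Class + Flow Label
    buf[7] = 0                               # Hop Limit
    nh, off = buf[6], 40
    while off < len(buf):
        if nh in (HOPOPTS, DSTOPTS):
            hlen = (buf[off + 1] + 1) * 8
            zero_mutable_options(buf, off + 2, off + hlen)
        elif nh == AH:
            hlen = (buf[off + 1] + 2) * 4
            buf[off + 12:off + hlen] = bytes(hlen - 12)   # ICV field
            if not scan_past_ah:             # opaque-after-AH interpretation
                break
        else:                                # inner IP, transport or unknown
            break
        nh, off = buf[off], off + hlen
    return bytes(buf)

def bytes_differing(pkt):
    """Offsets whose ICV input depends on which interpretation is used."""
    a, b = ah_icv_input(pkt, False), ah_icv_input(pkt, True)
    return [i for i in range(len(pkt)) if a[i] != b[i]]

# Constructed packet:  IPv6 | DstOpts (ext1) | AH | DstOpts (ext2)
IPV6_HDR = bytes([0x62, 0xE1, 0x23, 0x45, 0, 40, DSTOPTS, 64]) + bytes(32)
EXT1 = bytes([AH, 0, 0x3E, 2, 0xAA, 0xBB, 1, 0])     # mutable option + PadN
AH_HDR = bytes([DSTOPTS, 4, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1]) + b"\xff" * 12
EXT2 = bytes([59, 0, 0x3E, 2, 0xCC, 0xDD, 1, 0])     # mutable option + PadN
PKT = IPV6_HDR + EXT1 + AH_HDR + EXT2
```

With this packet the only bytes whose ICV input differs between the two readings are the two data bytes of the mutable option in ext2, which is exactly the disagreement between the opaque-payload view and the TAHI view.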