Re: AH and mutable fields, how deep to look?
> With the following
>
> IP Ext.-Headers1 AH Ext.-Headers2 ...
>
> TAHI test assumes that the "mutable field" processing is also done for the
> Ext.Headers2. I always had the misconception(?), and my implementation
> also has it, that the payload after AH is treated as opaque bits, and
> immutable.
>
> I find my interpretation, of course, saner (and simpler). However, AH
> RFC seems to support TAHI's interpretation (at least the ASCII
> graphics).
We do the same in Solaris in that we treat a post-AH header as opaque. It
makes sense from a parsing point of view and it gives the forwarding path
a clear stopping point (i.e. stop at AH as you would TCP, UDP, or ESP).
> If my interpretation is wrong, then the followup question is: how deep
> are you supposed to scan? Say,
>
> IP ext1 AH ext2 IP-tunnel ext3 ...etc..
>
> Then, an unknown (to the SG) extension header inside ext3 would
> totally unnecessarily break the IPSEC...
If we're supposed to behave like TAHI, then the first inner-IP you hit in
this case is where you stop.
Ambiguous situations like this, BTW, are why I like treating tunnel mode as a
degenerate case of transport mode, or why we should agree with Joe Touch and
treat IP like any other transport protocol!
Dan
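As an added illustration of the two readings argued over above (example code, not from the thread, Solaris or TAHI): a Python sketch that builds the AH ICV input for a constructed IPv6 | Hop-by-Hop | AH | Destination Options packet, either treating everything after AH as opaque or continuing to zero the data of options whose type has the "may change en route" bit set in headers past AH. The addresses, SPI and the option type 0x26 (picked only because its chg bit is set) are constructed values.

```python
# Constructed example (not from the thread): AH ICV input under two readings.
import struct

HOPOPT, AH_NH, DSTOPT, NO_NEXT = 0, 51, 60, 59
OPT_CHG = 0x20  # bit 5 of an option type: option data may change en route

def _zero_mutable_options(opts: bytearray) -> None:
    """Zero the data of every TLV option whose type has the chg bit set."""
    i = 0
    while i < len(opts):
        if opts[i] == 0:            # Pad1: single byte, no length field
            i += 1
            continue
        length = opts[i + 1]
        if opts[i] & OPT_CHG:
            opts[i + 2:i + 2 + length] = bytes(length)
        i += 2 + length

def ah_icv_input(pkt: bytes, policy: str = "opaque") -> bytes:
    """policy="opaque": stop zeroing mutable fields at AH (post-AH headers opaque).
    policy="scan": keep zeroing chg-bit options in headers after AH (TAHI reading)."""
    buf = bytearray(pkt)
    buf[0] &= 0xF0                  # Traffic Class and Flow Label are mutable
    buf[1] = buf[2] = buf[3] = 0
    buf[7] = 0                      # Hop Limit is mutable
    nh, off, past_ah = buf[6], 40, False
    while nh in (HOPOPT, AH_NH, DSTOPT):
        if nh == AH_NH:
            hdr_len = (buf[off + 1] + 2) * 4       # Payload Len: 32-bit words minus 2
            buf[off + 12:off + hdr_len] = bytes(hdr_len - 12)   # ICV field is zeroed
            past_ah = True
        else:
            hdr_len = (buf[off + 1] + 1) * 8       # Hdr Ext Len: 8-octet units minus 1
            if not past_ah or policy == "scan":
                opts = buf[off + 2:off + hdr_len]
                _zero_mutable_options(opts)
                buf[off + 2:off + hdr_len] = opts
        nh, off = buf[off], off + hdr_len
    return bytes(buf)

def build_sample_packet() -> bytes:
    """Constructed IPv6 | Hop-by-Hop | AH | Destination Options packet."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    hbh = bytes([AH_NH, 0, 5, 2, 0, 0, 1, 0])                  # Router Alert (chg=0) + PadN
    ah = bytes([DSTOPT, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + b"\xaa" * 12
    dopt = bytes([NO_NEXT, 0, 0x26, 4]) + b"\xde\xad\xbe\xef"  # option type with chg bit set
    head = struct.pack("!IHBB", (6 << 28) | (0x2A << 20) | 0x12345,
                       len(hbh) + len(ah) + len(dopt), HOPOPT, 64)
    return head + src + dst + hbh + ah + dopt
```

Under both readings the ICV covers the same bytes; the two inputs differ only in whether the option data after AH is zeroed, which is exactly what makes a sender and receiver that disagree fail verification.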