
AH and mutable fields, how deep to look?



[I tried to send a message about this last week, but it disappeared...]

With the following

   IP Ext.-Headers1 AH Ext.-Headers2 ...

the TAHI test assumes that the "mutable field" processing is also done for
Ext.-Headers2. I always had the misconception(?), and my
implementation also has it, that the payload after AH is treated as
opaque bits, and immutable.

I find my interpretation, of course, saner (and simpler). However, AH
RFC seems to support TAHI's interpretation (at least the ASCII
graphics).

If my interpretation is wrong, then the followup question is: how deep
are you supposed to scan? Say,

   IP ext1 AH ext2 IP-tunnel ext3 ...etc..

Then, an unknown (to the SG) extension header inside ext3 would
totally unnecessarily break the IPSEC...
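As an added illustration (not code from the thread or from any of the implementations it mentions), here is a Python sketch of the two interpretations the post contrasts. It relies on the IPv6 option-type bit 0x20 ("option data may change en route"), which is what AH uses to decide which option data in a Hop-by-Hop or Destination Options header is zeroed before the ICV is computed; the AH ICV field itself is always zeroed. The option type 0x3E, the SPI, sequence number and ICV bytes are constructed sample data, and stopping the scan at an encapsulated IPv6 header is this example's own choice, which is exactly the question the post leaves open.

```python
"""Two ways of preparing an IPv6 extension-header chain as AH ICV input.

Added example: mutable option data (option type bit 0x20 set) is zeroed and
the AH ICV field is zeroed. `scan_past_ah` selects between treating everything
after AH as opaque (the poster's implementation) and continuing the mutable
field scan into Ext.-Headers2 (the TAHI interpretation).
"""

HOPOPT, IPV6, ROUTING, AH, DSTOPT = 0, 41, 43, 51, 60
OPT_MUTABLE = 0x20  # IPv6 option type bit: option data may change en route


def _zero_mutable_options(buf: bytearray, off: int, length: int) -> None:
    """Zero the data of every mutable option in a Hop-by-Hop/Destination Options header."""
    i = off + 2                      # skip Next Header and Hdr Ext Len
    end = off + length
    while i < end:
        opt_type = buf[i]
        if opt_type == 0:            # Pad1: a single byte, no length field
            i += 1
            continue
        opt_len = buf[i + 1]
        if opt_type & OPT_MUTABLE:
            buf[i + 2:i + 2 + opt_len] = bytes(opt_len)
        i += 2 + opt_len


def ah_icv_input(chain: bytes, first_nh: int, scan_past_ah: bool) -> bytes:
    """Return a copy of `chain` with mutable fields zeroed, ready for ICV computation."""
    out = bytearray(chain)
    nh, off = first_nh, 0
    while off < len(out):
        if nh == AH:
            ah_len = (out[off + 1] + 2) * 4               # Payload Len: 32-bit words minus 2
            out[off + 12:off + ah_len] = bytes(ah_len - 12)  # the ICV field is zeroed
            nh, off = out[off], off + ah_len
            if not scan_past_ah:
                break                                     # rest of the packet is opaque
        elif nh in (HOPOPT, DSTOPT):
            length = (out[off + 1] + 1) * 8               # Hdr Ext Len: 8-octet units minus 1
            _zero_mutable_options(out, off, length)
            nh, off = out[off], off + length
        elif nh == ROUTING:
            # Assumption for this example: the routing header is already in its final form.
            nh, off = out[off], off + (out[off + 1] + 1) * 8
        else:
            # Upper-layer payload or an encapsulated IPv6 header (41): this example
            # does not descend into an inner packet's extension headers.
            break
    return bytes(out)


def build_sample_chain():
    """Constructed packet tail: ext1(HBH) AH ext2(DstOpts) inner-IPv6 ext3(DstOpts)."""
    def mutable_opt(a, b):           # constructed option type 0x3E with the 0x20 bit set
        return bytes([0x3E, 2, a, b])
    padn = bytes([1, 0])
    ext1 = bytes([AH, 0]) + mutable_opt(0xAA, 0xBB) + padn
    ah = bytes([DSTOPT, 4, 0, 0]) + b"\x00\x00\x01\x00" + b"\x00\x00\x00\x01" + b"\x11" * 12
    ext2 = bytes([IPV6, 0]) + mutable_opt(0xCC, 0xDD) + padn
    inner_ip = bytes([0x60, 0, 0, 0, 0, 8, DSTOPT, 64]) + bytes(32)  # minimal inner IPv6 header
    ext3 = bytes([6, 0]) + mutable_opt(0xEE, 0xFF) + padn
    return ext1 + ah + ext2 + inner_ip + ext3, HOPOPT


if __name__ == "__main__":
    chain, nh = build_sample_chain()
    print(ah_icv_input(chain, nh, scan_past_ah=False).hex())
    print(ah_icv_input(chain, nh, scan_past_ah=True).hex())
```

With `scan_past_ah=False` only ext1 and the ICV field are zeroed; with `scan_past_ah=True` the mutable option in ext2 is zeroed as well, while ext3 inside the encapsulated packet is left alone in both cases. A receiver that reaches an option it does not recognise would, under the second interpretation, still have to decide its mutability from the 0x20 bit alone, which is the only thing that keeps an unknown option from breaking the ICV check.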