
Re: Outbound SA Bundle processing



At 2:11 PM -0700 4/5/04, suren wrote:
>Hi,
>
>I have two queries regarding SA Bundle processing.
>
>1) If we have two SAs in an outbound SA Bundle as below,
>
>      1st SA :  ESP in tunnel mode.
>      2nd SA :  AH in tunnel mode.
>
>    What should be the correct format of the packet that is
>    produced after applying these two SAs?
>
>    i)   [IP1][AH][ESP][Original_IP] 
>
>    Or  
>
>    ii)  [IP2][AH][IP1][ESP][Original_IP]

since both are described as tunnel mode, the second format is correct.

>
>2) If we have more than two SAs in an outbound SA Bundle as below,
>
>      1st SA :  ESP in tunnel mode, with DES
>      2nd SA :  ESP in tunnel mode, with 3DES
>      3rd SA :  ESP in tunnel mode, with AES
>      4th SA :  AH in tunnel mode.
>
>    What should be the correct format of the packet that is
>    produced after applying these two SAs?

note that support for bundles, other than the trivial ones mandated 
by 2401 use cases, has been problematic and so 2401bis drops the 
requirement for such support. your example above is easily rendered 
into an appropriate format, but it seems pretty unrealistic. also, 
you list 4 SAs in the second example, but then refer to "applying 
these two SAs?" which suggests an arithmetic mismatch.

Steve
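
The header layouts discussed in this thread can be derived mechanically from the order and mode of the SAs in the bundle. The sketch below is an added example, not part of the original message or of any IPsec implementation; the names `SA`, `apply_bundle` and `render` are hypothetical, and the transport-mode branch is included only to show how format i) from the question would arise. ESP trailers and ICVs are left out, matching the bracket notation used above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    proto: str      # "AH" or "ESP"
    mode: str       # "tunnel" or "transport"
    alg: str = ""   # optional label, only used for display

def apply_bundle(bundle, inner="Original_IP"):
    """Apply the SAs in order and return the header stack, outermost first."""
    stack = [inner]
    outer_ip = 0
    for sa in bundle:
        if sa.proto not in ("AH", "ESP"):
            raise ValueError(f"unknown protocol: {sa.proto}")
        label = f"{sa.proto}-{sa.alg}" if sa.alg else sa.proto
        if sa.mode == "tunnel":
            # Tunnel mode: the whole packet so far becomes the payload and
            # a new outer IP header is placed in front of the AH/ESP header.
            outer_ip += 1
            stack = [f"IP{outer_ip}", label] + stack
        elif sa.mode == "transport":
            # Transport mode: the AH/ESP header goes directly after the
            # current outermost IP header; no new IP header is added.
            stack = [stack[0], label] + stack[1:]
        else:
            raise ValueError(f"unknown mode: {sa.mode}")
    return stack

def render(stack):
    """Format a header stack in the thread's [hdr][hdr] notation."""
    return "".join(f"[{h}]" for h in stack)

# Question 1 as asked: ESP tunnel, then AH tunnel -> format ii)
Q1 = [SA("ESP", "tunnel"), SA("AH", "tunnel")]
# Format i) only results if the second SA were transport mode
Q1_TRANSPORT_AH = [SA("ESP", "tunnel"), SA("AH", "transport")]
# Question 2: four nested tunnel-mode SAs (constructed from the list above)
Q2 = [SA("ESP", "tunnel", "DES"), SA("ESP", "tunnel", "3DES"),
      SA("ESP", "tunnel", "AES"), SA("AH", "tunnel")]

if __name__ == "__main__":
    for name, bundle in (("Q1", Q1), ("Q1 with transport AH", Q1_TRANSPORT_AH), ("Q2", Q2)):
        print(f"{name}: {render(apply_bundle(bundle))}")
```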