
[Ipsec] Re: Outbound SA Bundle processing



Hi,

The same issue was raised at one of the bakeoffs (May 1999).
Some vendors supported format 2 and some format 1.
But most of the vendors supported one TUNNEL IP header for both AH and ESP
together.
In my view, security overhead can be reduced in format 1
by avoiding the additional TUNNEL IP header construction of format 2.

-raghava

At 11:51 AM 4/6/2004 -0400, Stephen Kent wrote:
>At 2:11 PM -0700 4/5/04, suren wrote:
>>Hi,
>>
>>I have two queries regarding SA Bundle processing.
>>
>>1) If we have two SAs in an outbound SA Bundle as below,
>>
>>      1st SA :  ESP in tunnel mode.
>>      2nd SA :  AH in tunnel mode.
>>
>>    What should be the correct format of the packet that is
>>    produced after applying these two SAs?
>>
>>    i)   [IP1][AH][ESP][Original_IP]
>>    Or
>>
>>    ii)  [IP2][AH][IP1][ESP][Original_IP]
>
>Since both are described as tunnel mode, the second format is correct.
>
>>
>>2) If we have more than two SAs in an outbound SA Bundle as below,
>>
>>      1st SA :  ESP in tunnel mode, with DES
>>      2nd SA :  ESP in tunnel mode, with 3DES
>>      3rd SA :  ESP in tunnel mode, with AES
>>      4th SA :  AH in tunnel mode.
>>
>>    What should be the correct format of the packet that is
>>    produced after applying these two SAs?
>
>Note that support for bundles, other than the trivial ones mandated by
>2401 use cases, has been problematic, and so 2401bis drops the requirement
>for such support. Your example above is easily rendered into an
>appropriate format, but it seems pretty unrealistic. Also, you list 4 SAs
>in the second example, but then refer to "applying these two SAs?" which
>suggests an arithmetic mismatch.
>
>Steve
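As an added illustration (my own Python model, not code from anyone in this thread), here is the outbound ordering rule that makes format ii the answer to question 1: each tunnel-mode SA wraps the packet built so far in a fresh outer IP header, whereas a transport-mode SA only inserts its header behind the current outermost IP header. The SA class, function names and the "IPn" numbering are my assumptions, and the ESP trailer/ICV is left out to match the thread's notation; the same rule also produces the layout for the four-SA bundle in question 2, and shows that format i is what you get when the AH SA is transport mode rather than tunnel mode.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class SA:
    proto: str          # "AH" or "ESP"
    mode: str           # "tunnel" or "transport"
    note: str = ""      # descriptive only, e.g. "DES"; does not affect layout

def apply_bundle(sas: List[SA], inner: str = "Original_IP") -> List[str]:
    """Header sequence after applying the SAs of an outbound bundle in order.

    Modelled rule (RFC 2401 outbound processing, simplified):
      tunnel mode    - prepend a fresh outer IP header followed by the
                       AH/ESP header, wrapping whatever was built so far
      transport mode - insert the AH/ESP header directly after the
                       current outermost IP header
    The ESP trailer/ICV is omitted, matching the thread's notation.
    """
    packet = [inner]
    tunnels = 0
    for sa in sas:
        if sa.proto not in ("AH", "ESP"):
            raise ValueError(f"unknown protocol {sa.proto!r}")
        if sa.mode == "tunnel":
            tunnels += 1
            packet = [f"IP{tunnels}", sa.proto] + packet
        elif sa.mode == "transport":
            # Transport mode needs an outer IP header built by an earlier
            # tunnel-mode SA; this model treats the original packet as opaque.
            if packet[0] == inner or not packet[0].startswith("IP"):
                raise ValueError("transport-mode SA has no outer IP header")
            packet = [packet[0], sa.proto] + packet[1:]
        else:
            raise ValueError(f"unknown mode {sa.mode!r}")
    return packet

def render(headers: List[str]) -> str:
    """Format as in the thread, e.g. '[IP2][AH][IP1][ESP][Original_IP]'."""
    return "".join(f"[{h}]" for h in headers)

# Question 1: ESP tunnel then AH tunnel gives format ii.
BOTH_TUNNEL = [SA("ESP", "tunnel"), SA("AH", "tunnel")]
# Format i is what an AH SA in transport mode would produce instead.
AH_TRANSPORT = [SA("ESP", "tunnel"), SA("AH", "transport")]
# Question 2: three ESP tunnels plus an AH tunnel.
FOUR_SA = [SA("ESP", "tunnel", "DES"), SA("ESP", "tunnel", "3DES"),
           SA("ESP", "tunnel", "AES"), SA("AH", "tunnel")]

if __name__ == "__main__":
    for name, bundle in (("both tunnel", BOTH_TUNNEL),
                         ("AH transport", AH_TRANSPORT), ("four SAs", FOUR_SA)):
        print(f"{name:13s} {render(apply_bundle(bundle))}")
```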



_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec