RE: [Ipsec] Layer 2 processing inside IPsec



At 10:33 AM -0700 7/2/04, Paul Lambert wrote:
>  >tunnel mode requires that the next header be IP (v4 or v6)
>
>Requiring the next header to be IP is just one type of access 
>policy.  There is no reason that an access policy could not allow 
>other protocols and process/filter them accordingly.
>
>Paul
>
>-

There is a requirement for an IPsec TUNNEL to have an inner IP 
header, because of the need to forward the inner packet based on that 
header, and because our access control checks are defined relative to 
IP and next layer headers. If there is no need to forward the packet 
based on an inner IP header, then transport mode is used, and the 
access controls are applied to the outer header.

Steeve

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
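
Added example, not part of the original thread and not code from any IPsec implementation: a sketch of which header the access-control selectors come from in each mode, as discussed above. The function names, the sample addresses, and the treatment of the ESP next-header value as the next-layer protocol in transport mode are assumptions made for illustration; the packets are constructed, with checksums left at zero and not validated.

```python
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_IPV6 = 4, 41  # IANA numbers: IPv4-in-IP, IPv6

def ipv4_header(src, dst, proto):
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ip(pkt):
    """Return (src, dst, next_protocol) from a raw IPv4 or IPv6 header."""
    version = pkt[0] >> 4 if pkt else None
    if version == 4 and len(pkt) >= 20:
        return (ipaddress.IPv4Address(pkt[12:16]),
                ipaddress.IPv4Address(pkt[16:20]), pkt[9])
    if version == 6 and len(pkt) >= 40:
        return (ipaddress.IPv6Address(pkt[8:24]),
                ipaddress.IPv6Address(pkt[24:40]), pkt[6])
    raise ValueError("not a well-formed IP header")

def selectors(mode, outer, esp_next_header, payload):
    """Pick the (src, dst, protocol) tuple the access check is run against."""
    if mode == "tunnel":
        # Tunnel mode: the decapsulated payload must itself start with an
        # IP header, because forwarding and access control both use it.
        expected = {IPPROTO_IPIP: 4, IPPROTO_IPV6: 6}.get(esp_next_header)
        if expected is None:
            raise ValueError(
                f"tunnel mode: next header {esp_next_header} is not IP")
        if not payload or payload[0] >> 4 != expected:
            raise ValueError("inner packet does not match ESP next header")
        return parse_ip(payload)
    if mode == "transport":
        # Transport mode: no inner IP header; addresses come from the
        # outer header, protocol from the ESP next-header field.
        src, dst, _ = parse_ip(outer)
        return (src, dst, esp_next_header)
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    outer = ipv4_header("192.0.2.1", "192.0.2.2", 50)   # 50 = ESP
    inner = ipv4_header("10.0.0.5", "10.0.1.9", 6)      # 6 = TCP
    print(selectors("tunnel", outer, IPPROTO_IPIP, inner))
    print(selectors("transport", outer, 6, b""))
```

A tunnel-mode call with a non-IP next header, such as 97 (EtherIP), raises `ValueError`, which is the case the thread is arguing about.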