Re: AH (without ESP) on a secure gateway

Stephen Kent <kent@bbn.com> Wed, 04 December 1996 03:39 UTC

In-Reply-To: <199612030431.XAA25585@amaterasu.sandelman.ottawa.on.ca>
References: Your message of "Mon, 02 Dec 1996 18:56:39 EST." <v03007826aec91bcf76b6@[128.33.229.245]>
Date: Tue, 03 Dec 1996 18:17:41 -0500
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Stephen Kent <kent@bbn.com>
Subject: Re: AH (without ESP) on a secure gateway
Cc: ipsec@tis.com

Mike,

	You mention early in your message the key issue, which is the focus
of this debate.  I maintained that it makes sense to use AH between a pair
of firewalls ONLY if the header is applied to a tunneled SA.  Once we agree
on that, the rest ought to be easy.  The disagreement has been on whether
it is appropriate to have two (or more) instances of AH without an
intervening IP header.  We have seen several messages now arguing why this
is not an appropriate header sequence, including your message to which I am
responding.  So, I don't disagree with the examples you cited.

Steve