Re: AH (without ESP) on a secure gateway

Stephen Kent <kent@bbn.com> Tue, 03 December 1996 00:02 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id TAA22916 for ipsec-outgoing; Mon, 2 Dec 1996 19:02:21 -0500 (EST)
X-Sender: kent@po1.bbn.com
Message-Id: <v03007826aec91bcf76b6@[128.33.229.245]>
In-Reply-To: <199612021501.KAA18888@earth.hpc.org>
References: Yourmessage <199612021214.FAA13018@baskerville.CS.Arizona.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 02 Dec 1996 18:56:39 -0500
To: ho@earth.hpc.org
From: Stephen Kent <kent@bbn.com>
Subject: Re: AH (without ESP) on a secure gateway
Cc: ipsec@tis.com
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

Hilarie,

I think the conflict for "transport" use of AH is fatal. Consider
the following example:

	- firewalls A and B use AH for protection between them
	- all traffic from A is AH protected using a single SA
	- host A.1 (behind firewall A) establishes an SA to B.1 (behind
	firewall B) and this SA is also an AH SA
	- host B.1 chooses the same SPI for the traffic from A.1 to B.1 that
	firewall B chose for traffic from A to B

If A applies a second AH, it would look the same as the original AH used by
A.1 and thus there would be an ambiguity, right?  I think that trying to
fix this through the establishment of conventions for order of
interpretation is not a good idea.  There may be other problems from trying
to do nesting of non-tunnel mode AH, that have not occurred to me yet.

Steve
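The SPI collision Steve describes can be made concrete with a small model. The code below is an added illustration, not part of the original message or of any IPsec implementation: it models an IP packet carrying a chain of AH headers, an SA identified by (destination address, SPI), and a receiver that has to find "its" AH header by SPI. The addresses A, B, A.1 and B.1, the SPI values, the keys and the ICV construction (a truncated HMAC-SHA-256 over a simplified byte layout) are all constructed for the example; real AH uses HMAC-MD5-96 or HMAC-SHA-1-96 over the actual header fields.

```python
import hashlib
import hmac
from dataclasses import dataclass

ICV_LEN = 12  # AH truncates its HMAC to 96 bits; mirrored here for flavour

# Constructed keys: one for the firewall-to-firewall SA, one for the host SA.
KEY_FW = b"constructed-key-firewall-A-to-B"
KEY_HOST = b"constructed-key-host-A.1-to-B.1"


@dataclass
class AH:
    spi: int
    seq: int
    icv: bytes = b""


@dataclass
class IPPacket:
    src: str
    dst: str
    ah_chain: list      # AH headers, outermost first
    payload: bytes


def _header_bytes(ah, zero_icv=False):
    # Simplified AH encoding: SPI, sequence number, ICV (zeroed while computing).
    icv = b"\x00" * ICV_LEN if zero_icv else ah.icv
    return ah.spi.to_bytes(4, "big") + ah.seq.to_bytes(4, "big") + icv


def wire_bytes(pkt):
    # Serialised packet as it would travel, used when tunnelling one packet in another.
    return b"".join([f"{pkt.src}>{pkt.dst}".encode(),
                     *(_header_bytes(ah) for ah in pkt.ah_chain), pkt.payload])


def _covered(pkt, idx):
    # What the ICV of header `idx` covers: immutable IP fields, its own fields with
    # the ICV zeroed, every header after it, and the payload.
    parts = [f"{pkt.src}>{pkt.dst}".encode()]
    parts += [_header_bytes(ah, zero_icv=(j == idx))
              for j, ah in enumerate(pkt.ah_chain) if j >= idx]
    parts.append(pkt.payload)
    return b"".join(parts)


def compute_icv(key, pkt, idx):
    return hmac.new(key, _covered(pkt, idx), hashlib.sha256).digest()[:ICV_LEN]


def apply_ah(pkt, key, spi, seq):
    # Transport-mode AH insertion: a new outermost header whose ICV covers the rest.
    pkt.ah_chain.insert(0, AH(spi, seq))
    pkt.ah_chain[0].icv = compute_icv(key, pkt, 0)
    return pkt


def verify(pkt, key, idx):
    return hmac.compare_digest(compute_icv(key, pkt, idx), pkt.ah_chain[idx].icv)


def matching_headers(pkt, spi):
    # A receiver identifies an inbound SA by (destination address, SPI). In
    # transport mode every nested AH shares the packet's destination, so only
    # the SPI is left to tell the headers apart: return every header claiming it.
    return [i for i, ah in enumerate(pkt.ah_chain) if ah.spi == spi]


def nested_transport_scenario(spi_fw, spi_host):
    # A.1 applies AH for its SA to B.1, then firewall A applies a second
    # transport-mode AH for the A-to-B SA. Firewall B then looks for its SPI.
    pkt = IPPacket("A.1", "B.1", [], b"application data")
    apply_ah(pkt, KEY_HOST, spi_host, 1)
    apply_ah(pkt, KEY_FW, spi_fw, 7)
    candidates = matching_headers(pkt, spi_fw)
    # If more than one header matches, B can only resolve it by trial verification
    # or by a positional convention; the wrong header fails the ICV check.
    return candidates, {i: verify(pkt, KEY_FW, i) for i in candidates}


def tunnel_scenario(spi_fw, spi_host):
    # Tunnel mode: firewall A wraps the whole host packet in a new IP header
    # addressed to firewall B, so B's lookup key (B, SPI) cannot collide with
    # the host's (B.1, SPI) even when the SPI values are equal.
    inner = IPPacket("A.1", "B.1", [], b"application data")
    apply_ah(inner, KEY_HOST, spi_host, 1)
    outer = IPPacket("A", "B", [], wire_bytes(inner))
    apply_ah(outer, KEY_FW, spi_fw, 7)
    return matching_headers(outer, spi_fw)


if __name__ == "__main__":
    print("nested transport, colliding SPIs:", nested_transport_scenario(0x1000, 0x1000))
    print("nested transport, distinct SPIs: ", nested_transport_scenario(0x1000, 0x2000))
    print("tunnel mode, colliding SPIs:     ", tunnel_scenario(0x1000, 0x1000))
```

With colliding SPIs the firewall's lookup returns two candidate headers and it has to try each (only the outer one verifies under its key); with distinct SPIs, or in tunnel mode, exactly one header matches. This is the ambiguity the message points at, and the "try both" step is the kind of interpretation convention it argues against relying on.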