Re: Thomas Narten's DISCUSS vote

Gabriel.Montenegro@Eng.Sun.Com Sun, 24 May 1998 10:12 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id GAA06551 for ipsec-outgoing; Sun, 24 May 1998 06:12:25 -0400 (EDT)
From: Gabriel.Montenegro@Eng.Sun.Com
Date: Sun, 24 May 1998 03:26:50 -0700
Message-Id: <199805241026.DAA22149@hsmpka.eng.sun.com>
To: ipsec@tis.com
Reply-To: gab@Eng.Sun.Com
X-Mailer: Sun NetMail 2.1.4
Subject: Re: Thomas Narten's DISCUSS vote
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

"Vipul Gupta" <vgupta@nobel.eng.sun.com> wrote:

>Date: Fri, 22 May 1998 14:42:38 -0700 (PDT)
>
>  I think Tom's comment is valid. Even when used with NULL encryption, 
>  ESP's integrity check will include the TCP/UDP header and,

Only assuming transport mode ESP. Tunnel mode ESP should work
fine.
 
Perhaps this should be mentioned explicitly in the ESP_NULL draft:


>> >>    The IPsec Authentication Header [AH] specification provides a similar
>> >>    service, by computing authentication data which covers the data
>> >>    portion of a packet as well as the immutable in transit portions of
>> >>    the IP header.  ESP_NULL does not include the IP header in
>> >>    calculating the authentication data.  This can be useful in providing
>> >>    IPsec services through Network Address Translation (NAT) devices and
>> >>    non-IP network devices.  
         ^^^^^^^^^^^^^^^^^^^^^^^, particularly if using tunnel mode.

>> >>   The discussion on how ESP_NULL might be
>> >>    used with NAT and non-IP network devices is outside the scope of this
>> >>    document.
>> >


-gabriel
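The point above, as an added example that is not part of the original message: a small Python model of why transport-mode ESP-NULL breaks behind a NAT while tunnel mode survives. The addresses, SPI, key and the simplified IP header (just source and destination address) are constructed, and a truncated HMAC stands in for the ICV.

```python
import hmac, hashlib, struct

# Constructed demonstration values; none of them come from the original message.
KEY = b"constructed-demo-integrity-key"
ESP_HDR = struct.pack("!II", 0x1234, 1)  # SPI and sequence number
A, B, NAT_PUB = b"\x0a\x00\x00\x02", b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x01"

def csum16(data):  # Internet checksum: ones'-complement sum folded to 16 bits
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return (~s) & 0xffff
def pseudo(src, dst, n):  # IPv4 pseudo-header for UDP (protocol 17)
    return src + dst + struct.pack("!BBH", 0, 17, n)
def udp(src, dst, sport, dport, payload):
    # The UDP checksum covers the pseudo-header, so it depends on the IP addresses.
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    c = csum16(pseudo(src, dst, 8 + len(payload)) + hdr + payload)
    return hdr[:6] + struct.pack("!H", c) + payload
def udp_csum_ok(src, dst, seg):
    return csum16(pseudo(src, dst, len(seg)) + seg) == 0

def esp_null(covered):
    # ESP-NULL: payload in the clear; ICV over ESP header + payload + trailer, never over the IP header.
    body = ESP_HDR + covered + b"\x00\x11"  # trailer: pad length, next header
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:12]
def esp_icv_ok(esp):
    tag = hmac.new(KEY, esp[:-12], hashlib.sha256).digest()[:12]
    return hmac.compare_digest(tag, esp[-12:])

def build(payload, tunnel):
    # Transport: IP(A,B) + ESP(UDP).  Tunnel: outer IP(A,B) + ESP(inner IP(A,B) + UDP).
    seg = udp(A, B, 4000, 53, payload)
    return A + B + esp_null((A + B + seg) if tunnel else seg)

def nat(pkt, fix_transport_csum=False):
    # Source NAT rewrites the outer source address; repairing the visible transport checksum (a what-if) touches ICV-covered bytes.
    out = NAT_PUB + pkt[4:]
    if fix_transport_csum:
        seg = out[16:-14]  # the UDP segment inside the ESP payload
        fixed = udp(NAT_PUB, B, *struct.unpack("!HH", seg[:4]), seg[8:])
        out = out[:16] + fixed + out[-14:]
    return out

def receive(pkt, tunnel):
    # What the receiver sees: (ICV valid?, transport checksum valid?)
    esp, inner = pkt[8:], pkt[16:-14]
    src, dst, seg = (inner[:4], inner[4:8], inner[8:]) if tunnel else (pkt[:4], pkt[4:8], inner)
    return esp_icv_ok(esp), udp_csum_ok(src, dst, seg)
```

In transport mode the NAT either leaves the UDP checksum stale (ICV passes, checksum fails) or repairs it and invalidates the ICV; in tunnel mode the inner packet is untouched, so both checks pass after the outer address is rewritten.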