In tunnel mode why options are not copied to outer IP header

[Padma Goli <padma@trinc.com>]

Hi Karen, 


 I have a pending ( I wanted to ask this question long before) question (
rather a clarification )  in draft-ietf-ipsec-arch-sec-04.txt :


 In section 5.1.2 Header Construction for Tunnel Mode:


1) It is said that options are never copied to outer IP header from the
inner IP header. Why is it so ?


2) According to that  a user cannot have  tunnel mode security between two
endpoints along with strict routing( or any options ). Is it so.

But having Strict routing along with security ( I am speaking in the
context of tunnel mode ) provided, makes a lot of sense because we can
avoid the datagram traversal along a previously known  insecured route  or
a rival's router. 

3) We are doing options processing after IpsecOutbound processing. In case
of tunnel mode even though the hidden inner IP header had Options set as
they are not visible from outer IP header, we are just processing as if no
options was present in the inner IP header. 
Is this way correct. 

Even if option processing is done before Ipsecoutbound processing, options
of the inner IP header will be processed before encapsulation by the IPSEC
only at the sender,  but the intermediate security gateways acting as just
routers will not be doing any options processing at all. If this what is
thought of? 

Hoping an immediate reply.



Thanks,
Padma Goli.

*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
*Padma Goli                        |
*Rendzevous Onchip Pvt Ltd.        |
*Secunderbad                       |
*Phone No : (040)7742606           |
            (040)7740406           |
*email address : padma@trinc.com   |
*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|