Re: doi-07/interoperability questions

Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 10 March 1998 19:31 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id OAA11800 for ipsec-outgoing; Tue, 10 Mar 1998 14:31:59 -0500 (EST)
Message-Id: <3.0.5.32.19980310143859.009e6660@homebase.htt-consult.com>
X-Sender: rgm-sec@homebase.htt-consult.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Tue, 10 Mar 1998 14:38:59 -0500
To: ben@Ascend.COM
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: Re: doi-07/interoperability questions
Cc: ipsec@tis.com
In-Reply-To: <199803101920.OAA08417@carp.morningstar.com>
References: <3.0.5.32.19980310135454.00959830@homebase.htt-consult.com> <199803101550.KAA08137@carp.morningstar.com> <3.0.5.32.19980310135454.00959830@homebase.htt-consult.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

At 02:20 PM 3/10/98 -0500, Ben Rogers wrote:
>
>Yes.  In fact, I was thinking specifically about gateway to gateway
>configurations using both AH and ESP.

In that case...

>> >as to whether I should support mixed proposals.  My opinion is that it
>> >makes sense to support AH (transport) and ESP (tunnel) with the
>> >following encapsulation:
>> >
>> >[IP2][AH][ESP][IP1][upper]
>> >
>> >and to not support AH (tunnel) and ESP (transport).  Does anyone else

This feels right to me.  What you are saying is that the gateways are
maintaining a secure tunnel, which is separately authenticated. (I think
:).  So you want the tunneled IP datagram in one piece.  The AH (transport)
and ESP (tunnel) deliver this.  The AH (tunnel) and ESP (transport) break
the IP datagram.


Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com
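The header layouts the two messages above argue about, as an added example that is not part of the original thread and not code from either poster. It models the standard IPsec encapsulation rules (transport mode inserts the AH or ESP header after the outermost IP header; tunnel mode prepends a new outer IP header plus the IPsec header in front of the whole datagram) as list operations, applies them in each bundle order for a gateway-to-gateway pair, and checks whether the original [IP1][upper] datagram is still carried as one contiguous unit. The header names follow the diagram in the thread; the function names, bundle representation and the constructed inner datagram are this example's own assumptions.

```python
# Added example (not from the original post): model of how the two AH+ESP
# bundle orderings discussed in the thread lay out headers on the wire.
# Header names (IP1, IP2, AH, ESP, upper) follow the post's diagram.
# Rules modelled: transport mode inserts the IPsec header after the
# outermost IP header; tunnel mode prepends a fresh outer IP header plus
# the IPsec header in front of the whole packet. Function names and the
# bundle format are assumptions made for this example.

from typing import Dict, List, Tuple

Header = str
Packet = List[Header]
Bundle = List[Tuple[str, str]]  # [(proto, mode), ...], applied in order


def apply_sa(pkt: Packet, proto: str, mode: str, next_outer: int) -> Packet:
    """Apply one SA (AH or ESP, transport or tunnel) to an outbound packet."""
    if proto not in ("AH", "ESP"):
        raise ValueError(f"unknown protocol {proto!r}")
    if not pkt or not pkt[0].startswith("IP"):
        raise ValueError("packet must start with an IP header")
    if mode == "transport":
        # IPsec header sits between the existing IP header and its payload.
        return [pkt[0], proto] + pkt[1:]
    if mode == "tunnel":
        # A new outer IP header and the IPsec header wrap the whole datagram.
        return [f"IP{next_outer}", proto] + pkt
    raise ValueError(f"unknown mode {mode!r}")


def encapsulate(inner: Packet, bundle: Bundle) -> Packet:
    """Apply each SA of the bundle in list order (first entry first)."""
    pkt = list(inner)
    next_outer = 2  # the thread calls the gateway-added header IP2
    for proto, mode in bundle:
        pkt = apply_sa(pkt, proto, mode, next_outer)
        if mode == "tunnel":
            next_outer += 1
    return pkt


def layout(pkt: Packet) -> str:
    """Render a header list in the thread's [IP2][AH][ESP]... notation."""
    return "".join(f"[{h}]" for h in pkt)


def inner_datagram_intact(pkt: Packet, inner: Packet) -> bool:
    """True if the original datagram still appears as one contiguous run."""
    n = len(inner)
    return any(pkt[i:i + n] == inner for i in range(len(pkt) - n + 1))


# Constructed host-to-host datagram transiting the two gateways.
INNER: Packet = ["IP1", "upper"]

# ESP tunnel wraps the datagram first, then AH transport covers the
# resulting outer packet: the tunnelled datagram travels in one piece.
AH_TRANSPORT_ESP_TUNNEL: Bundle = [("ESP", "tunnel"), ("AH", "transport")]

# ESP transport is applied to the original datagram first, separating IP1
# from its upper layer, and AH tunnel then wraps the result.
AH_TUNNEL_ESP_TRANSPORT: Bundle = [("ESP", "transport"), ("AH", "tunnel")]


def compare() -> Dict[str, Tuple[str, bool]]:
    """Return (layout, inner-datagram-intact) for both bundle orderings."""
    out: Dict[str, Tuple[str, bool]] = {}
    for name, bundle in (("AH(transport)+ESP(tunnel)", AH_TRANSPORT_ESP_TUNNEL),
                         ("AH(tunnel)+ESP(transport)", AH_TUNNEL_ESP_TRANSPORT)):
        pkt = encapsulate(INNER, bundle)
        out[name] = (layout(pkt), inner_datagram_intact(pkt, INNER))
    return out


if __name__ == "__main__":
    for name, (lay, intact) in compare().items():
        print(f"{name}: {lay}  inner datagram intact: {intact}")
```

The model tracks header order only: it does not represent that ESP tunnel mode encrypts the whole [IP1][upper] payload or which fields each AH ICV covers. That is enough to show the thread's point, that the first ordering keeps the tunneled datagram whole behind the ESP header while the second splices an ESP header into it.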