RE: SA bundle negotiation

Sankar Ramamoorthi <Sankar@vpnet.com> Fri, 15 October 1999 20:03 UTC

Message-ID: <D899E9E27BE9D211842200805FA67B431B957A@vpnet.com>
From: Sankar Ramamoorthi <Sankar@vpnet.com>
To: 'David Tannheimer' <dtannhei@nortelnetworks.com>, ipsec@lists.tislabs.com
Subject: RE: SA bundle negotiation
Date: Fri, 15 Oct 1999 11:13:44 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1461.28)
Content-Type: text/plain; charset="windows-1252"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

It is my understanding that all should be negotiated in tunnel mode.

-- sankar --


-----Original Message-----
From: David Tannheimer [mailto:dtannhei@nortelnetworks.com]
Sent: Friday, October 15, 1999 7:17 AM
To: ipsec@lists.tislabs.com
Subject: SA bundle negotiation


I apologize in advance if this has already been beaten to death on the
list.  I have a question as to the right way to negotiate encapsulation
mode for certain ipsec SA bundles, to ensure interoperability.
I've heard various arguments, but I need a larger feedback sampling.

To achieve the following encapsulation format, should both the ESP
transform payload and the AH transform payload (in the quick mode
exchange) specify Tunnel mode, or is ESP in Tunnel mode and AH in
Transport mode?

        -----------------------------------------
        | Outer  | AH  | ESP | Orig   | Payload |
        | IP Hdr | Hdr | Hdr | IP Hdr |         |
        -----------------------------------------

Same idea here.  Should IPComp be negotiated as Tunnel mode, with both
ESP and AH in Transport mode, or are they all negotiated as Tunnel mode?

        --------------------------------------------------
        | Outer  | AH  | ESP | IPComp | Orig   | Payload |
        | IP Hdr | Hdr | Hdr | Hdr    | IP Hdr |         |
        --------------------------------------------------

Thanks,
Dave
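The question above is about how the AH, ESP and IPComp proposals of one protection suite are expressed in the quick mode SA payload, and the reply is that all of them carry Encapsulation Mode = Tunnel. The following is an added example, not code from either poster: it builds such a suite as ISAKMP Proposal/Transform payloads (RFC 2408 layout, RFC 2407 IPSEC DOI values, all proposals sharing proposal number 1 so they are ANDed) and then walks a received chain to check that every protocol in the suite names the same encapsulation mode, which is the interoperability check a responder would want. SPI and CPI bytes are constructed sample values.

```python
import struct
PROTO_AH, PROTO_ESP, PROTO_IPCOMP = 2, 3, 4        # RFC 2407 Protocol-Ids
ATTR_ENCAP_MODE, ATTR_AUTH_ALG = 4, 5              # RFC 2407 SA attribute types
ENCAP_TUNNEL, ENCAP_TRANSPORT = 1, 2               # Encapsulation Mode values
AH_SHA, ESP_3DES, IPCOMP_DEFLATE, HMAC_SHA = 3, 3, 2, 2
NP_NONE, NP_PROPOSAL, NP_TRANSFORM = 0, 2, 3       # ISAKMP Next Payload values

def transform(num, tid, attrs, last):
    """ISAKMP Transform payload (RFC 2408 s3.6) carrying basic (TV) attributes."""
    body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)
    np = NP_NONE if last else NP_TRANSFORM
    return struct.pack("!BBHBBH", np, 0, 8 + len(body), num, tid, 0) + body

def proposal(num, proto, spi, transforms, last):
    """ISAKMP Proposal payload (RFC 2408 s3.5); equal num across payloads = AND."""
    body, np = b"".join(transforms), NP_NONE if last else NP_PROPOSAL
    hdr = struct.pack("!BBHBBBB", np, 0, 8 + len(spi) + len(body), num, proto, len(spi), len(transforms))
    return hdr + spi + body

def bundle(ah_mode, esp_mode, ipcomp_mode):
    """Constructed AH+ESP+IPComp suite as proposal #1; SPIs/CPI are sample values."""
    ah = transform(1, AH_SHA, [(ATTR_AUTH_ALG, HMAC_SHA), (ATTR_ENCAP_MODE, ah_mode)], True)
    esp = transform(1, ESP_3DES, [(ATTR_AUTH_ALG, HMAC_SHA), (ATTR_ENCAP_MODE, esp_mode)], True)
    ipc = transform(1, IPCOMP_DEFLATE, [(ATTR_ENCAP_MODE, ipcomp_mode)], True)
    return (proposal(1, PROTO_AH, b"\x00\x00\x10\x01", [ah], False)
            + proposal(1, PROTO_ESP, b"\x00\x00\x20\x01", [esp], False)
            + proposal(1, PROTO_IPCOMP, b"\x01\x01", [ipc], True))

def encap_modes(data):
    """Walk a Proposal chain -> {proposal#: {Protocol-Id: set(encap modes)}}."""
    out, off = {}, 0
    while off < len(data):
        _, _, plen, num, proto, spi_sz, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        t_off, modes = off + 8 + spi_sz, set()
        for _ in range(ntrans):
            tlen = struct.unpack_from("!H", data, t_off + 2)[0]
            a_off, a_end = t_off + 8, t_off + tlen
            while a_off < a_end:
                tv, val = struct.unpack_from("!HH", data, a_off)
                if tv & 0x8000:                          # AF=1: Type/Value, 4 bytes
                    if (tv & 0x7FFF) == ATTR_ENCAP_MODE: modes.add(val)
                    a_off += 4
                else:                                    # AF=0: Type/Length/Value
                    a_off += 4 + val
            t_off += tlen
        out.setdefault(num, {})[proto] = modes
        off += plen
    return out

def suite_is_consistent(protos):   # every protocol of one suite names one mode
    return len(set().union(*protos.values())) == 1
```

A mixed suite (AH in transport, ESP and IPComp in tunnel) parses fine but fails `suite_is_consistent`, which is the case the thread warns may not interoperate.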