Re: Re[2]: AH (without ESP) on a secure gateway
Bill Sommerfeld <sommerfeld@apollo.hp.com> Mon, 02 December 1996 21:21 UTC
Message-Id: <199612022123.QAA00683@thunk.orchard.medford.ma.us>
To: "Whelan, Bill" <bwhelan@nei.com>
Cc: kent@bbn.com, ho@earth.hpc.org, ipsec@tis.com
Subject: Re: Re[2]: AH (without ESP) on a secure gateway
In-Reply-To: bwhelan's message of Mon, 02 Dec 1996 12:43:17 -0500. <9611028495.AA849563882@netx.nei.com>
Date: Mon, 02 Dec 1996 16:23:37 -0500
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>

> >But this potential conflict is not necessarily fatal, is it? Assuming
> >cooperating firewalls, the conflict can exist and be irrelevant. The
> >firewalls unwrap outer headers according to their notions of the SA
> >mappings, and the end hosts unwrap inner headers according to their
> >notions. Conflicts are invisible as long as the firewalls are in
> >place.
>
> Outer headers and inner headers? Per RFC1826, the Authentication Header
> sits between the IP header and the upper layer protocol. It appears the
> same whether it's inserted by the host system or the gateway.

Hmm. Which "protocol tower" are we talking about, anyhow?

    IP[H1->H2],AH[R1->R2],...
or
    IP[R1->R2],AH[R1->R2],IP[H1->H2],...

(R1,R2 are routers, H1,H2 are hosts; the problem is only interesting
if we assume H2 != R2).

The latter case has "outer headers" and "inner headers".

I can see ways of making the former case "work" when H2 doesn't do AH,
but if H2 does, you have to worry about SPI collisions between the
ones assigned by H2 and the ones assigned by R2.

- Bill
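
Added example, not part of the original message: a small Python model of the SPI collision described above, assuming security associations are looked up by (destination address, SPI) as in RFC 1825. The function names, the SPI values and the range-partitioning variant are constructed for illustration and do not come from the thread.

```python
# Added illustration; names and SPI values are constructed.
# Model: an SA is looked up by (destination address, SPI), per RFC 1825.
# Each receiver picks SPIs from its own counter and knows nothing of the other's.

def allocate(owner, dst, n, first_spi=0x100):
    """Owner assigns n inbound SPIs for packets addressed to dst."""
    return [(owner, dst, spi) for spi in range(first_spi, first_spi + n)]

def collisions(assignments):
    """Return {(dst, spi): [owners]} for every key claimed by more than one owner."""
    owners = {}
    for owner, dst, spi in assignments:
        owners.setdefault((dst, spi), set()).add(owner)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}

def former_case(n=3):
    # IP[H1->H2],AH[R1->R2]: the packet is addressed to H2, so R2's SAs
    # and H2's own end-to-end SAs are both keyed on destination H2.
    return collisions(allocate("R2", "H2", n) + allocate("H2", "H2", n))

def latter_case(n=3):
    # IP[R1->R2],AH[R1->R2],IP[H1->H2]: the outer AH is keyed on R2,
    # any inner AH on H2, so the two SPI spaces never share a key.
    return collisions(allocate("R2", "R2", n) + allocate("H2", "H2", n))

def partitioned(n=3):
    # One possible coordination (an assumption, not from the thread):
    # R2 and H2 agree on disjoint SPI ranges for destination H2.
    return collisions(allocate("R2", "H2", n, first_spi=0x100) +
                      allocate("H2", "H2", n, first_spi=0x8000))

if __name__ == "__main__":
    for name, fn in [("former", former_case), ("latter", latter_case),
                     ("partitioned", partitioned)]:
        print(name, fn())
```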