Re[2]: AH (without ESP) on a secure gateway

"Whelan, Bill" <bwhelan@nei.com> Mon, 02 December 1996 18:59 UTC

Date: Mon, 02 Dec 1996 12:43:17 -0500
From: "Whelan, Bill" <bwhelan@nei.com>
Message-Id: <9611028495.AA849563882@netx.nei.com>
To: kent@bbn.com, ho@earth.hpc.org
Cc: ipsec@tis.com
Subject: Re[2]: AH (without ESP) on a secure gateway

     .
     .
     .
     
>But this potential conflict is not necessarily fatal, is it?  Assuming 
>cooperating firewalls, the conflict can exist and be irrelevant.  The 
>firewalls unwrap outer headers according to their notions of the SA 
>mappings, and the end hosts unwrap inner headers according to their 
>notions.  Conflicts are invisible as long as the firewalls are in 
>place.

Outer headers and inner headers?  Per RFC1826, the Authentication Header 
sits between the IP header and the upper layer protocol.  It appears the 
same whether it's inserted by the host system or the gateway.
     
     
>Hilarie

Bill
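
The header layout under discussion, as an added example that is not part of the original message: a Python walk of an IPv4 header chain using the RFC 1826 AH layout (Next Header, Length of the authentication data in 32-bit words, Reserved, SPI). The packets, addresses and SPI values are constructed, and the IP-in-IP (protocol 4) nesting used for the gateway sample is an assumption made for illustration.

```python
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_AH = 4, 6, 51

def ipv4(proto, payload, dst):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed test data)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr("192.0.2.1"), addr(dst)) + payload

def ah(next_header, spi, auth_data, payload):
    """RFC 1826 AH: Next Header, Length (auth data, 32-bit words), Reserved, SPI."""
    if len(auth_data) % 4:
        raise ValueError("authentication data must be a multiple of 32 bits")
    return struct.pack("!BBHI", next_header, len(auth_data) // 4, 0, spi) + auth_data + payload

def walk(pkt):
    """Return the header chain as (kind, value) tuples, validating every length."""
    chain, proto, off = [], IPPROTO_IPIP, 0   # the buffer starts with an IPv4 header
    while proto in (IPPROTO_IPIP, IPPROTO_AH):
        left = len(pkt) - off
        if proto == IPPROTO_IPIP:
            if left < 20 or pkt[off] >> 4 != 4:
                raise ValueError("truncated or non-IPv4 header")
            ihl = (pkt[off] & 0x0F) * 4
            if ihl < 20 or left < ihl:
                raise ValueError("bad IPv4 header length")
            chain.append(("IPv4", ".".join(map(str, pkt[off + 16:off + 20]))))
            proto, off = pkt[off + 9], off + ihl
        else:
            if left < 8:
                raise ValueError("truncated AH")
            nxt, words, _, spi = struct.unpack_from("!BBHI", pkt, off)
            if left < 8 + 4 * words:
                raise ValueError("truncated AH authentication data")
            chain.append(("AH", spi))
            proto, off = nxt, off + 8 + 4 * words
    chain.append(("upper", proto))
    return chain

# Constructed samples: 16 zero bytes stand in for a 128-bit authentication value.
HOST_PKT = ipv4(IPPROTO_AH, ah(IPPROTO_TCP, 0x1001, bytes(16), b"\x00" * 20), "198.51.100.7")
GW_PKT = ipv4(IPPROTO_AH, ah(IPPROTO_IPIP, 0x2002, bytes(16), HOST_PKT), "203.0.113.1")

if __name__ == "__main__":
    for name, pkt in (("host", HOST_PKT), ("gateway", GW_PKT)):
        print(name, walk(pkt))
```

The walk stops at the first header that is neither IPv4 nor AH and rejects any buffer whose AH Length field points past the end of the data.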