SA bundle negotiation

David Tannheimer <dtannhei@nortelnetworks.com> Fri, 15 October 1999 16:00 UTC

Message-ID: <14343.14150.578359.846546@gargle.gargle.HOWL>
Date: Fri, 15 Oct 1999 10:16:38 -0400
From: David Tannheimer <dtannhei@nortelnetworks.com>
To: ipsec@lists.tislabs.com
Subject: SA bundle negotiation

I apologize in advance if this has already been beaten to death on the
list.  I have a question as to the right way to negotiate encapsulation
mode for certain IPsec SA bundles, to ensure interoperability.
I've heard various arguments, but I need a larger feedback sampling.

To achieve the following encapsulation format, should both the ESP
transform payload and the AH transform payload (in the quick mode
exchange) specify Tunnel mode, or is ESP in Tunnel mode and AH in
Transport mode?

        -----------------------------------------
        | Outer  | AH  | ESP | Orig   | Payload |
        | IP Hdr | Hdr | Hdr | IP Hdr |         |
        -----------------------------------------
 

Same idea here.  Should IPComp be negotiated as Tunnel mode, with both
ESP and AH in Transport mode, or are they all negotiated as Tunnel mode?

        --------------------------------------------------
        | Outer  | AH  | ESP | IPComp | Orig   | Payload |
        | IP Hdr | Hdr | Hdr | Hdr    | IP Hdr |         |
        --------------------------------------------------

Thanks,
Dave