Re: AH (without ESP) on a secure gateway

pau@watson.ibm.com Wed, 27 November 1996 21:59 UTC

From: pau@watson.ibm.com
Date: Wed, 27 Nov 1996 15:53:29 -0500
Message-Id: <9611272053.AA22380@secpwr.watson.ibm.com>
To: ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
Cc: isakmp-oakley@cisco.com

I have a question triggered by the discussion:

  If two firewalls (gateways), IDii and IDir, did a successful ISAKMP
  phase-II proxy negotiation for IDui and IDur, then which one is the
  right usage of the SA resulting from the negotiation:

  1. The SA is shared between IDii and IDir (the gateways), and IDii
     and IDir are performing IPSEC protection on traffic between IDui and
     IDur. In this case, IDui and IDur are unaware of the IPSEC protection.

  2. The SA is shared between IDui and IDur, and IDui and IDur perform IPSEC
     by themselves. IDii and IDir (the gateways) become more or less (IPSEC)
     transparent.

Pau-Chen