RE: doi-07/interoperability questions

CJ Gibson <cjgibson@semaphorecom.com> Wed, 11 March 1998 16:20 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA20195 for ipsec-outgoing; Wed, 11 Mar 1998 11:20:02 -0500 (EST)
Message-ID: <0171F2F8F9E5D011A4D10060B03CFB44097E85@scc-server3.semaphorecom.com>
From: CJ Gibson <cjgibson@semaphorecom.com>
To: "'Eric L. Wong'" <ewong@zk3.dec.com>, Ben Rogers <ben@Ascend.COM>
Cc: Robert Moskowitz <rgm-sec@htt-consult.com>, ipsec@tis.com
Subject: RE: doi-07/interoperability questions
Date: Wed, 11 Mar 1998 08:47:13 -0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

I don't believe we should delete either 2 or 4 but I didn't think that's
what Ben meant by "not support AH (tunnel) and ESP (transport)". I
assumed this meant "not support [these] together on the same packet."
You aren't seriously advocating the removal of AH-tunnel mode, are you?
I also don't see the use of adding 6.

--CJ


	-----Original Message-----
	From:	Eric L. Wong [SMTP:ewong@zk3.dec.com]
	Sent:	Tuesday, March 10, 1998 2:07 PM
	To:	Ben Rogers
	Cc:	Robert Moskowitz; ipsec@tis.com
	Subject:	Re: doi-07/interoperability questions

	Sounds to me you are suggesting the following changes to the arch spec
	in section 4.5 Case 1.
	]
	]                   Transport                  Tunnel
	]              -----------------          ---------------------
	]              1. [IP1][AH][upper]        4. [IP2][AH][IP1][upper]
	]              2. [IP1][ESP][upper]       5. [IP2][ESP][IP1][upper]
	]              3. [IP1][AH][ESP][upper]
	]

	                  Transport                     Tunnel
	             -----------------             ---------------------
	             1. [IP1][AH][upper]   (remove)4. [IP2][AH][IP1][upper]
	     (remove)2. [IP1][ESP][upper]          5. [IP2][ESP][IP1][upper]
	             3. [IP1][AH][ESP][upper] (add)6. [IP2][AH][ESP][IP1][upper]

	Is this correct?

	I think it is ok to remove 4, it really doesn't buy you much.
	I think we should keep 2.  This new one for tunnel mode seems
	to make sense.  Now, should we restrict 6 to just gateway-to-
	gateway?

	/eric

	Ben Rogers wrote:
	> 
	> Yes.  In fact, I was thinking specifically about gateway to gateway
	> configurations using both AH and ESP.
	> 
	> Robert Moskowitz writes:
	> > At 10:50 AM 3/10/98 -0500, Ben Rogers wrote:
	> >
	> > I believe you are talking about where the transforms all end at the same
	> > system, not the case where the transport is end to end and the tunnel is
	> > gateway to gateway.
	> >
	> > >My other question centers on the use of Encapsulation Mode attributes in
	> > >combined (AND) proposal transforms.  Namely, it seems obvious that we
	> > >should support the case where both are transport mode (Case 1.3 in
	> > >section 4.5 of arch-sec), and not support the case where both are tunnel
	> > >(probably returning a BAD-PROPOSAL-SYNTAX).  However, I'm not too clear
	> > >as to whether I should support mixed proposals.  My opinion is that it
	> > >makes sense to support AH (transport) and ESP (tunnel) with the
	> > >following encapsulation:
	> > >
	> > >[IP2][AH][ESP][IP1][upper]
	> > >
	> > >and to not support AH (tunnel) and ESP (transport).  Does anyone else
	> > >have any feelings on this matter?  Whatever we choose probably ought to
	> > >be added as clarifying text to [IPDOI].
	> > >
	> > >
	> > >ben
	> > >
	> > >
	> > Robert Moskowitz
	> > ICSA
	> > Security Interest EMail: rgm-sec@htt-consult.com
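As an added illustration (not code from this thread or from any IPsec implementation), a small Python model of how the Encapsulation Mode attributes of a combined (AND) proposal map onto the header chains in the section 4.5 table quoted above, applying the rule Ben proposes. The order in which transforms are applied (ESP before AH) and the rejection strings are my own assumptions.

```python
TUNNEL, TRANSPORT = "tunnel", "transport"

# Header chains from the arch spec section 4.5 Case 1 table quoted above,
# plus the proposed case 6, keyed by chain -> case number.
CASES = {
    ("IP1", "AH", "upper"): 1,
    ("IP1", "ESP", "upper"): 2,
    ("IP1", "AH", "ESP", "upper"): 3,
    ("IP2", "AH", "IP1", "upper"): 4,
    ("IP2", "ESP", "IP1", "upper"): 5,
    ("IP2", "AH", "ESP", "IP1", "upper"): 6,  # proposed addition
}


def apply_transform(chain, protocol, mode):
    """Wrap a header chain in one transform: transport inserts the IPsec
    header after the outermost IP header; tunnel adds a new outer IP header
    (numbered one higher than the current outermost) in front of it."""
    outer = chain[0]  # e.g. "IP1"
    if mode == TRANSPORT:
        return (outer, protocol) + chain[1:]
    if mode == TUNNEL:
        return ("IP%d" % (int(outer[2:]) + 1), protocol) + chain
    raise ValueError("unknown encapsulation mode %r" % mode)


def encapsulate(transforms):
    """Derive the on-the-wire chain for a list of (protocol, mode) pairs.
    ESP is applied before AH so AH ends up outside ESP (cases 3 and 6)."""
    chain = ("IP1", "upper")
    for proto in ("ESP", "AH"):
        for p, mode in transforms:
            if p == proto:
                chain = apply_transform(chain, p, mode)
    return chain


def check_proposal(transforms):
    """Return (accepted, case_or_reason, chain) under the rule Ben proposes:
    both tunnel is rejected as BAD-PROPOSAL-SYNTAX, AH (tunnel) with
    ESP (transport) is unsupported, everything else maps to a table case."""
    modes = dict(transforms)
    chain = encapsulate(transforms)
    if modes.get("AH") == TUNNEL and modes.get("ESP") == TUNNEL:
        return False, "BAD-PROPOSAL-SYNTAX", chain
    if chain not in CASES:
        return False, "unsupported encapsulation", chain
    return True, CASES[chain], chain
```

Running `check_proposal` over the four two-transform combinations shows why the mixed AH (tunnel) + ESP (transport) case yields a chain, [IP2][AH][IP1][ESP][upper], that appears nowhere in the table.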