IETF Logo Mail Archive

Re: proposed IPSEC changes/extensions

David Wagner <daw@cs.berkeley.edu> Tue, 29 October 1996 15:12 UTC

Received: from cnri by ietf.org id aa14224; 29 Oct 96 10:12 EST
Received: from neptune.hq.tis.com by CNRI.Reston.VA.US id aa10650; 29 Oct 96 10:12 EST
Received: from neptune.tis.com by neptune.TIS.COM id aa24801; 29 Oct 96 9:43 EST
To: ipsec@tis.com
Path: not-for-mail
From: David Wagner <daw@cs.berkeley.edu>
Newsgroups: isaac.lists.ipsec
Subject: Re: proposed IPSEC changes/extensions
Date: Mon, 28 Oct 1996 18:47:04 -0800
Organization: ISAAC Group, UC Berkeley
Lines: 20
Message-ID: <553r78$2vp@joseph.cs.berkeley.edu>
References: <v02130505ae9a8af26d4c@[128.89.30.6]>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

In article <v02130505ae9a8af26d4c@[128.89.30.6]>,
Stephen Kent  <kent@bbn.com> wrote:
>        The document explains the need to support AH and both transport and
> tunnel modes of ESP, based on the context (host vs. security gateway).
> However, what about nested combinations of these protocols?  It probably is
> not reasonable to require an implementation to support all possible
> combinations of these headers, nested to any depth.

While I don't know what the requirements ought to be, I thought I'd throw
in a brief word of implementation experience.

When I was implementing ipsec, I found that handling arbitrarily-nested
combinations was easy.  On inbound processing, just strip off an ipsec
header, and recurse: throw the packet back in the inbound queue.  (You
only have to maintain a bit of state for authentication.)

Certainly support for *sending* packets with arbitrarily-nested headers
is harder to implement.  But that's fine; either way, we ought to

    Be conservative in what you send and liberal in what you'll accept.

v2.29.0 | Report a Bug | By Email | System Status