Re: [Ipsec] Number of SPD Policies

Subha writes:
> If AH+ESP between the same two gateway devices is not
> actually providing any extra cryptographic protection,
> why have it at all?

True.

> 2401bis could have simply removed that combination. 

2401bis did remove it as a single concept.

The reason there is still the forwarding step is when you have the
following case:

Host A <-------> SGW <-----> Host B

and where Host A needs to authenticate all his packets with tunnel
mode AH to the SGW before it can get through it (i.e. Host A might
be somewhere inside the internet, and the SGW is the corporate
firewall, requiring authentication before letting any traffic in, but
as all traffic is also protected by ESP end to end, AH is enough for
the SGW). In addition to that, Host A needs to create transport mode
ESP to connect to Host B (let's say a financial server or something).

Now Host A does need to have both AH and ESP applied to the packet,
and his policy would be:

Host A, Host B, ESP or IKE use tunnel mode AH to SGW
Host A, Host B, any traffic use transport mode ESP, reforward to IPsec

> Also, my understanding is that having AH over ESP provides
> additional protection on the tunnel header, which is otherwise
> not handled by ESP with Auth.

If the ESP is in tunnel mode, the external header is thrown away, so
the protection AH offers to it is not useful.
-- 
kivinen at safenet-inc.com

_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
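The two policy lines above are easy to misread, so here is an added Python model (not code from the thread, from RFC 4301, or from any IPsec implementation) that walks a packet through Host A's SPD exactly as the message describes: the "any traffic" entry applies transport mode ESP and hands the result back to the SPD, where the now-ESP packet matches the "ESP or IKE" entry and gets tunnel mode AH to the SGW. It also shows what the SGW sees, what goes wrong without the forwarding step, and how a policy that re-forwards into itself is caught. The names `Packet`, `Rule`, `outbound`, `sgw_inbound`, the host labels and the rule layout are all assumptions made for this example; the topology and the two policy lines are the only things taken from the message.

```python
"""Toy SPD lookup with a 'reforward to IPsec' step (added illustration).

Packet/Rule representation, function names and host labels are
assumptions for this example, not the format of any real SPD.
"""
from dataclasses import dataclass
from typing import Optional

HOST_A, HOST_B, SGW = "HostA", "HostB", "SGW"   # constructed topology


@dataclass
class Packet:
    src: str
    dst: str
    headers: list                      # protocol chain after the IP header
    inner: Optional["Packet"] = None   # encapsulated IP packet (tunnel mode)

    @property
    def proto(self) -> str:
        return self.headers[0]


@dataclass
class Rule:
    src: str
    dst: str
    protos: Optional[frozenset]        # None means "any traffic"
    action: str                        # "esp-transport" or "ah-tunnel"
    peer: Optional[str] = None         # tunnel endpoint for ah-tunnel
    reforward: bool = False            # hand the result back to the SPD

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src == self.src and pkt.dst == self.dst
                and (self.protos is None or pkt.proto in self.protos))


def describe(pkt: Packet) -> str:
    """Render the header chain, e.g. IP(HostA->SGW)/AH/IP(HostA->HostB)/ESP/TCP."""
    text = f"IP({pkt.src}->{pkt.dst})/" + "/".join(pkt.headers)
    if pkt.inner is not None:
        text += "/" + describe(pkt.inner)
    return text


def apply_rule(rule: Rule, pkt: Packet) -> Packet:
    if rule.action == "esp-transport":
        # Transport mode keeps the IP header and protects what follows it.
        return Packet(pkt.src, pkt.dst, ["ESP"] + pkt.headers, pkt.inner)
    if rule.action == "ah-tunnel":
        # Tunnel mode wraps the whole packet in a new IP header to the peer.
        return Packet(pkt.src, rule.peer, ["AH"], inner=pkt)
    raise ValueError(f"unknown action {rule.action!r}")


def outbound(spd: list, pkt: Packet, max_passes: int = 4) -> Packet:
    """First-match SPD lookup; a reforwarding rule sends the result back in."""
    for _ in range(max_passes):
        rule = next((r for r in spd if r.matches(pkt)), None)
        if rule is None:
            return pkt                 # no policy: pass unchanged (simplification)
        pkt = apply_rule(rule, pkt)
        if not rule.reforward:
            return pkt
    raise RuntimeError("SPD reforward loop: policy never terminates")


def sgw_inbound(pkt: Packet, gateway: str = SGW) -> Optional[Packet]:
    """Gateway side: accept only AH tunnel packets addressed to it, strip the
    tunnel and forward the inner packet. It never needs the ESP keys."""
    if pkt.dst != gateway or pkt.proto != "AH" or pkt.inner is None:
        return None                    # not authenticated to the gateway: drop
    return pkt.inner


def host_a_spd() -> list:
    """The two policy lines from the message, in order."""
    return [
        Rule(HOST_A, HOST_B, frozenset({"ESP", "IKE"}), "ah-tunnel", peer=SGW),
        Rule(HOST_A, HOST_B, None, "esp-transport", reforward=True),
    ]


def host_a_spd_without_reforward() -> list:
    """Same policy with the forwarding step left out: AH is never applied."""
    return [
        Rule(HOST_A, HOST_B, frozenset({"ESP", "IKE"}), "ah-tunnel", peer=SGW),
        Rule(HOST_A, HOST_B, None, "esp-transport", reforward=False),
    ]


def looping_spd() -> list:
    """A reforwarding 'any traffic' rule with nothing to catch the ESP packet."""
    return [Rule(HOST_A, HOST_B, None, "esp-transport", reforward=True)]


if __name__ == "__main__":
    for spd in (host_a_spd(), host_a_spd_without_reforward()):
        out = outbound(spd, Packet(HOST_A, HOST_B, ["TCP"]))
        fwd = sgw_inbound(out)
        print(describe(out), "-> SGW forwards:", describe(fwd) if fwd else "DROP")
```

Running it shows the plain TCP packet leaving Host A as `IP(HostA->SGW)/AH/IP(HostA->HostB)/ESP/TCP`, which the SGW strips to `IP(HostA->HostB)/ESP/TCP` for Host B, while the variant without the forwarding step produces only `IP(HostA->HostB)/ESP/TCP` and is dropped at the gateway. The bounded pass count in `outbound` is the check a real implementation needs once policies can feed back into the SPD.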