
Re: AH and mutable fields, how deep to look?

At 12:18 +0200 12/9/03, Markku Savela wrote:
[I tried to send a message about this last week, but it disappeared...]

With the following

IP Ext.-Headers1 AH Ext.-Headers2 ...

TAHI test assumes that the "mutable field" processing is also done for
the Ext.Headers2. I always had the misconception(?), and my
implementation also has it, that the payload after AH is treated as
opaque bits, and immutable.

I find my interpretation, of course, saner (and simpler). However, the AH
RFC seems to support TAHI's interpretation (at least the ASCII

If my interpretation is wrong, then the followup question is: how deep
are you supposed to scan? Say,

IP ext1 AH ext2 IP-tunnel ext3 ...etc..

Then, an unknown (to the SG) extension header inside ext3 would
totally unnecessarily break the IPSEC...

The intent was to treat everything after AH as opaque, in IPv6 as well as IPv4. What change to the graphics would help convey this better?
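As an added illustration of the reply's position (this is example code written for this page, not code from either poster or from any IPsec implementation), the block below builds the AH integrity-check input for an IPv6 packet the way RFC 2402 section 3.3.3 describes it: mutable fields of the base header (Traffic Class, Flow Label, Hop Limit) are zeroed, options with the "mutable" bit in the Hop-by-Hop header that precedes AH have their data zeroed, the ICV field inside AH is zeroed, and everything after AH is fed to the MAC verbatim. The sample packet, its addresses, SPI, key and the option type 0x3E (chosen only because it carries the mutable bit) are all constructed; HMAC-SHA-1-96 is assumed as the ICV algorithm, and the example assumes no Routing header, so the base-header destination needs no special handling.

```python
"""Build the AH ICV input for an IPv6 packet following the RFC 2402 rules:
zero mutable fields before AH, zero the ICV inside AH, and treat everything
after AH as opaque.  Added example; all packet values are constructed."""
import hmac
import hashlib
import struct

AH_PROTO = 51
MUTABLE_OPTION_BIT = 0x20   # option-type bit meaning "data may change en route"
ICV_LEN = 12                # HMAC-SHA-1-96 truncation length used by AH


def zero_mutable_ipv6_header(hdr: bytes) -> bytes:
    """Copy of the 40-byte IPv6 base header with Traffic Class, Flow Label
    and Hop Limit zeroed; Version, Payload Length, Next Header and the
    addresses are immutable and kept (no Routing header assumed)."""
    assert len(hdr) == 40
    version = hdr[0] >> 4
    first_word = struct.pack("!I", version << 28)     # class and flow label -> 0
    return first_word + hdr[4:7] + b"\x00" + hdr[8:40]  # byte 7 is Hop Limit


def zero_mutable_options(ext: bytes) -> bytes:
    """Hop-by-Hop / Destination Options header: keep Next Header and Hdr Ext
    Len, walk the TLV options, zero the data of options whose type has the
    mutable bit set.  Pad1 (type 0) has no length byte."""
    out = bytearray(ext)
    i = 2
    while i < len(ext):
        otype = ext[i]
        if otype == 0:                      # Pad1
            i += 1
            continue
        olen = ext[i + 1]
        if otype & MUTABLE_OPTION_BIT:
            out[i + 2:i + 2 + olen] = b"\x00" * olen
        i += 2 + olen
    return bytes(out)


def ah_icv_input(ipv6_hdr, ext_before_ah, ah_hdr, after_ah):
    """Concatenate the bytes the AH ICV is computed over.  Headers before AH
    get mutable-field zeroing; AH has its ICV zeroed; the rest is opaque."""
    parts = [zero_mutable_ipv6_header(ipv6_hdr)]
    parts.extend(zero_mutable_options(e) for e in ext_before_ah)
    parts.append(ah_hdr[:12] + b"\x00" * ICV_LEN)   # fixed AH part + zeroed ICV
    parts.append(after_ah)                           # verbatim, no inspection
    return b"".join(parts)


def ah_icv(key, ipv6_hdr, ext_before_ah, ah_hdr, after_ah):
    data = ah_icv_input(ipv6_hdr, ext_before_ah, ah_hdr, after_ah)
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_sample():
    """Constructed packet: IPv6 | Hop-by-Hop | AH | Destination Options.
    Both option headers carry a (constructed) option of type 0x3E, whose
    mutable bit is set, so the only difference is their position."""
    src = bytes.fromhex("fd000000000000000000000000000001")
    dst = bytes.fromhex("fd000000000000000000000000000002")
    hbh = bytes([AH_PROTO, 0, 0x3E, 2, 0x11, 0x22, 1, 0])       # ends with PadN
    dst_opts = bytes([59, 0, 0x3E, 2, 0xAA, 0xBB, 1, 0])        # next hdr 59 = none
    ah = struct.pack("!BBHII", 60, 4, 0, 0x100, 1) + b"\x00" * ICV_LEN
    payload_len = len(hbh) + len(ah) + len(dst_opts)
    ipv6 = struct.pack("!IHBB", 0x60000000, payload_len, 0, 64) + src + dst
    return ipv6, [hbh], ah, dst_opts


def demo(key=b"constructed-key"):
    """Returns (unchanged_before_ah, changed_after_ah): in-transit edits to
    mutable fields before AH leave the ICV alone, while the same edit to an
    option after AH changes it, because that data is opaque to AH."""
    ipv6, exts, ah, after = build_sample()
    base = ah_icv(key, ipv6, exts, ah, after)
    ipv6_t = ipv6[:7] + bytes([ipv6[7] - 1]) + ipv6[8:]     # hop limit decremented
    hbh_t = exts[0][:4] + b"\xff\xff" + exts[0][6:]         # mutable option rewritten
    unchanged = ah_icv(key, ipv6_t, [hbh_t], ah, after) == base
    after_t = after[:4] + b"\xff\xff" + after[6:]           # same edit, after AH
    changed = ah_icv(key, ipv6, exts, ah, after_t) != base
    return unchanged, changed


if __name__ == "__main__":
    print(demo())
```

The interesting case is the Destination Options header after AH: its option has the mutable bit set, yet any change to it breaks verification, which is exactly the "opaque after AH" reading; a receiver that instead applied mutable-field processing to it would accept that change.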