nanog mailing list archives

Re: AH or ESP

From: Jack Kohn <kohn.jack () gmail com>
Date: Mon, 25 May 2009 18:54:13 +0530

Glen,

IPSECME WG <http://www.ietf.org/html.charters/ipsecme-charter.html> at IETF
is actually working on the exact issue that you have described (unable to
deep inspect ESP-NULL packets).

You can look at
draft-ietf-ipsecme-traffic-visibility-02<http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-02>for
more details.

Jack

On Sat, May 23, 2009 at 5:06 AM, Glen Kent <glen.kent () gmail com> wrote:

Yes, thats what i had meant !

On Fri, May 22, 2009 at 10:46 PM, Christopher Morrow
<morrowc.lists () gmail com> wrote:


On Fri, May 22, 2009 at 1:04 PM, Glen Kent <glen.kent () gmail com> wrote:

Hi,

It is well known in the community that AH is NAT unfriendly while ESP
cannot
be filtered, and most firewalls would not let such packets pass. I am
NOT


'the content of the esp packet can't be filtered in transit' I think
you mean... right?

interested in encrypting the data, but i do want origination
authentication
(Integrity Protection). Do folks in such cases use AH or ESP-NULL,

given

that both have some issues?

Thanks,
Glen

Current thread:

AH or ESP Glen Kent (May 22)
- Re: AH or ESP Christopher Morrow (May 22)
  - Re: AH or ESP Glen Kent (May 22)
- <Possible follow-ups>
- Re: AH or ESP Jack Kohn (May 25)
  - Re: AH or ESP Merike Kaeo (May 25)
    - Re: AH or ESP Jack Kohn (May 25)
    - Re: AH or ESP Glen Kent (May 25)
    - Re: AH or ESP Merike Kaeo (May 25)
    - Re: AH or ESP Jack Kohn (May 25)
    - Re: AH or ESP Merike Kaeo (May 25)
    - Re: AH or ESP Randy Bush (May 26)
    - RE: AH or ESP Tony Hain (May 26)
    - Re: AH or ESP Roland Dobbins (May 26)
    - Re: AH or ESP Nathan Ward (May 26)

(Thread continues...)