[114734] in North American Network Operators' Group
Re: AH or ESP
daemon@ATHENA.MIT.EDU (Jack Kohn)
Mon May 25 09:24:32 2009
Date: Mon, 25 May 2009 18:54:13 +0530
From: Jack Kohn <kohn.jack@gmail.com>
To: glen.kent@gmail.com, morrowc.lists@gmail.com, nanog@nanog.org
Glen,
IPSECME WG <http://www.ietf.org/html.charters/ipsecme-charter.html> at IETF
is actually working on the exact issue that you have described (unable to
deep inspect ESP-NULL packets).
You can look at draft-ietf-ipsecme-traffic-visibility-02
<http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-02> for
more details.
Jack
On Sat, May 23, 2009 at 5:06 AM, Glen Kent <glen.kent@gmail.com> wrote:
> Yes, that's what I had meant!
>
> On Fri, May 22, 2009 at 10:46 PM, Christopher Morrow
> <morrowc.lists@gmail.com> wrote:
>>
>> On Fri, May 22, 2009 at 1:04 PM, Glen Kent <glen.kent@gmail.com> wrote:
>> > Hi,
>> >
>> > It is well known in the community that AH is NAT unfriendly while ESP
>> > cannot be filtered, and most firewalls would not let such packets pass.
>> > I am NOT
>>
>> 'the content of the esp packet can't be filtered in transit' I think
>> you mean... right?
>>
>> > interested in encrypting the data, but I do want origination
>> > authentication (Integrity Protection). Do folks in such cases use AH or
>> > ESP-NULL, given that both have some issues?
>> >
>> > Thanks,
>> > Glen
>> >
>
>
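As an added illustration (not part of the thread, and not code from the IPSECME WG or the draft), the following constructed Python model shows the two issues the thread discusses side by side: the AH ICV covers the immutable IPv4 header fields including the source and destination addresses (RFC 4302 section 3.3.3.1), so a NAT that rewrites the source address invalidates it, while the ESP ICV starts at the SPI (RFC 4303), so the same NAT rewrite passes. The same layout is what makes ESP-NULL opaque to a stateless inspector: past the SPI and sequence number it sees only an undifferentiated blob, and the next-header byte sits in a trailer whose position depends on an ICV length the inspector does not know. The key, addresses, SPIs and payload bytes are constructed values; HMAC-SHA256-128 (RFC 4868) is assumed as the integrity algorithm and the IPv4 header checksum is left zero for brevity.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key-not-for-real-use"  # constructed value
ICV_LEN = 16  # HMAC-SHA256-128 truncated ICV (RFC 4868)
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip_hdr):
    """RFC 4302 3.3.3.1: DSCP/ECN, flags, fragment offset, TTL and checksum are
    mutable and zeroed before the AH ICV is computed. Addresses are NOT zeroed,
    which is exactly why AH cannot survive a NAT."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_build(src, dst, payload, spi=0x1001, seq=1):
    ah_len = 12 + ICV_LEN
    ip = ipv4_header(src, dst, PROTO_AH, 20 + ah_len + len(payload))
    # Next Header, Payload Len (in 32-bit words minus 2), Reserved, SPI, Seq
    ah_fixed = struct.pack("!BBHII", PROTO_UDP, ah_len // 4 - 2, 0, spi, seq)
    mac_input = zero_mutable(ip) + ah_fixed + b"\x00" * ICV_LEN + payload
    icv = hmac.new(KEY, mac_input, hashlib.sha256).digest()[:ICV_LEN]
    return ip + ah_fixed + icv + payload


def ah_verify(pkt):
    ip, rest = pkt[:20], pkt[20:]
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    mac_input = zero_mutable(ip) + ah_fixed + b"\x00" * ICV_LEN + payload
    expected = hmac.new(KEY, mac_input, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def esp_null_build(src, dst, payload, spi=0x2002, seq=1):
    """ESP with NULL encryption: payload is in the clear, but framed exactly
    like encrypted ESP (SPI, seq, payload, padding, pad len, next header, ICV)."""
    pad_len = (-(len(payload) + 2)) % 4          # align trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default pad pattern
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, PROTO_UDP])
    icv = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]  # IP header NOT covered
    return ipv4_header(src, dst, PROTO_ESP, 20 + len(body) + ICV_LEN) + body + icv


def esp_verify(pkt):
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def nat_rewrite_src(pkt, new_src):
    """Simulated source NAT: rewrites only the source address (a real NAT would
    also fix the header checksum, which AH zeroes anyway)."""
    h = bytearray(pkt[:20])
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h) + pkt[20:]


def middlebox_view(pkt):
    """What a stateless inspector can parse without the SA's parameters."""
    proto = pkt[9]
    if proto == PROTO_AH:
        # AH carries Next Header in the clear at a fixed offset; the inner
        # transport header follows the (self-describing) AH header.
        return {"proto": "AH", "next_header": pkt[20], "inner_visible": True}
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", pkt[20:28])
        # Without knowing the ICV length the trailer cannot be located, so
        # ESP-NULL and encrypted ESP look identical from here.
        return {"proto": "ESP", "spi": spi, "seq": seq, "inner_visible": False}
    return {"proto": proto, "inner_visible": False}


def demo():
    payload = b"\x04\xd2\x00\x35\x00\x0c\x00\x00constructed"  # constructed UDP-like bytes
    ah = ah_build("10.0.0.5", "192.0.2.1", payload)
    esp = esp_null_build("10.0.0.5", "192.0.2.1", payload)
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_src(ah, "203.0.113.7")),
        "esp_before_nat": esp_verify(esp),
        "esp_after_nat": esp_verify(nat_rewrite_src(esp, "203.0.113.7")),
        "ah_inspector": middlebox_view(ah),
        "esp_inspector": middlebox_view(esp),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows `ah_after_nat` failing while `esp_after_nat` still verifies, and the inspector output for ESP exposing nothing beyond the SPI and sequence number. That combination is the trade-off Glen asked about: AH gives the middlebox visibility but dies at the first NAT, and ESP-NULL traverses the NAT but gives the firewall no way to tell integrity-only traffic from encrypted traffic, which is the gap the traffic-visibility draft is meant to close by adding an explicit wrapper header that signals "this ESP payload is unencrypted" and where the inner header starts.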