[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A question on IPsec AH in IPv6

To: Bob Doud <bdoud@ire-ma.com>
Subject: Re: A question on IPsec AH in IPv6
From: Dan McDonald <danmcd@Eng.Sun.COM>
Date: Fri, 7 Jan 2000 15:43:23 -0800 (PST)
CC: ipsec@lists.tislabs.com
In-Reply-To: <LOBBJNKBDKOHFMLDLIAGGEOJCHAA.bdoud@ire-ma.com> from Bob Doud at"Jan 7, 2000 04:48:46 pm"
Sender: owner-ipsec@lists.tislabs.com

<SNIP!>
> I was trying to figure out what the ramifications are 
> with the destination options headers being before or after 
> the AH header.  Is anyone aware of any specific requirement
> for the destination options to be AFTER the AH header?

Typically you want the destination options to be after the AH header if only
the final endpoint of a datagram needs to see the options.

Destination options that fall before AH are intended (I believe) to also fall
before the routing header, such that explicitly named nodes in the routing
header also process the destination options.

This also means that the intermediate routing-header-specified nodes process
unauthenticated options, as routers process unauthenticated hop-by-hop
options.  Only the ultimate destination can process authenticatable options
after AH computation.

Dan

Follow-Ups:

RE: A question on IPsec AH in IPv6

From: "Bob Doud" <bdoud@ire-ma.com>

References:

A question on IPsec AH in IPv6

From: "Bob Doud" <bdoud@ire-ma.com>

Prev by Date: A question on IPsec AH in IPv6
Next by Date: RE: A question on IPsec AH in IPv6
Prev by thread: A question on IPsec AH in IPv6
Next by thread: RE: A question on IPsec AH in IPv6
Index(es):
- Main
- Thread