
List:       ipng
Subject:    (IPng 7234) Re: Last Call: Mobility Support in IPv6 to Propos
From:       Stephen Kent <kent () bbn ! com>
Date:       1999-02-23 17:48:35

Richard,

	<snip>
>
>I don't understand how it can be legitimate for an IPsec-enabled node that
>is receiving a packet with a routing header to bypass inbound IPsec
>processing.

There is no contradiction here if the node is not a party to an SA
associated with the IPsec headers in the packet in question.  A security
policy at an intermediate node could allow traffic to transit without IPsec
processing, if it "appeared" that such processing had been applied already.
I'm not suggesting that this is good or bad, just making an observation
about what it means to implement IPsec at an SG vs. what it implies for
processing of transit traffic.  I don't necessarily think we're in
disagreement here, but I didn't agree with your characterization of the
situation, in the cited paragraph.

Steve
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to majordomo@sunroof.eng.sun.com
--------------------------------------------------------------------
