[e2e] where to put endpoint authentication?

RJ Atkinson rja at extremenetworks.com
Mon May 10 13:25:15 PDT 2004


On May 10, 2004, at 13:21, Joe Touch wrote:
> W.r.t. IPsec, both AH and ESP are network-layer by criteria (1).

Not really.  AH and ESP actually live *between* IP and the transport-layer.
So it is equally technically solid to say they are network-layer
or transport-layer by your criteria (1).  The various "layer wars papers"
(e.g. from past Natl Comp Sec Conf (NCSC) proceedings) discuss this
in rather more detail, should anyone on the list want to learn more.

> Transport-mode AH is network-layer by criteria (2). The transport
> payload is also protected. The transport protocol and port may be
> constrained, but that is not required.
>
> Transport-mode ESP is transport layer by criteria (2).

I disagree with your analysis, even assuming your criteria for
the moment.

> ----
> Tunnel mode is an odd case (in many ways ;-), since it combines
> network-layer tunneling with network-layer (criteria 1) security. The
> primary difference with transport mode is that tunnel mode checks the
> inner IP addresses at the receiver and not any transport protocol or
> port information. However, that's equivalent to checking 'transport'
> (w.r.t. the outer packet header) criteria. At that point, whether tunnel
> mode protects network or 'transport' depends on whether ESP or AH are
> used.

That certainly would not be how I'd describe things,
but clearly your mileage is varying from mine.

Cheers,

Ran
rja at extremenetworks.com
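An added illustration (not part of the thread) of the header chain the disagreement turns on: in transport mode the AH header sits between the IPv4 header and TCP, while in tunnel mode AH is followed by a second IPv4 header whose addresses the receiver checks. Packet bytes, addresses and SPI are constructed for the example; the ICV is zeroed because no MAC is computed.

```python
import struct

# IANA protocol numbers: TCP, IPv4-in-IPv4, ESP, AH.
IPPROTO_TCP, IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_AH = 6, 4, 50, 51

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 (constructed data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst))

def ah_header(next_header, spi=0x1000, seq=1, icv=bytes(12)):
    """RFC 4302 AH: Next Header, Payload Len (32-bit words minus 2), reserved,
    SPI, sequence number, ICV. The ICV is zeroed here (no MAC computed)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

# Constructed 20-byte TCP SYN segment (port 12345 -> 443).
TCP_SEG = struct.pack("!HHIIBBHHH", 12345, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)

def transport_mode_ah(src=(10, 0, 0, 1), dst=(10, 0, 0, 2)):
    """IPv4 -> AH -> TCP: AH sits between the network and transport headers."""
    inner = ah_header(IPPROTO_TCP) + TCP_SEG
    return ipv4_header(IPPROTO_AH, src, dst, len(inner)) + inner

def tunnel_mode_ah(gw_src=(192, 0, 2, 1), gw_dst=(198, 51, 100, 1),
                   src=(10, 0, 0, 1), dst=(10, 0, 0, 2)):
    """IPv4(outer) -> AH -> IPv4(inner) -> TCP: AH precedes a second IP header."""
    inner = ipv4_header(IPPROTO_TCP, src, dst, len(TCP_SEG)) + TCP_SEG
    body = ah_header(IPPROTO_IPIP) + inner
    return ipv4_header(IPPROTO_AH, gw_src, gw_dst, len(body)) + body

def walk_headers(pkt):
    """Follow the Next Header chain from the outer IPv4 header, naming each header."""
    chain, proto, off = [], IPPROTO_IPIP, 0  # outermost bytes are an IPv4 header
    while off < len(pkt):
        if proto == IPPROTO_IPIP:
            ihl = (pkt[off] & 0x0F) * 4
            src = ".".join(map(str, pkt[off + 12:off + 16]))
            dst = ".".join(map(str, pkt[off + 16:off + 20]))
            chain.append("IPv4 %s->%s" % (src, dst))
            proto, off = pkt[off + 9], off + ihl
        elif proto == IPPROTO_AH:  # Payload Len field gives AH length in words - 2
            chain.append("AH")
            proto, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif proto == IPPROTO_TCP:
            return chain + ["TCP"]
        else:  # ESP would stop here: its Next Header sits in the encrypted trailer
            return chain + ["proto %d" % proto]
    return chain
```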


