Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard

From: Steve Bellovin ([email protected])
Date: Wed Apr 08 1998 - 15:33:53 EDT

Next message: Phil Karn: "Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard"
Previous message: Aaron Falk: "TCP Spoofing I-D"
Next in thread: Phil Karn: "Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard"
Reply: Phil Karn: "Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>The modification of TCP header by BS is impossible in case of
>secure/encripted communication. In this case ICMP may help,

         In the usual ELN setup, the routers only set the congestion
         experienced bit in the IP header, which IPSEC does not encrypt. The
         receiving TCPs copy these bits into the reply TCP headers they
         generate before they are encrypted by IPSEC on the way out. Because
         the ELN bits in the TCP headers are set and read only by the
         endpoints, IPSEC is *not* an obstacle of any sort.

But if tunnel mode ipsec is used, the bits in the IP header are not
copied into the inner IP header at tunnel termination time.

Next message: Phil Karn: "Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard"
Previous message: Aaron Falk: "TCP Spoofing I-D"
Next in thread: Phil Karn: "Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard"
Reply: Phil Karn: "Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Mon Feb 14 2000 - 16:14:42 EST