On Wed, Jul 14, 2004 at 01:42:34PM +0900, Kazunori Miyazawa wrote:
>
> > In fact if ESP were present then it guarantees the second dest
> > header to be immutable. So perhaps we should simply disallow
> > users from putting mutable options in the second destination
> > header. Or we can document it as undefined and let the user
> > handle the consequences (cf HDRINCL with raw sockets + IPsec).
>
> Well, we should disallow the operation.
Great. That should simplify things in AH.
> Yes, but I guess most implementations and administrators do not set
> double or more AH headers in a packet. This restriction doesn't
> affect interoperability except for KAME with special configuration.
> Honestly speaking, it is enough that the IPsec stack processes just
> one AH, ESP and IPcomp header each. Of course the stack should process
> some set of those headers and payloads in tunnel mode.
Well if we disallow mutable options in the second destination header,
then this becomes a non-issue.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
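One way to enforce the restriction discussed above, as an added example that is not from this thread nor from the Linux or KAME stacks: a Python check that walks the IPv6 extension-header chain and rejects a packet in which AH is followed by a Destination Options header carrying a mutable option (option-type "chg" bit 0x20). The packet builder and the option types 0x1E and 0x3E are constructed for illustration only.

```python
import struct

IPPROTO_TCP, IPPROTO_ROUTING, IPPROTO_AH, IPPROTO_DSTOPTS = 6, 43, 51, 60
OPT_MUTABLE = 0x20  # option-type bit: option data may change en route (RFC 2460 4.2)

def option_types(area):
    """Yield the option type of each TLV in a Destination Options option area."""
    i = 0
    while i < len(area):
        t = area[i]
        if t == 0:               # Pad1 has no length byte
            i += 1
            continue
        yield t
        i += 2 + area[i + 1]     # type, length, data

def check_packet(pkt):
    """Return (ok, reason); reject AH packets whose post-AH DstOpts has a mutable option."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False, "not IPv6"
    nh, off, after_ah = pkt[6], 40, False
    while nh in (IPPROTO_ROUTING, IPPROTO_AH, IPPROTO_DSTOPTS):
        if off + 2 > len(pkt):
            return False, "truncated extension header"
        # AH length is in 32-bit words minus 2; other ext headers in 8-octet units minus 1
        hlen = (pkt[off + 1] + 2) * 4 if nh == IPPROTO_AH else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            return False, "truncated extension header"
        if nh == IPPROTO_AH:
            after_ah = True
        elif nh == IPPROTO_DSTOPTS and after_ah:
            if any(t & OPT_MUTABLE for t in option_types(pkt[off + 2:off + hlen])):
                return False, "mutable option in destination header after AH"
        nh, off = pkt[off], off + hlen
    return True, "ok"

def build_packet(with_ah, opt_type):
    """Constructed sample: IPv6 [+ AH] + DstOpts (one 4-byte option) + dummy TCP bytes."""
    dstopts = bytes([IPPROTO_TCP, 0, opt_type, 4, 0, 0, 0, 0])           # 8 bytes
    ah = bytes([IPPROTO_DSTOPTS, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + b"\0" * 12  # 24 bytes
    payload = (ah if with_ah else b"") + dstopts + b"\0" * 20
    first_nh = IPPROTO_AH if with_ah else IPPROTO_DSTOPTS
    ip6 = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64) + b"\0" * 32
    return ip6 + payload
```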