>>>>> "RJ" == RJ Atkinson <rja.li...@gmail.com> writes:
    >> Routers can't validate the integrity protection regardless of
    >> whether AH or ESP-NULL in tunnel mode is used,

    RJ> Disagree. Intermediate authentication can be performed by
    RJ> routers/firewalls, at least when AH is used. The
    RJ> router/firewall could then act on the options in the packet
    RJ> having reasonable assurance that the option itself, and its
    RJ> contents, were valid for that packet.

Just to add to this: this intermediate authentication requires a different
key distribution protocol than most VPN vendors are used to. In certain
kinds of deployments, manually keyed AH and ESP is actually not that
unusual (to many intermediate nodes too), and it makes sense for the
small amount of traffic that is anticipated.

Ran, as you've been rather inactive in IPsec, I suspect that some people
might not know what pieces of code and specification you wrote, and who
paid you to write those pieces of code.

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
               then sign the petition.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
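Added illustration of the point RJ makes above (not part of this thread or of any IPsec implementation): a toy Python model of the AH integrity check with a constructed key, constructed addresses and a Router Alert option. It shows that a hop-by-hop TTL change still verifies at a keyed intermediate node, that an altered option does not, and that an ESP-NULL style ICV, which covers only the ESP payload, cannot see the change at all.

```python
"""Toy model of AH (RFC 4302) vs ESP-NULL integrity coverage.
AH's ICV covers the IP header (mutable fields zeroed), the AH header and the
payload, so a router holding the key can check the options. ESP's ICV covers
only the ESP payload. HMAC-SHA-256-128 (RFC 4868); all values are constructed."""
import hashlib
import hmac
import struct
KEY = bytes(range(32))               # constructed demo key, not a real SA key
AH_PROTO = 51
ROUTER_ALERT = b"\x94\x04\x00\x00"   # IPv4 Router Alert option (immutable)

def header(src, dst, proto, option, ttl=64, tos=0):
    return {"tos": tos, "ttl": ttl, "flags_frag": 0, "checksum": 0,
            "src": src, "dst": dst, "proto": proto, "option": option}

def pack_header(h, payload_len, for_icv):
    """Serialize the IPv4 header; when computing or checking the ICV the
    mutable fields (TOS, flags/fragment offset, TTL, checksum) are zeroed."""
    opt = h["option"] + bytes(-len(h["option"]) % 4)    # pad to 32-bit words
    ihl = 5 + len(opt) // 4
    tos, ff, ttl, csum = (0, 0, 0, 0) if for_icv else (
        h["tos"], h["flags_frag"], h["ttl"], h["checksum"])
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, ihl * 4 + payload_len,
                       0x1234, ff, ttl, h["proto"], csum, h["src"], h["dst"]) + opt

def ah_icv(h, next_hdr, spi, seq, payload):
    # AH fixed part: next header, payload len (28-byte AH = 7 words, minus 2),
    # reserved, SPI, sequence number; the 16-byte ICV field is zero while hashing.
    ah_fixed = struct.pack("!BBHII", next_hdr, 5, 0, spi, seq)
    covered = pack_header(h, 28 + len(payload), True) + ah_fixed + bytes(16) + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:16]

def esp_null_icv(h, payload):
    """ESP-NULL integrity deliberately ignores h: the outer IP header is not covered."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:16]

def router_check(h, next_hdr, spi, seq, icv, payload):
    """What an intermediate node holding the AH key can do with the packet."""
    return hmac.compare_digest(icv, ah_icv(h, next_hdr, spi, seq, payload))

def demo():
    src, dst, payload = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"constructed data"
    h = header(src, dst, AH_PROTO, ROUTER_ALERT)
    icv = ah_icv(h, 17, 0x100, 1, payload)           # next header 17 = UDP
    h["ttl"] -= 1                                     # one hop: mutable field changed
    hop_ok = router_check(h, 17, 0x100, 1, icv, payload)
    tampered = dict(h, option=b"\x94\x04\x00\x01")    # option value altered in flight
    ah_detects = not router_check(tampered, 17, 0x100, 1, icv, payload)
    esp_detects = esp_null_icv(tampered, payload) != esp_null_icv(h, payload)
    return hop_ok, ah_detects, esp_detects
```

`demo()` returns `(True, True, False)`: the TTL change verifies, the option change is caught by AH, and the ESP-style ICV is identical for both packets.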