Re: IPSec: AH/ESP combination problems

From: Tom Lendacky (
Date: Thu Feb 13 2003 - 16:28:22 EST

After some more reading of the RFC I realized that my logic is incorrect in
regards to what I called Problem #1 and #2 and that those are not problems.
I don't believe that it is valid to have a combination of [IP][AH][ESP][IP]
for tunnel mode and that the test I used to drive that needs to be changed.

   You can enforce the ordering exactly when the xfrm templates
   are built, this ensures that any fully resolved xfrm state
   created from them have the correct ordering as well.

As for the ordering of the modes (transport then tunnel) and the ordering
of the protocols within transport mode (IPCOMP then ESP then AH) I see
where that fix can be incorporated (in parse_ipsecrequests of af_key.c).
My question is should I do any ordering of the protocols within tunnel
mode. While the ordering within transport mode is specified in the RFCs
(2401 and 3173), tunnel mode has no such requirement that I can tell. Any
suggestions or should the order just be how the request is received by the
pfkey interface?

Also, the general direction I am looking at for the fix is to loop through
the requests multiple times processing IPCOMP transport first, then ESP
transport, then AH transport, and then the tunnel mode protocols.



This archive was generated by hypermail 2b29 : Sat Feb 15 2003 - 22:00:49 EST