At 13:52 07.10.2000, [EMAIL PROTECTED] wrote:
> >> >...would they want to block any authenticated IPv6 packet at the firewall?
> >> >...and what about ESP? Also blocking?
> >> just curious/need clarification,
> >> what is your "authenticated" here? end-to-end transport mode AH
> >> (a guy outside of company and a guy inside company),
> >I meant that (IPv6 in native productive usage...)
>
> in that case, i'm not sure what you meant...
> gateway cannot guess if the packet is really authenticated or not
> (only the end system - a guy inside company - can).
> for example, if i attach a bogus authentication header, do you let
> the packet go through? i would be able to chew bandwidth.
If an endsystem-to-endsystem connection is authenticated (which means that
an AH is added, which includes authentication of IPv6 source and
destination address), each gateway which modifies something in the packet
(ok, there are a few bits which are allowed, but *not the addresses*) breaks
the AH information.
-> IPv6-NAT is not usable if using AH (end-to-end).
Peter
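
The point made above, as an added example that is not part of the original mail: a simplified AH-style integrity check over the IPv6 base header, with the mutable fields (traffic class, flow label, hop limit) zeroed before the MAC is computed. It assumes HMAC-SHA1-96 as the algorithm and omits the AH header's own fields and any extension headers; the key, addresses and payload are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-sa-key"  # constructed; held only by the two end systems

def ipv6_header(src, dst, payload_len, next_header=51, hop_limit=64):
    """Build a 40-byte IPv6 base header (next header 51 = AH)."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def zero_mutable(header):
    """Zero the fields routers may change: class, flow label, hop limit."""
    return bytes([header[0] & 0xF0, 0, 0, 0]) + header[4:7] + b"\x00" + header[8:]

def icv(key, header, payload):
    """Integrity check value: truncated HMAC over immutable fields + payload."""
    data = zero_mutable(header) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def verify(key, header, payload, received_icv):
    return hmac.compare_digest(icv(key, header, payload), received_icv)

def router_hop(header):
    """Ordinary forwarding: only the hop limit is decremented."""
    return header[:7] + bytes([header[7] - 1]) + header[8:]

def rewrite_source(header, new_src):
    """Address translation at a gateway: the source address is replaced."""
    return header[:8] + ipaddress.IPv6Address(new_src).packed + header[24:]

def demo():
    payload = b"constructed upper-layer data"
    hdr = ipv6_header("2001:db8:1::10", "2001:db8:2::20", len(payload))
    tag = icv(KEY, hdr, payload)  # computed by the sending end system
    return {
        # hop limit is excluded from the MAC, so plain routing is fine
        "routed": verify(KEY, router_hop(router_hop(hdr)), payload, tag),
        # addresses are covered, so translation invalidates the ICV
        "translated": verify(KEY, rewrite_source(hdr, "2001:db8:ffff::1"), payload, tag),
        # a made-up ICV is only detected where the key is available
        "bogus_icv": verify(KEY, hdr, payload, b"\x00" * 12),
    }

if __name__ == "__main__":
    print(demo())
```

A gateway that does not hold the key cannot call `verify` at all, which is why only the receiving end system can tell a genuine header from a bogus one.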
---------------------------------------------------------------------
The IPv6 Users Mailing List