Hi Matt,
I've read 2401 (IPsec), 2402 (AH), and 2406 (ESP) before. I've also skimmed, but probably not understood, the ones on IKE and ISAKMP and OAKLEY too. I've just re-skimmed 2401/2/6 and still don't have the answer.
Re-reading the postings, they're about H.323 proxies, call signalling, and H.245 - some people are talking about H.323 rather than megaco/H.gcp, and that's part of the problem: different threads by different people.
My points are several, and relate to firewalls (as noted by the subject change).
In a mode 3 security association:
- neither endpoint is the same -- The inner and outer tunnels could each be either AH or ESP.
   Host 1 --- Security ---- Internet -- Security --- Host 2
     |        Gwy 1                     Gwy 2          |
     |           |                         |           |
     |          --Security Assoc 1 (tunnel)-           |
     |                                                 |
     ----------Security Association 2 (tunnel)----------
where Security Association 2 is ESP, how is SG1 or SG2 going to do packet filtering and port opening?
Or, if SG1/SG2 is a single entity, as in Case 4:
   ======================================================
   |                                                    |
   |==============================                      |
   ||                            |                      |
   ||                         ---|----------------------|---
   ||                         |  |                      |  |
   H1* ----- (Internet) ------| SG2* ---- (Local ----- H2* |
         ^                    |           Intranet)        |
         |                    ------------------------------
   could be dialup                admin. boundary (optional)
   to PPP/ARA server
or SG2, here, is "just" a firewall, instead of a Signalling Gateway.
Assuming that the SA between H1 and H2 involves payload encryption, such as ESP, and is call signalling or H.245, how does SG2 cope with finding the IP/port pairs, even in a text-based protocol?
My interest extends beyond megaco/H.gcp, and includes Annex G. How do we handle this in the more general case?
Douglas
At 16:05 1999-03-31 -0800, Matt Holdrege wrote:
You can read RFC 2401 & 2402 to find out about IPsec and AH. And this discussion is about MEGACO/H.GCP which is not the same as H.323.
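Added example, not code from either poster: a Python sketch of what a packet-filtering gateway in the scenario above can actually read from AH (RFC 2402) versus ESP (RFC 2406) traffic without the SA keys. The constructed packets, the zeroed ICV placeholder and the sample port numbers are assumptions made for the demonstration.

```python
import struct

ESP, AH, TCP, UDP = 50, 51, 6, 17  # IP protocol numbers

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options) in front of payload."""
    total = 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def tcp_hdr(sport: int, dport: int) -> bytes:
    """Constructed 20-byte TCP header with only the ports filled in."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)

def ah_transport(next_hdr: int, spi: int, inner: bytes) -> bytes:
    """AH in transport mode: next header, payload len, reserved, SPI, seq, ICV.
    With a 12-byte ICV the header is 6 words, so Payload Len = 6 - 2 = 4."""
    icv = b"\x00" * 12  # placeholder; a real ICV is an HMAC over the packet
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, 1) + icv + inner

def esp(spi: int, ciphertext: bytes) -> bytes:
    """ESP: only SPI and sequence number are in the clear; the rest is opaque."""
    return struct.pack("!II", spi, 1) + ciphertext

def firewall_view(pkt: bytes) -> dict:
    """What a filtering gateway can learn from one packet without the SA keys."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body, spi = pkt[9], pkt[ihl:], None
    if proto == AH:
        # Authenticated but not encrypted: skip the AH header and look inside.
        next_hdr, plen, _, spi, _seq = struct.unpack("!BBHII", body[:12])
        proto, body = next_hdr, body[(plen + 2) * 4:]
    elif proto == ESP:
        # Transport header is ciphertext: the gateway cannot recover the ports.
        spi, _seq = struct.unpack("!II", body[:8])
        return {"proto": ESP, "spi": spi, "ports": None}
    if proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", body[:4])
        return {"proto": proto, "spi": spi, "ports": (sport, dport)}
    return {"proto": proto, "spi": spi, "ports": None}

if __name__ == "__main__":
    sig = tcp_hdr(1720, 40000)  # constructed call-signalling segment
    print(firewall_view(ipv4(TCP, sig)))
    print(firewall_view(ipv4(AH, ah_transport(TCP, 0x100, sig))))
    print(firewall_view(ipv4(ESP, esp(0x200, b"\x00" * 32))))
```

Run against the three constructed packets, the plain and AH-wrapped segments yield the port pair a gateway could open a pinhole for, while the ESP packet yields only an SPI.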