
Re: (IPng) More Endpoint Attributes
On Mar 16, 16:21, Andy Bayerl wrote:

% Basically, you are saying that when the ESP or AH are present, the
% (C)IPSO options inherit the goodness of the authentication mechanisms,
% since they are part of the IP header stream covered by the ESP and/or
% the AH.
%
% Is that correct?

Andy,

I'm not entirely comfortable with your wording, but I think that is
the general thrust of what I've been trying to say.

To put it another way, the ESP and AH mechanisms are designed to
provide general-use cryptographic security to the IP-layer.  Hence
they could be used to provide cryptographic security to things in that
layer and above that layer.

I should note that one might use ESP to encrypt the TCP portion but
not encrypt the IP portion.  In that case, things below TCP would not
be protected.  {One can substitute other upper-layer protocols such as
but not limited to UDP and ICMP for TCP in the above example}.

In the other case, one might use ESP to encrypt an entire IP datagram.
In that case, the entire encrypted IP datagram would be protected.

AH can't protect IP-layer fields that must change during transit if
their value at the destination cannot be predicted a priori.  The
usual example of a field that can't be protected is the IPv4 TTL or
IPv6 Hop Limit (which are the same field really, but have different
names in the two versions of IP :-).  IPSO is not a field which should
normally change in transit from source to destination.

Am I being more clear now?

Ran
atkinson@itd.nrl.navy.mil
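The AH point above (TTL/Hop Limit is excluded from the integrity check because it changes in transit, while a security option such as IPSO is covered because it does not) can be made concrete with a small model. The following Python is an added example and is not code from the message or from any IPsec implementation: it builds a constructed IPv4 header, zeroes the mutable fields the way AH does before computing its ICV, and uses HMAC-SHA256 over the header alone as a stand-in for the real AH authenticator (real AH also covers the payload and uses the negotiated algorithm). The option bytes, addresses and key are all constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed sample key; any shared secret of suitable length would do.
SAMPLE_KEY = bytes(range(32))


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_checksum(header: bytes) -> bytes:
    """Recompute the header checksum field (bytes 10-11) over the header."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ip_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(ttl: int, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header carrying the given options (padded to 4 bytes).
    Addresses are from the documentation range and are constructed, not real."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + 20          # pretend a 20-byte TCP header follows
    fixed = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,               # version + IHL
        0,                            # TOS
        total_len,
        0x1234,                       # identification (constructed)
        0,                            # flags + fragment offset
        ttl,
        6,                            # protocol = TCP
        0,                            # checksum, filled in below
        bytes([192, 0, 2, 1]),        # source (constructed)
        bytes([192, 0, 2, 2]),        # destination (constructed)
    )
    return set_checksum(fixed + options)


def zero_mutable_fields(header: bytes) -> bytes:
    """Zero the IPv4 fields that legitimately change hop by hop and therefore
    cannot be authenticated end to end: TOS, flags/fragment offset, TTL and
    the header checksum. Options are left in place, so an IPSO option is
    covered by the ICV exactly as the message describes."""
    h = bytearray(header)
    h[1] = 0                          # TOS
    h[6:8] = b"\x00\x00"              # flags + fragment offset
    h[8] = 0                          # TTL
    h[10:12] = b"\x00\x00"            # header checksum
    return bytes(h)


def ah_icv(header: bytes, key: bytes = SAMPLE_KEY) -> str:
    """Simplified AH integrity check value over the header only."""
    return hmac.new(key, zero_mutable_fields(header), hashlib.sha256).hexdigest()


def demo() -> tuple:
    """Returns (icv_survives_ttl_decrement, icv_detects_option_change)."""
    ipso_like = b"\x82\x04\x00\x00"   # constructed blob standing in for an IPSO option
    at_source = build_ipv4_header(ttl=64, options=ipso_like)
    at_dest = build_ipv4_header(ttl=61, options=ipso_like)   # three routers decremented TTL
    tampered = build_ipv4_header(ttl=61, options=b"\x82\x04\x00\x01")
    return (
        ah_icv(at_source) == ah_icv(at_dest),      # TTL change does not break the ICV
        ah_icv(at_source) != ah_icv(tampered),     # option change is detected
    )


if __name__ == "__main__":
    print(demo())
```

The receiver performs the same zeroing before verifying, which is why the ICV computed at the source still matches after the TTL (and hence the checksum) has changed, while any alteration of the option bytes is caught. Note that this only holds for the AH case; with ESP in transport mode the IP header and its options are outside the protected portion entirely, as the message says.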