
ESP and AH combinations



>IMHO, the combination of IP-AH-AH-ULP isn't sensible.  It adds no value
>to the IP-AH-ULP combination.

Hrmm, so are you saying that there are no useful situations where
you'd want two private keys to sign the same data; or that in these
situations, people should use IP-AH-IP-AH?

>  If AH didn't protect bits of the IP header, then AH would be useless
>because it wouldn't provide efficient packet-origin authentication

Today's AH doesn't provide authentication of the IP src address either!

I think that this reflects a subtle misconception in the way people
are viewing the guarantees AH provides.  If you receive an IP packet P
protected by AH with integrity key K, then you can conclude "K says P",
but not necessarily that "P.ip_src says P".  Don't be fooled into thinking
that AH's crypto magically provides a more secure form of source-based
authentication.  IP-source-addr-based authentication is a confusing &
outmoded perspective, IMHO; AH really provides key-based authentication.
I think the difference is important.

(You can easily see the difference when several IP hosts use the same
signing key K; then any one of those could impersonate any of the others,
so upon receiving a packet signed by K, you can only conclude that it
came from key K, i.e. from one of those IP hosts.)

If you trust everyone who has the signing key to refrain from tampering
with other parties who have the same signing key, and you're willing to
trust the IP source address & use source-based authentication for packets
signed with that key, and you're worried about active attacks from
outside parties, then and only then does protecting the source address
in the IP header help you.  One might say that including the IP header
in the MAC input can provide only additional message integrity protection
for the IP src addr but no additional packet-origin authentication.

>there is ample evidence that AH as currently specified can be built and
>interoperate.

You're right, this is an old argument.  I'll drop it.  I just responded
because I wanted to point out the difference between "K says P" and
"P.ip_src says P".