Re: AH (without ESP) on a secure gateway
> My question is whether AH on a secure gateway even makes sense at all
> if ESP is not being performed.
>
> Consider hostA sending a packet to hostB. If gatewayA places an AH on
> the packet, it would appear as if it was authenticated by hostA, not a
> good idea in my mind.
If a router places an AH on the packet, it must do so using an
outbound SPI to some other host/router.
The corresponding inbound SPI on that host should specify that the
sender is a gateway, not a host.
The "policy engines" on each end need to be sophisticated enough to
deal with things like this. In particular, if IP-address-based access
controls are in use, then the policy engine should probably do
consistency checks between the SPI and the source address.
- Bill
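The SPI/source-address consistency check described above, as an added example that is not part of this thread: an inbound SA record notes whether the peer holding the key is a host or a gateway, and the policy engine accepts a source address only if that SPI may vouch for it. The SAD entries, addresses and the `peer_is_gateway` flag are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class InboundSA:
    """Simplified, constructed inbound SAD entry keyed by SPI."""
    spi: int
    peer: str              # address of the node that actually holds the AH key
    peer_is_gateway: bool  # True if the peer applies AH on behalf of others
    protects: list = field(default_factory=list)  # prefixes the peer may speak for

    def __post_init__(self):
        # A host-to-host SA only ever vouches for the peer host itself.
        if not self.peer_is_gateway:
            self.protects = [f"{self.peer}/32"]


# Constructed sample SAD: one host-to-host SA, one gateway-to-host SA.
SAD = {
    0x1001: InboundSA(0x1001, "192.0.2.10", False),
    0x2002: InboundSA(0x2002, "198.51.100.1", True, ["10.1.0.0/16"]),
}


def check_spi_source_consistency(sad, spi, src_ip):
    """Policy-engine check run after the AH ICV has verified under the key
    bound to `spi`: may this SPI vouch for the claimed source address?
    Returns (accepted, reason)."""
    sa = sad.get(spi)
    if sa is None:
        return False, "unknown SPI"
    addr = ipaddress.ip_address(src_ip)
    for prefix in sa.protects:
        if addr in ipaddress.ip_network(prefix):
            who = "gateway" if sa.peer_is_gateway else "host"
            return True, f"SPI {spi:#x} held by {who} {sa.peer} may vouch for {src_ip}"
    return False, f"SPI {spi:#x} held by {sa.peer} may not vouch for {src_ip}"


if __name__ == "__main__":
    # hostA behind gatewayA, AH applied by gatewayA: accepted, attributed to the gateway.
    print(check_spi_source_consistency(SAD, 0x2002, "10.1.5.7"))
    # Same gateway SPI, but the source lies outside gatewayA's prefix: rejected.
    print(check_spi_source_consistency(SAD, 0x2002, "192.0.2.10"))
    # Host SA used with a source address that is not the peer host: rejected.
    print(check_spi_source_consistency(SAD, 0x1001, "10.1.5.7"))
```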