
Re: AH (without ESP) on a secure gateway



>      My question is whether AH on a secure gateway even makes sense at all 
>      if ESP is not being performed.
>      
>      Consider hostA sending a packet to hostB.  If gatewayA places an AH on 
>      the packet, it would appear as if it was authenticated by hostA, not a 
>      good idea in my mind.

If a router places an AH on the packet, it must do so using an
outbound SPI to some other host/router.

The corresponding inbound SPI on that host should specify that the
sender is a gateway, not a host.

The "policy engines" on each end need to be sophisticated enough to
deal with things like this.  In particular, if IP-address-based access
controls are in use, then the policy engine should probably do
consistency checks between the SPI and the source address.


						- Bill
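The consistency check Bill describes, as an added illustration that is not part of the original message: a toy inbound SA database keyed by SPI, where each SA records whether the peer that applied the AH is a host or a gateway, and a policy check that only treats the packet's source address as authenticated when the SA says the sender is that host. All addresses, SPIs and the `InboundSA`/`check_inbound`/`authorize` names are constructed for the example.

```python
"""Toy inbound policy check: does the AH-authenticated SPI agree with the
packet's source address?  Constructed example; the SA database, addresses
and SPI values are made up."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class InboundSA:
    spi: int
    peer: str                  # address of the entity that applied the AH
    peer_kind: str             # "host" or "gateway"
    protected: List[str] = field(default_factory=list)  # prefixes a gateway speaks for


# Constructed SADB: 0x1001 is a host-to-host SA with hostA (192.0.2.10);
# 0x2002 is an SA from gatewayA (198.51.100.1), which protects 192.0.2.0/24.
SADB = {
    0x1001: InboundSA(0x1001, "192.0.2.10", "host"),
    0x2002: InboundSA(0x2002, "198.51.100.1", "gateway", ["192.0.2.0/24"]),
}


@dataclass
class Verdict:
    accept: bool
    authenticated_by: Optional[str]   # the principal the AH actually vouches for
    reason: str


def check_inbound(spi: int, ip_src: str, ah_verified: bool = True) -> Verdict:
    """Decide whether an AH-protected packet is acceptable and, if so, who
    the AH authenticates: the source host itself, or only a gateway."""
    sa = SADB.get(spi)
    if sa is None:
        return Verdict(False, None, "unknown SPI")
    if not ah_verified:
        return Verdict(False, None, "AH ICV failed")
    src = ip_address(ip_src)

    if sa.peer_kind == "host":
        # Host SA: the AH vouches for the host, so the IP source must be that host.
        if src != ip_address(sa.peer):
            return Verdict(False, None,
                           f"source {ip_src} does not match host SA peer {sa.peer}")
        return Verdict(True, sa.peer, "host-authenticated")

    # Gateway SA: the AH vouches for the gateway, not the originating host.
    # Accept only sources the gateway is configured to protect, and record the
    # gateway (not the source host) as the authenticated principal.
    if not any(src in ip_network(p) for p in sa.protected):
        return Verdict(False, None, f"source {ip_src} is not behind gateway {sa.peer}")
    return Verdict(True, sa.peer, "gateway-authenticated; source host itself not authenticated")


def authorize(spi: int, ip_src: str, acl: Set[str]) -> bool:
    """Apply an address-based ACL to the principal the AH actually authenticates,
    rather than to the raw source address."""
    verdict = check_inbound(spi, ip_src)
    return verdict.accept and verdict.authenticated_by in acl


if __name__ == "__main__":
    for spi, src in [(0x1001, "192.0.2.10"), (0x1001, "192.0.2.11"),
                     (0x2002, "192.0.2.10"), (0x2002, "203.0.113.5")]:
        print(hex(spi), src, check_inbound(spi, src))
```

The last case in `authorize` is the point of the thread: an ACL entry that trusts hostA is not satisfied by a packet from hostA's address that arrives under gatewayA's SPI, because the AH only proves that gatewayA handled it.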


