Re: AH (without ESP) on a secure gateway
- To: ben@ascend.com
- Subject: Re: AH (without ESP) on a secure gateway
- From: Ran Atkinson <rja@cisco.com>
- Date: Wed, 4 Dec 1996 10:45:09 -0800
- Cc: ipsec@tis.com
- In-Reply-To: <199611262230.RAA27739@carp.morningstar.com>
- Organization: cisco Systems
- References: <199611261929.OAA01715@thunk.orchard.medford.ma.us>
- Sender: owner-ipsec@ex.tis.com
Earlier, someone (possibly Bill Sommerfeld) wrote:
>> The "policy engines" on each end need to be sophisticated enough to
>> deal with things like this. In particular, if ip-address based access
>> controls are in use, then the policy engine should probably do
>> consistency checks between the SPI and the source address.
Absolutely true. Such checks are important to prevent certain kinds of
attacks and have ALWAYS been present in the NRL implementation.
In article <199611262230.RAA27739@carp.morningstar.com> Ben wrote:
>I believe the RFC states that the Security Association(SA) is
>chosen using only the destination address and the SPI.
Incorrect. It says that the receiver is capable of locating the SA for the
received packet by using SPI and Destination Address.
Ran
rja@cisco.com
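The two points made above, that the receiver locates the SA by destination address and SPI alone, and that a policy engine using address-based access control should additionally check that the source address is consistent with the SA, can be shown in a small inbound-processing sketch. This is an added illustration, not code from the NRL implementation or from any RFC; the addresses, SPI values, SA table and the `process_inbound` / `make_packet` helper names are all constructed for the example.

```python
"""Toy inbound AH processing: SA lookup keyed by (destination, SPI), then the
policy-engine consistency check between the SA and the packet's source address.

Added illustration only; not the NRL implementation or RFC text.  All addresses,
SPIs and table entries below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    dst: object          # local address the SA was established for
    peer: object         # remote address the SA was established with
    algorithm: str       # label only; no integrity check is performed in this toy


@dataclass(frozen=True)
class InboundAHPacket:
    src: object
    dst: object
    spi: int


class SecurityAssociationDatabase:
    """SAs indexed by (destination address, SPI), which is all the receiver
    needs to locate the SA for an incoming packet."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[object, int], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._table[(sa.dst, sa.spi)] = sa

    def lookup(self, dst, spi: int) -> Optional[SecurityAssociation]:
        return self._table.get((dst, spi))


def make_packet(src: str, dst: str, spi: int) -> InboundAHPacket:
    """Build a constructed inbound packet descriptor from dotted-quad strings."""
    return InboundAHPacket(src=ip_address(src), dst=ip_address(dst), spi=spi)


def process_inbound(sad: SecurityAssociationDatabase, pkt: InboundAHPacket) -> str:
    """Return "accept" or a "drop: <reason>" string.

    Step 1 locates the SA using only (dst, SPI).  Step 2 is the policy-engine
    consistency check: when address-based access control is in use, the
    packet's source address must be the peer the SA belongs to, so that a
    packet carrying a valid SPI cannot be attributed to the wrong host.
    """
    sa = sad.lookup(pkt.dst, pkt.spi)
    if sa is None:
        return "drop: no SA for (dst, spi)"
    if pkt.src != sa.peer:
        return f"drop: source {pkt.src} does not match SA peer {sa.peer}"
    # The AH integrity check (ICV verification) would run here; omitted in this toy.
    return "accept"


def build_sample_sad() -> SecurityAssociationDatabase:
    """Constructed SA table: one AH SA from peer 192.0.2.10 to gateway 198.51.100.1."""
    sad = SecurityAssociationDatabase()
    sad.add(SecurityAssociation(spi=0x1000,
                                dst=ip_address("198.51.100.1"),
                                peer=ip_address("192.0.2.10"),
                                algorithm="hmac-md5-96"))
    return sad


if __name__ == "__main__":
    sad = build_sample_sad()
    # Packet from the expected peer: SA found, source consistent -> accept.
    print(process_inbound(sad, make_packet("192.0.2.10", "198.51.100.1", 0x1000)))
    # Same (dst, SPI) but a different source address: SA found, policy check fails.
    print(process_inbound(sad, make_packet("203.0.113.7", "198.51.100.1", 0x1000)))
    # Unknown SPI for this destination: no SA at all.
    print(process_inbound(sad, make_packet("192.0.2.10", "198.51.100.1", 0x2000)))
```

The lookup deliberately ignores the source address, matching the description of how the receiver finds the SA; the source address only enters at the policy stage, which is where an implementation that keys access control on IP addresses has to enforce the SA-to-address binding.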