
Re: AH (without ESP) on a secure gateway
Earlier, someone (possibly Bill Sommerfeld) wrote:
>> The "policy engines" on each end need to be sophisticated enough to
>> deal with things like this.  In particular, if ip-address based access
>> controls are in use, then the policy engine should probably do
>> consistency checks between the SPI and the source address..

Absolutely true.  Such checks are important to prevent certain kinds of
attacks and have ALWAYS been present in the NRL implementation.

In article <199611262230.RAA27739@carp.morningstar.com> Ben wrote:
>I believe the RFC states that the Security Association(SA) is
>chosen using only the destination address and the SPI.  

Incorrect.  It says that the receiver is capable of locating the SA for the
received packet by using SPI and Destination Address.

Ran
rja@cisco.com
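The two points above, locating an inbound SA by (Destination Address, SPI) and then checking that the packet's source address is consistent with that SA, sketched in working code. This is an added example, not code from the post, the RFC or the NRL implementation. The SADB layout, the `peer` field on the SA, the address-set policy, the sample addresses and the spoofing scenario used to motivate the check are all assumptions made for illustration; AH/ESP integrity verification is assumed to have already succeeded before the policy engine runs.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Dict, Optional, Set, Tuple

# Constructed model of the receiver side only. SA lookup uses (Destination
# Address, SPI), as the thread describes; the policy engine then checks that
# the source address is consistent with the peer the SA was set up with.
# AH/ESP integrity verification is out of scope here and is assumed to have
# succeeded before check_inbound() runs.


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    dst: IPv4Address    # our address, the one the SA was established to
    peer: IPv4Address   # remote end the SA was negotiated with (assumed field)
    proto: str          # "AH" or "ESP"


@dataclass(frozen=True)
class InboundPacket:
    src: IPv4Address    # outer IP source address, attacker-controlled
    dst: IPv4Address
    proto: str          # "AH" or "ESP" as found in the packet
    spi: int            # SPI from the AH/ESP header


class SADB:
    """Inbound SA database keyed strictly on (Destination Address, SPI)."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[IPv4Address, int], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._table[(sa.dst, sa.spi)] = sa

    def lookup(self, dst: IPv4Address, spi: int) -> Optional[SecurityAssociation]:
        # Only dst and SPI participate in the lookup; the source address is
        # deliberately not part of the key.
        return self._table.get((dst, spi))


def check_inbound(sadb: SADB, allowed_sources: Set[IPv4Address],
                  pkt: InboundPacket) -> Tuple[bool, str]:
    """Policy decision for one inbound AH/ESP packet: (accept, reason)."""
    sa = sadb.lookup(pkt.dst, pkt.spi)
    if sa is None:
        return False, "no SA for (dst, SPI)"
    if sa.proto != pkt.proto:
        return False, "SA protocol does not match packet protocol"
    # The consistency check from the thread: with address-based access
    # control, a peer that holds a valid SA could otherwise send under its
    # own SPI with a spoofed source address and inherit that address's
    # privileges. Binding the packet's source to the SA's peer closes that.
    if pkt.src != sa.peer:
        return False, "source address inconsistent with SA peer"
    if pkt.src not in allowed_sources:
        return False, "source address not permitted by policy"
    return True, "accepted"


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed sample traffic using documentation-range addresses."""
    gw = ip_address("192.0.2.1")          # the secure gateway
    peer_a = ip_address("198.51.100.7")   # trusted peer, allowed by policy
    peer_b = ip_address("203.0.113.9")    # has an SA, but no access rights

    sadb = SADB()
    sadb.add(SecurityAssociation(spi=0x1001, dst=gw, peer=peer_a, proto="AH"))
    sadb.add(SecurityAssociation(spi=0x1002, dst=gw, peer=peer_b, proto="AH"))
    policy = {peer_a}

    pkts = {
        "legit_a": InboundPacket(peer_a, gw, "AH", 0x1001),
        "b_honest": InboundPacket(peer_b, gw, "AH", 0x1002),
        # B sends under its own SPI but forges A's source address
        "b_spoofs_a": InboundPacket(peer_a, gw, "AH", 0x1002),
        "unknown_spi": InboundPacket(peer_a, gw, "AH", 0x7777),
        "proto_mismatch": InboundPacket(peer_a, gw, "ESP", 0x1001),
    }
    return {name: check_inbound(sadb, policy, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:15s} {'ACCEPT' if ok else 'DROP  '} {why}")
```

The `b_spoofs_a` case is the one the consistency check exists for: the lookup by (dst, SPI) finds B's perfectly valid SA, so authentication would pass, and only comparing the packet's source against the SA's peer stops B from borrowing A's address-based privileges.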