Questions on the Security Arch. draft
Hi. I had a question on section 1.4 of the Security Architecture
draft (draft-ietf-ipsec-arch-sec-01.txt). Specifically, the draft
says:
"A security gateway which receives a datagram containing a
recognised sensitivity label, for example IPSO [Ken91], from a trusted
host MUST take that label's value into consideration when
creating/selecting a Security Association for use with AH between the
gateway and the external destination. In such an environment, a
gateway which receives an IP packet containing the IP Encapsulating
Security Payload (ESP) should add appropriate authentication,
including implicit (i.e. contained in the Security Association used)
or explicit label information (e.g. IPSO), for the decrypted packet
that it forwards to the trusted host that is the ultimate
destination."
I don't get the last part about the gateway adding authentication
information for the decrypted packet. Does this mean that the gateway
uses the SA that it used to decrypt the packet, to generate the
authentication info? That really doesn't make sense to me since AH
and ESP have separate SAs and also since any given security
association is for use with one peer only. Or, is it that the gateway
has a security association with the trusted host and tunnels all the
packets for that host using this SA?
Thanks,
Sumit A. Vakil
Software Engineer
US Robotics, Access Corp.
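One way to model the rule the quoted paragraph states, as an added example that is not from the draft, the poster, or any IPsec implementation. It treats the sensitivity label as an SA selector in a toy SA database, keeps AH and ESP SAs strictly separate and bound to a single peer, and shows the inbound path taking the implicit label from the ESP SA used for decryption and then choosing a different, host-facing AH SA for the forwarded packet. The SPIs, addresses, labels and the "ENC:" stand-in for decryption are all constructed.

```python
"""Toy model of label-aware SA selection at an IPsec security gateway.

Constructed example: the SA database, SPIs, hosts and sensitivity
labels below are invented for illustration and are not taken from the
draft or from any implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SA:
    spi: int
    protocol: str   # "AH" or "ESP": AH and ESP never share an SA
    peer: str       # the single peer this SA is negotiated with
    label: str      # implicit sensitivity label bound to the SA
    direction: str  # "out" or "in"


@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    label: Optional[str] = None    # explicit label (e.g. an IPSO option)
    esp_spi: Optional[int] = None  # set when an ESP header is present
    ah_spi: Optional[int] = None   # set when an AH header is present


class SADatabase:
    def __init__(self, entries):
        self.entries = list(entries)

    def select_outbound(self, protocol, peer, label):
        """Outbound SA choice is keyed on protocol, peer AND label, so
        SECRET and UNCLASSIFIED traffic to the same peer land on
        different SAs."""
        for sa in self.entries:
            if (sa.direction == "out" and sa.protocol == protocol
                    and sa.peer == peer and sa.label == label):
                return sa
        return None

    def lookup_inbound(self, protocol, spi):
        """Inbound SAs are found by (protocol, SPI); the ESP SA carries
        the implicit label for the traffic it protects."""
        for sa in self.entries:
            if sa.direction == "in" and sa.protocol == protocol and sa.spi == spi:
                return sa
        return None


def build_sadb():
    """Constructed SA database for a gateway fronting trusted host
    10.0.0.5 and talking to external peer 198.51.100.7."""
    return SADatabase([
        SA(0x101, "AH", "198.51.100.7", "SECRET", "out"),
        SA(0x102, "AH", "198.51.100.7", "UNCLASSIFIED", "out"),
        SA(0x201, "ESP", "198.51.100.7", "SECRET", "in"),
        SA(0x202, "ESP", "198.51.100.7", "UNCLASSIFIED", "in"),
        SA(0x301, "AH", "10.0.0.5", "SECRET", "out"),
        SA(0x302, "AH", "10.0.0.5", "UNCLASSIFIED", "out"),
    ])


def outbound(sadb, pkt, external_peer):
    """Trusted host -> gateway -> external peer. The gateway MUST use the
    packet's recognised label when choosing the AH SA to the peer."""
    if pkt.label is None:
        raise ValueError("packet from trusted host carries no recognised label")
    sa = sadb.select_outbound("AH", external_peer, pkt.label)
    if sa is None:
        raise LookupError(f"no AH SA to {external_peer} for label {pkt.label}")
    return Packet(pkt.src, pkt.dst, pkt.payload, label=pkt.label, ah_spi=sa.spi)


def inbound(sadb, pkt, trusted_host):
    """External peer -> gateway -> trusted host. The ESP SA used for
    decryption supplies the implicit label; the gateway then picks a
    separate AH SA, the one it shares with the trusted host, for that
    label. Decryption itself is stubbed as stripping an 'ENC:' marker."""
    esp_sa = sadb.lookup_inbound("ESP", pkt.esp_spi)
    if esp_sa is None:
        raise LookupError(f"no inbound ESP SA for SPI {pkt.esp_spi!r}")
    if not pkt.payload.startswith("ENC:"):
        raise ValueError("payload is not ESP-protected")
    clear = pkt.payload[len("ENC:"):]
    ah_sa = sadb.select_outbound("AH", trusted_host, esp_sa.label)
    if ah_sa is None:
        raise LookupError(f"no AH SA to {trusted_host} for label {esp_sa.label}")
    # Explicit (IPSO-style) label re-added from the ESP SA's implicit one;
    # the forwarded packet is authenticated with the host-facing AH SA.
    return Packet(pkt.src, pkt.dst, clear, label=esp_sa.label, ah_spi=ah_sa.spi)
```

The point the model makes visible is that no SA is ever reused across protocols or peers: the ESP SA with the external peer only contributes its label, and the authentication added for the trusted host comes from an AH SA the gateway holds with that host.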