[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: users and connections
The term "connection-oriented integrity" is not really appropriate
in the IPSEC environment, even when the anti-replay option is enabled. The
fact that we may provide keying at a per-connection or per-user granularity
does not, in itself, represent connection-oriented integrity. What we
provide is data origin authentication and connectionless integrity, and
anti-replay provides what might be termed "partial" sequence integrity.
However, we don't treat out of order arrival to be an error, unless it
represents a (real or potential) replay, so what we provide in IPSEC is not
connection-oriented integrity (as per ISO 7498-2). However, if we have TCP
operating above IPSEC, and we are employing integrity (with or without
anti-replay) then we are supporting connection-oriented integrity provided
by TCP, even though IPSEC is not providing this service per se.