Re: Question



  AH doesn't encrypt so you don't have to worry about that. But more
to your question....

  If you've found the SA and finished IPSec processing on the packet (e.g.
authenticate and decrypt) then the packet is authenticated and decrypted.
You're free to inspect inner headers since they're now in the clear. If the 
inner packet itself is encrypted with ESP then check whether the SA under 
which you processed the packet was created with the protocol selector = ESP, 
or whether it was wildcarded. If either then pass; if not, drop.

  ISAKMP allows for protocol and port as well as address (and wildcards on
any or all) to constrain IPSec SAs upon creation. It is incumbent upon
implementations to check that the processed packet matches the characteristics
of the SA with which it was processed. If someone sends you an ftp packet
to host X protected by an SA that was created for telnet to host Y then drop
the packet.

  Dan.

>     I have a question regarding selecting and using an SA or SA Bundle
> during the processing of Inbound IPSEC traffic.
> 
> In draft-ietf-ipsec-arch-sec-02.txt by Randall Atkinson, November 1997
> on page 30, it says that
> 
>   " 2. Use the SA found to do the IPsec processing, e.g., authenticate and
> decrypt. This step includes matching the packet's ( Inner Header if
> tunneled ) selectors to the selectors in the SA. "
>   
>   My Question is
> 
>      If the received packet has been encrypted with AH as well as ESP
> protocols, then the data following the ESP header will be encrypted, so how
> can we get the Inner IP header's selectors for comparing them with
> the SA's selectors?
> 
> 
>                                           Thanks in Advance
> 							Rohit
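The inbound selector check Dan describes above, written out as an added example (not code from the thread or from any IPsec implementation): after the SA has authenticated and decrypted the packet, the now-cleartext inner header's selectors are compared with the SA's selectors, where a wildcard (`None`) matches anything, and an inner packet that is itself ESP passes only if the SA's protocol selector is ESP or wildcarded. The `Selectors` structure, the host addresses and the sample packets are constructed for the example.

```python
# Added example, not from the mailing-list thread: inbound selector check.
# An SA carries address, protocol and port selectors (ISAKMP allows any of
# them to be wildcarded, modelled here as None). After AH/ESP processing the
# inner header is in the clear and must match those selectors, else DROP.
from dataclasses import astuple, dataclass
from typing import Optional

PROTO_TCP, PROTO_ESP = 6, 50      # IP protocol numbers
PORT_FTP, PORT_TELNET = 21, 23


@dataclass(frozen=True)
class Selectors:
    src: Optional[str]    # None = wildcard for any field
    dst: Optional[str]
    proto: Optional[int]
    dport: Optional[int]


def field_matches(selector, value) -> bool:
    """A wildcarded selector matches anything; otherwise values must be equal."""
    return selector is None or selector == value


def selectors_match(sa: Selectors, pkt: Selectors) -> bool:
    """True if every SA selector is wildcarded or equals the packet's value."""
    return all(field_matches(s, p) for s, p in zip(astuple(sa), astuple(pkt)))


def inbound_policy_check(sa: Selectors, inner: Selectors) -> str:
    """PASS or DROP an inner packet processed under `sa`.

    If the inner packet is itself ESP, only its IP header is visible: the
    port is still opaque, so pass only when the SA's protocol selector is
    ESP or wildcarded (and the visible addresses match), otherwise drop.
    """
    if inner.proto == PROTO_ESP:
        ok = (field_matches(sa.proto, PROTO_ESP)
              and field_matches(sa.src, inner.src)
              and field_matches(sa.dst, inner.dst))
        return "PASS" if ok else "DROP"
    return "PASS" if selectors_match(sa, inner) else "DROP"


# Constructed sample SAs: one negotiated for telnet to host Y (10.0.0.2),
# one constrained only by destination (protocol and port wildcarded).
SA_TELNET_Y = Selectors(None, "10.0.0.2", PROTO_TCP, PORT_TELNET)
SA_ANY_Y = Selectors(None, "10.0.0.2", None, None)

if __name__ == "__main__":
    ftp_to_x = Selectors("10.0.0.9", "10.0.0.3", PROTO_TCP, PORT_FTP)
    nested_esp_to_y = Selectors("10.0.0.9", "10.0.0.2", PROTO_ESP, None)
    print("ftp to X under telnet-Y SA:", inbound_policy_check(SA_TELNET_Y, ftp_to_x))
    print("inner ESP under telnet-Y SA:", inbound_policy_check(SA_TELNET_Y, nested_esp_to_y))
    print("inner ESP under wildcard SA:", inbound_policy_check(SA_ANY_Y, nested_esp_to_y))
```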
