RE: Deprecation of AH header from the IPSEC tool kit



> Ran said:
> 
> >> A counter-example is the Source Routing header, which can
> >> be authenticated hop-by-hop with AH ...
> 
> How do you authenticate something hop-by-hop when the key is only
> known end-to-end? Are you maybe assuming hop-by-hop IPSec tunnels between the
> routers listed in the source route header?
> 
> Radia
>

Intermediate hops can't use the end-to-end AH to verify the datagram.

Of course the end point can check that the source route hasn't been modified
in transit.  I'm not sure what attacks this prevents beyond denial of
service though?

Chris