
Re: Does ESP do Data Origin Authentication ...



Dinesh,


> Hi,
>
> I am a newbie to the whole concept of IPsec, so please excuse me if
> my question is naive.
>
> In RFC 2401, Sec 3.2, ESP is defined as a protocol that, in addition to
> other things, can provide data origin authentication. In RFC 2406, Sec
> 3.1, I find that ESP can authenticate everything in the packet except
> the IP header. However, in tunnel mode, since the packet is tunneled,
> ESP can authenticate the original IP header but not the new IP
> header.
>
> So, when we say that ESP provides data origin authentication, the
> statement is applicable only for tunnel mode and not for transport
> mode.
>
> Is my understanding of this concept correct or did I miss
> something?

Data Origin authentication in ESP (and AH) is provided for the IP
_payload_, based on the identity verified during
SA establishment, e.g., via IKE. Thus, this service is offered in both
tunnel and transport modes. Recall that the receiver checks the
selectors from the IP header against the appropriate SAD entries after
IPsec processing, which ensures that those values are consistent with
the ones established during SA establishment. So, there is some
implicit integrity and authenticity checking applied to those fields in
transport mode.


Steve
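An added example (not from either poster) modelling the receiver-side logic Steve describes for transport-mode ESP: the ICV covers only the ESP header and payload, and the outer IP header is then checked against the selectors stored in the SAD entry that IKE established. The SA contents, key, peer identity and the simplified "SPI || sequence || payload" ICV scope are constructed assumptions for illustration.

```python
import hmac
import hashlib
import struct

# Constructed SAD: one inbound transport-mode ESP SA, as the receiver would
# hold it after IKE negotiated it with a peer whose identity was verified.
SAD = {
    0x1001: {
        "auth_key": b"k" * 32,            # constructed HMAC key (assumption)
        "peer_id": "gw-a.example",        # identity verified during SA setup
        "selectors": {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": 6},
    }
}

def esp_icv(key, spi, seq, payload):
    # Truncated HMAC-SHA256 over the ESP header (SPI, sequence number) and the
    # payload. The IP header is deliberately NOT covered, as in RFC 2406.
    data = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:12]

def build_esp_packet(spi, seq, payload, ip_src, ip_dst, inner_proto):
    # Sender side: compute the ICV; IP addresses sit outside its scope.
    icv = esp_icv(SAD[spi]["auth_key"], spi, seq, payload)
    return {"ip_src": ip_src, "ip_dst": ip_dst, "spi": spi, "seq": seq,
            "payload": payload, "inner_proto": inner_proto, "icv": icv}

def process_inbound_esp(pkt):
    # Receiver side, in the order the reply describes: look up the SA by SPI,
    # verify the ICV, then check the IP header against the SA's selectors.
    sa = SAD.get(pkt["spi"])
    if sa is None:
        return "no_sa"
    expected = esp_icv(sa["auth_key"], pkt["spi"], pkt["seq"], pkt["payload"])
    if not hmac.compare_digest(expected, pkt["icv"]):
        return "icv_fail"            # payload or ESP header was modified
    sel = sa["selectors"]
    if (pkt["ip_src"], pkt["ip_dst"], pkt["inner_proto"]) != (
            sel["src"], sel["dst"], sel["proto"]):
        return "selector_mismatch"   # header fields disagree with the SA
    # Both checks passed: the payload is attributed to the IKE-verified peer.
    return "accepted:" + sa["peer_id"]
```

A packet whose outer source address was altered still carries a valid ICV, so only the selector check against the SAD entry rejects it.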
