
Re: Does ESP do Data Origin Authentication ...



Hey Dinesh,

     Data origin authentication happens as follows.
There is a derivative of the master session key
created in Phase 1 of IKE negotiation; I believe this
key is the skeyid_a. The skeyid_a is the key used in
the HMAC version of the hash algorithm in IPSEC that
is combined with the initial message before it is put
through that hash algorithm. Since there is an
identification of peers that happens before the master
session key is created, either through shared secret or
digital certs, etc., you must have authenticated
yourself before that key was generated. Therefore, when
a sender hash is compared against the recipient hash and
matches, you have authenticated your peer. I think
this is how it works. If I am wrong, someone please
chime in. Cheers :-)



--- Dinesh Jaiswal <dinesh_jaiswal@hotmail.com> wrote:
> Hi,
> 
>    I am a newbie to the whole concept of IPsec, so
> please excuse me if my question is naive.
> 
>    In RFC 2401, Sec. 3.2, ESP is defined as a protocol
> that, in addition to other things, can provide data
> origin authentication. In RFC 2406, Sec. 3.1, I find
> that ESP can authenticate everything in the packet
> except the IP header. However, in tunnel mode, since
> the packet is tunneled, ESP can authenticate the
> original IP header but not the new IP header.
> 
>     So, when we say that ESP provides data origin
> authentication, the statement is applicable only for
> tunnel mode and not for transport mode.
> 
>     Is my understanding of this concept correct, or
> did I miss something?
> 
> Thanks,
> -Dinesh


__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/
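The following is an added worked example, not code from either poster or from any IPsec implementation. It builds an ESP packet in the RFC 2406 layout with an HMAC-SHA1-96 ICV (as in RFC 2404) and checks, on the receiving side, which parts of a tunnel-mode packet the ICV actually covers. Assumptions: encryption is omitted so the layout stays visible; `derive_auth_key` is a toy HMAC-PRF standing in for the real IKE key derivation (it is only there to show that the ICV key descends from a secret both peers proved possession of); the shared secret, nonces, addresses and SPI are constructed sample values; and `fake_ipv4_header` is a hypothetical helper that emits a 20-byte IPv4 header with a zero checksum.

```python
import hmac
import hashlib
import struct

# Constructed sample secret standing in for the material both peers prove
# possession of during IKE Phase 1 (pre-shared key or certificate-based auth).
SHARED_SECRET = b"constructed-preshared-key-for-illustration"
NONCE_I = b"constructed-initiator-nonce"
NONCE_R = b"constructed-responder-nonce"

ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte HMAC output to 96 bits


def derive_auth_key(secret: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Toy stand-in for IKE key derivation (hypothetical, not the real KDF):
    an HMAC-based PRF over the peers' nonces. Only a party holding `secret`
    can compute the result, which is what ties the ICV to an authenticated peer."""
    return hmac.new(secret, nonce_i + nonce_r, hashlib.sha1).digest()


def build_esp(spi: int, seq: int, payload: bytes, auth_key: bytes, next_header: int = 4) -> bytes:
    """Build an ESP packet in the RFC 2406 layout (encryption omitted for clarity).
    The ICV is computed over SPI, sequence number, payload and trailer; no IP
    header, outer or otherwise, is part of the authenticated region."""
    pad_len = (-(len(payload) + 2)) % 4          # align the trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))       # RFC 2406 default padding 1, 2, 3, ...
    trailer = padding + bytes([pad_len, next_header])
    authenticated = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def verify_esp(esp: bytes, auth_key: bytes) -> bool:
    """Receiver side: recompute the ICV over everything except the ICV itself."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def fake_ipv4_header(src: bytes, dst: bytes, total_len: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero; protocol 50 = ESP)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 50, 0, src, dst)


def verify_tunnel_packet(packet: bytes, auth_key: bytes) -> bool:
    """Strip the outer IPv4 header (length from the IHL field) and verify ESP only."""
    ihl = (packet[0] & 0x0F) * 4
    return verify_esp(packet[ihl:], auth_key)


def demo() -> dict:
    auth_key = derive_auth_key(SHARED_SECRET, NONCE_I, NONCE_R)
    # Tunnel mode: the whole inner IP packet is the ESP payload.
    inner = fake_ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x01\x01", 20 + 5) + b"hello"
    esp = build_esp(spi=0x1000, seq=1, payload=inner, auth_key=auth_key)
    outer = fake_ipv4_header(b"\xc0\xa8\x00\x01", b"\xc0\xa8\x00\x02", 20 + len(esp))
    packet = outer + esp

    # 1. Genuine packet verifies.
    genuine = verify_tunnel_packet(packet, auth_key)
    # 2. Outer source address rewritten in transit: still verifies, because the
    #    outer header lies outside the ICV (the receiver selects the SA by SPI).
    spoofed_outer = fake_ipv4_header(b"\x01\x02\x03\x04", b"\xc0\xa8\x00\x02", 20 + len(esp))
    outer_tampered = verify_tunnel_packet(spoofed_outer + esp, auth_key)
    # 3. One byte of the tunnelled inner header changed: fails, since it is payload
    #    (ESP header is 8 bytes; inner source address starts at inner offset 12).
    mutated = bytearray(esp)
    mutated[8 + 12] ^= 0xFF
    inner_tampered = verify_tunnel_packet(outer + bytes(mutated), auth_key)
    # 4. A party that never authenticated (no shared secret) cannot produce a valid ICV.
    wrong_key = derive_auth_key(b"some-other-secret", NONCE_I, NONCE_R)
    forged = build_esp(spi=0x1000, seq=2, payload=inner, auth_key=wrong_key)
    forgery = verify_tunnel_packet(outer + forged, auth_key)
    return {
        "genuine": genuine,
        "outer_header_tampered": outer_tampered,
        "inner_header_tampered": inner_tampered,
        "forged_by_unauthenticated_peer": forgery,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV mismatch'}")
```

Running `demo()` gives `genuine` and `outer_header_tampered` as `True` and the other two as `False`. The receiver never looks at the outer header when checking the ICV; it picks the SA (and therefore the key) by SPI, and because that key exists only on a peer that completed IKE authentication, a matching ICV establishes who sent the ESP payload regardless of what the outer (or, in transport mode, the only) IP header says. What the ICV does not vouch for is the IP header that carried the packet, which is why an ESP-only deployment still needs SA policy checks rather than trust in source addresses.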