
RE: Transport / Tunnel Mode



On Wed, 29 Nov 2000, Andrew Krywaniuk wrote:
> And isn't there also the issue that you couldn't use ESP authentication with
> sgw-sgw or host-sgw transport mode? AH would again become mandatory in order
> to protect the outer (and only) header.

Not (absolutely) necessarily.  In IPv4 in particular, AH protects very
little that's of interest except the source and destination addresses. 
Remember that authentication tells you not only that the packet has not
been altered in transit, but also that it did actually come from the other
end of that SA.  Depending on which packets are flowing through which SAs,
the mere fact that a packet emerged from a particular SA (and passed its
authentication) might be enough to verify source and destination addresses. 

As others have noted, and as RFC 2401 explicitly states in 4.1, the bottom
line is that multiple fragments may not follow the same route to reach
their destination.  So when decryption (etc.) is being done by an
interposed security gateway rather than by the end host, the security
gateway must be the ostensible destination of the packet, so it can be
sure it gets all the fragments.

                                                          Henry Spencer
                                                       henry@spsystems.net
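To make the remark about what IPv4 AH actually covers concrete, here is an added illustration (not part of Henry Spencer's message or of this thread). It builds constructed 20-byte IPv4 headers and applies the RFC 2402 rule for the ICV computation: the mutable fields (TOS, flags/fragment offset, TTL, header checksum) are zeroed before authentication, so what remains protected is essentially version/IHL, total length, identification, protocol, and the source and destination addresses. IP options are not handled, which is a simplification of this example; the header builder and field names are this example's own.

```python
import ipaddress
import struct

# 20-byte IPv4 header without options:
# version/IHL, TOS, total length, identification, flags+fragment offset,
# TTL, protocol, header checksum, source address, destination address.
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, *, total_length: int = 1500,
                      ident: int = 0x1234, flags_frag: int = 0, ttl: int = 64,
                      protocol: int = 51, tos: int = 0) -> bytes:
    """Constructed sample header (protocol 51 = AH); checksum filled in."""
    hdr = struct.pack(IPV4_FMT, 0x45, tos, total_length, ident, flags_frag,
                      ttl, protocol, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_covered_bytes(header: bytes) -> bytes:
    """Return the header as it enters the AH ICV computation.

    Per RFC 2402 section 3.3.3.1.1.1, the mutable IPv4 fields are zeroed
    before authentication: TOS, flags + fragment offset, TTL and header
    checksum.  Everything else is authenticated as sent.  Options are not
    handled in this example (IHL must be 5).
    """
    if len(header) != 20 or header[0] & 0x0F != 5:
        raise ValueError("example handles only option-less IPv4 headers")
    (ver_ihl, _tos, total_len, ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FMT, header)
    return struct.pack(IPV4_FMT, ver_ihl, 0, total_len, ident, 0, 0, proto, 0,
                       src, dst)


def ah_protected_fields(header: bytes) -> dict:
    """Name the fields that survive into the ICV, for inspection."""
    (ver_ihl, _, total_len, ident, _, _, proto, _, src, dst) = struct.unpack(
        IPV4_FMT, ah_covered_bytes(header))
    return {
        "version_ihl": ver_ihl,
        "total_length": total_len,
        "identification": ident,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def same_ah_coverage(h1: bytes, h2: bytes) -> bool:
    """True if AH would compute its ICV over identical header bytes."""
    return ah_covered_bytes(h1) == ah_covered_bytes(h2)


if __name__ == "__main__":
    # Constructed sample: the same packet before and after traversing routers
    # that decremented TTL and remarked TOS.  AH coverage is unchanged.
    sent = build_ipv4_header("10.0.0.1", "10.0.0.2")
    arrived = build_ipv4_header("10.0.0.1", "10.0.0.2", ttl=57, tos=0x10)
    print("TTL/TOS changes ignored by AH:", same_ah_coverage(sent, arrived))
    # A different source address does change what AH authenticates.
    other_src = build_ipv4_header("10.0.0.9", "10.0.0.2")
    print("source change detected by AH:", not same_ah_coverage(sent, other_src))
    print(ah_protected_fields(sent))
```

The point of the comparison is that, once the mutable fields are zeroed, the only header content AH vouches for beyond bookkeeping (length, identification, protocol) is the address pair; if the SA a packet emerged from already fixes that pair, ESP authentication has left nothing of interest unprotected.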



