Re: Death to AH (was Re: SA identification)
> - Multicast where multiple sources share the same SA:
> If so, the AH MAC doesn't help, because each of the sources
> can spoof each other.
I'm worried about someone who is not a member of the multicast group
(i.e., not in possession of the SA's key) substituting a different
source address and thus subverting a communication between members of
the group.
> In addition, all receivers who can verify the correctness of the AH
> MAC can forge valid MAC's, so I don't see how the MAC over the IP source
> address is buying you anything. Where did I go wrong?
It protects against forgery/tampering by parties not in possession of
the SA's key.
- Bill
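
A simplified model of the two positions in this exchange, as an added example that is not part of the original message. HMAC-SHA256 over the source address and payload stands in for the AH MAC, and the key, addresses and packet layout are constructed for illustration; real AH covers more header fields.

```python
import hashlib
import hmac
import ipaddress

# Constructed key shared by every member of the multicast group (one SA).
GROUP_KEY = b"constructed-group-sa-key"


def icv(key: bytes, src: str, payload: bytes) -> bytes:
    """MAC over the source address and the payload (stand-in for the AH MAC)."""
    msg = ipaddress.ip_address(src).packed + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_packet(key: bytes, src: str, payload: bytes) -> dict:
    return {"src": src, "payload": payload, "icv": icv(key, src, payload)}


def verify(key: bytes, pkt: dict) -> bool:
    """Receiver check: recompute the MAC over what arrived, compare in constant time."""
    expected = icv(key, pkt["src"], pkt["payload"])
    return hmac.compare_digest(pkt["icv"], expected)


def scenarios() -> dict:
    """Return the receiver's verdict for each case raised in the thread."""
    genuine = make_packet(GROUP_KEY, "192.0.2.10", b"group update 1")

    # A non-member substitutes a different source address in transit.
    # Without the SA's key the MAC cannot be recomputed, so it no longer matches.
    substituted = dict(genuine, src="192.0.2.99")

    # A non-member builds a packet from scratch with a key of its own.
    outsider = make_packet(b"not-the-group-key", "192.0.2.10", b"group update 1")

    # A group member holds the SA's key and uses another member's address.
    # The MAC verifies: members cannot be told apart by this check.
    insider = make_packet(GROUP_KEY, "192.0.2.10", b"sent by another member")

    return {
        "genuine": verify(GROUP_KEY, genuine),
        "non_member_substituted_source": verify(GROUP_KEY, substituted),
        "non_member_forged": verify(GROUP_KEY, outsider),
        "member_using_other_members_address": verify(GROUP_KEY, insider),
    }


if __name__ == "__main__":
    for case, accepted in scenarios().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```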