
Re: Death to AH (was Re: SA identification)




>Bill Sommerfeld  wrote:
>>In the case of multicast SA's, AH's checksum over the IP source
>>address protects the ip source address from tampering.
>I promised myself I wouldn't get into the "Death to AH" argument, but...
>Could you elaborate?  I can see only two cases:
>- Multicast where multiple sources share the same SA:
>    If so, the AH MAC doesn't help, because each of the sources 
>    can spoof each other.

	why do you consider AH so special here?
	whoever has the secret key for an SA can forge anything over SA.

itojun
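
Added example, not part of the original message: a simplified model of the point under discussion, where the integrity check covers the IP source address but every member of a multicast SA holds the same key. The key, the addresses, the packet layout and the use of HMAC-SHA-256 are assumptions made for illustration; real AH covers more header fields.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values; not taken from the thread.
GROUP_KEY = b"constructed-shared-multicast-sa-key"
GROUP_ADDR = "ff02::1234"
SENDER_A = "2001:db8::a"
SENDER_B = "2001:db8::b"


def icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Simplified AH-style integrity check value: MAC over addresses + payload."""
    msg = (ipaddress.ip_address(src).packed
           + ipaddress.ip_address(dst).packed
           + payload)
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_packet(key: bytes, src: str, dst: str, payload: bytes) -> dict:
    return {"src": src, "dst": dst, "payload": payload,
            "icv": icv(key, src, dst, payload)}


def receiver_accepts(key: bytes, pkt: dict) -> bool:
    expected = icv(key, pkt["src"], pkt["dst"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def demo() -> dict:
    results = {}
    genuine = make_packet(GROUP_KEY, SENDER_A, GROUP_ADDR, b"hello group")
    results["genuine"] = receiver_accepts(GROUP_KEY, genuine)

    # A party without the SA key rewrites the source address in transit:
    # the check value no longer matches, so the change is detected.
    rewritten = dict(genuine, src=SENDER_B)
    results["rewritten_without_key"] = receiver_accepts(GROUP_KEY, rewritten)

    # Member B holds the same SA key and labels its own packet with A's
    # address: the receiver cannot distinguish it from A's traffic.
    from_b_as_a = make_packet(GROUP_KEY, SENDER_A, GROUP_ADDR, b"sent by B")
    results["member_claims_other_source"] = receiver_accepts(GROUP_KEY, from_b_as_a)
    return results


if __name__ == "__main__":
    print(demo())
```

The receiver can conclude only that a packet came from some holder of the SA key, which is the property both sides of the exchange above are arguing from.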

