Re: [MSEC] Re: multicast authentication using AH
> > > AH SHOULD HAVE supported authentication with digital signatures.
> >
> >There's nothing, I believe, about AH that prevents digital signatures from
> >being used.
> >
> >The Authentication Data area can be made up to 1016 bytes (just shy of
> >8kbits) per 2402. That should be plenty of room for a digital signature.
> >
> >Dan
>
> How is this signalled?

It's part of the IPsec Security Association data. Per 2401, an SA is indexed
by the tuple <AH, SPI, IP destination address>. When you add the appropriate
SA, you get all sorts of data, including the algorithm.

All one would need to do is write a new "algorithm document" for using a
digital signature with AH. It shouldn't be tough, and if I had cycles (HAH!)
I could easily prototype one in Solaris.

Dan
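
Added example, not part of the original messages and not code from any IPsec implementation: a sketch of the lookup described in the thread, where the receiver selects the SA by <AH, SPI, destination address> and learns the algorithm and Authentication Data length from it, plus the arithmetic behind the 1016-byte limit. The SAD entries, the addresses and the "rsa-1024-sig" algorithm name are constructed for illustration; no such AH transform is defined on this page.

```python
import struct

AH_PROTO = 51       # IP protocol number for AH
AH_FIXED_LEN = 12   # next header, payload len, reserved, SPI, sequence number

# Constructed SAD: (protocol, SPI, destination) -> SA parameters.
# "rsa-1024-sig" is a hypothetical algorithm name used only for this example.
SAD = {
    (AH_PROTO, 0x1001, "224.1.2.3"): {"alg": "rsa-1024-sig", "icv_len": 128},
    (AH_PROTO, 0x1002, "192.0.2.7"): {"alg": "hmac-sha1-96", "icv_len": 12},
}

def max_auth_data_len():
    # Payload Len is an 8-bit count of 32-bit words, minus 2.
    return (0xFF + 2) * 4 - AH_FIXED_LEN

def build_ah(next_hdr, spi, seq, icv):
    """Serialize an AH header (IPv4 alignment: multiple of 32 bits)."""
    total = AH_FIXED_LEN + len(icv)
    if total % 4 or len(icv) > max_auth_data_len():
        raise ValueError("ICV must keep AH 32-bit aligned and fit Payload Len")
    return struct.pack("!BBHII", next_hdr, total // 4 - 2, 0, spi, seq) + icv

def classify(dst, ah_bytes):
    """Return (algorithm, icv) for the SA selected by <AH, SPI, dst>."""
    if len(ah_bytes) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    _nh, plen, _rsv, spi, _seq = struct.unpack("!BBHII", ah_bytes[:AH_FIXED_LEN])
    sa = SAD.get((AH_PROTO, spi, dst))
    if sa is None:
        raise LookupError("no SA for SPI 0x%x to %s" % (spi, dst))
    # The header carries no algorithm field; only the SA says how to
    # interpret the Authentication Data and how long it must be.
    icv = ah_bytes[AH_FIXED_LEN:(plen + 2) * 4]
    if len(icv) != sa["icv_len"]:
        raise ValueError("ICV length does not match the SA's algorithm")
    return sa["alg"], icv

if __name__ == "__main__":
    hdr = build_ah(17, 0x1001, 1, b"\x5a" * 128)  # constructed 128-byte ICV
    print(max_auth_data_len(), classify("224.1.2.3", hdr)[0])
```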