
Re: [MSEC] Re: multicast authentication using AH



> > > AH SHOULD HAVE supported authentication with digital signatures.
> >
> >There's nothing, I believe, about AH that prevents digital signatures from
> >being used.
> >
> >The Authentication Data area can be made up to 1016 bytes (just shy of
> >8kbits) per 2402.  That should be plenty of room for a digital signature.
> >
> >Dan
> 
> How is this signalled?

It's part of the IPsec Security Association data.  Per 2401, an SA is indexed
by the tuple <AH, SPI, IP destination address>.  When you add the appropriate
SA, you get all sorts of data, including the algorithm.

All one would need to do is write a new "algorithm document" for using a
digital signature with AH.  It shouldn't be tough, and if I had cycles (HAH!)
I could easily prototype one in Solaris.

Dan
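The two points above, the size the 8-bit Payload Len field allows for Authentication Data and the SA lookup by the <AH, SPI, destination> tuple, as an added worked example (not Dan's code, and not from any IPsec implementation). It builds and parses an RFC 2402 AH header, keeps a toy SAD keyed by that tuple, and verifies an HMAC-SHA1-96 ICV. The SAD entries, key, SPI, destination address and payload are constructed sample values; the MAC here covers only the AH header (with Authentication Data zeroed) and the payload, leaving out the immutable IP header fields a real implementation must include.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

AH_PROTO = 51        # IP protocol number for AH (RFC 2402)
AH_FIXED_LEN = 12    # Next Header, Payload Len, Reserved, SPI, Sequence Number


@dataclass
class AHHeader:
    next_header: int
    payload_len: int   # raw field: AH length in 32-bit words, minus 2
    spi: int
    seq: int
    auth_data: bytes   # ICV today; a digital signature in the proposal above


def max_auth_data_len() -> int:
    """Largest Authentication Data field the 8-bit Payload Len can describe."""
    return (0xFF + 2) * 4 - AH_FIXED_LEN   # 1016 bytes, as the mail says


def build_ah(next_header: int, spi: int, seq: int, auth_data: bytes) -> bytes:
    """Serialize an AH header; Authentication Data must be a multiple of 32 bits."""
    if len(auth_data) % 4:
        raise ValueError("Authentication Data must be a multiple of 32 bits (IPv4)")
    if len(auth_data) > max_auth_data_len():
        raise ValueError("Authentication Data exceeds what Payload Len can encode")
    payload_len = (AH_FIXED_LEN + len(auth_data)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + auth_data


def parse_ah(buf: bytes):
    """Return (AHHeader, bytes following the AH header), bounds-checked."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("buffer shorter than AH fixed header")
    nh, plen, _reserved, spi, seq = struct.unpack("!BBHII", buf[:AH_FIXED_LEN])
    total = (plen + 2) * 4
    if total > len(buf):
        raise ValueError("AH Payload Len points past end of buffer")
    return AHHeader(nh, plen, spi, seq, buf[AH_FIXED_LEN:total]), buf[total:]


# Security Association Database indexed by <AH, SPI, destination>, per RFC 2401.
# Each entry carries the data the SA supplies, including the algorithm.
def sa_key(spi: int, dst: str):
    return (AH_PROTO, spi, dst)


def lookup_sa(sad: dict, spi: int, dst: str):
    return sad.get(sa_key(spi, dst))


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits, the AH ICV of RFC 2404."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def verify_ah(sad: dict, dst: str, buf: bytes):
    """Look up the SA for an inbound AH packet, then check its ICV.

    Simplified coverage: AH header (Authentication Data zeroed) plus payload only.
    Returns (ok, reason)."""
    hdr, payload = parse_ah(buf)
    sa = lookup_sa(sad, hdr.spi, dst)
    if sa is None:
        return False, "no SA for <AH, %#x, %s>" % (hdr.spi, dst)
    if sa["algorithm"] != "hmac-sha1-96":
        return False, "unsupported algorithm %s" % sa["algorithm"]
    zeroed = build_ah(hdr.next_header, hdr.spi, hdr.seq, b"\x00" * len(hdr.auth_data))
    expected = hmac_sha1_96(sa["key"], zeroed + payload)
    if hmac.compare_digest(expected, hdr.auth_data):
        return True, "ICV ok"
    return False, "ICV mismatch"


# Constructed sample values (not taken from the mail).
SAMPLE_KEY = b"constructed-sample-key-bytes"
SAMPLE_DST = "192.0.2.1"
SAMPLE_SPI = 0x1234
SAMPLE_SAD = {sa_key(SAMPLE_SPI, SAMPLE_DST): {"algorithm": "hmac-sha1-96", "key": SAMPLE_KEY}}


def make_sample_packet(seq: int = 1, payload: bytes = b"constructed multicast data") -> bytes:
    """Sender side: compute the ICV over the zeroed header plus payload, then fill it in."""
    zeroed = build_ah(17, SAMPLE_SPI, seq, b"\x00" * 12)   # 17 = UDP as Next Header
    icv = hmac_sha1_96(SAMPLE_KEY, zeroed + payload)
    return build_ah(17, SAMPLE_SPI, seq, icv) + payload


if __name__ == "__main__":
    pkt = make_sample_packet()
    print("max Authentication Data:", max_auth_data_len(), "bytes")
    print("verify:", verify_ah(SAMPLE_SAD, SAMPLE_DST, pkt))
```

Swapping in a signature scheme would only change the `algorithm` entry in the SAD and the function that fills and checks Authentication Data; the header format and the tuple lookup stay exactly as they are, which is the point Dan is making.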

