
RE: Simplifying IKE



>    As Steve Bellovin has pointed out on numerous occasions, the IP header
>    in transport-mode ESP can be "authenticated" merely by doing a compare
>    of the source and destination addresses against static state in the
>    SA...
>
> => this "authentication" by side effect is mandatory according to RFC
> 2401 5.2.1 step 2 but:
>  - it doesn't work with tunnel mode

I'm probably missing something obvious, but why doesn't comparing the SA
against the (two) IP headers work for tunnel mode?

Lars
--
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
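Added example (not from this thread or any IPsec implementation): the address part of the inbound check the quoted text refers to, written out for both modes so the transport/tunnel difference is visible. The SA record layout, the `src_selector`/`dst_selector` fields, and the reading that in tunnel mode the outer header is compared against the SA endpoints while the inner header is compared against the SA's traffic selectors are assumptions made here; the sample SAs and headers are constructed from documentation address ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class IPHeader:
    """Only the two fields this check looks at."""
    src: str
    dst: str


@dataclass(frozen=True)
class SecurityAssociation:
    """Minimal inbound SA record (assumed layout, not any stack's real SAD entry)."""
    spi: int
    tunnel_mode: bool
    remote_endpoint: str   # where ESP packets on this SA come from
    local_endpoint: str    # where they are addressed to (used with the SPI for lookup)
    # Traffic selectors for the protected packet, as CIDR strings (assumed field).
    # In tunnel mode these describe the inner header; in transport mode there is
    # only one header, so the endpoints above are effectively the selectors.
    src_selector: str = "0.0.0.0/0"
    dst_selector: str = "0.0.0.0/0"


def check_inbound_headers(sa: SecurityAssociation, outer: IPHeader,
                          inner: Optional[IPHeader] = None) -> Tuple[bool, str]:
    """Return (accept, reason) for the address comparison against SA state.

    Transport mode: the single IP header must carry exactly the SA endpoints.
    Tunnel mode: the outer header must carry the SA endpoints, and the inner
    header (visible only after decapsulation) must fall inside the selectors.
    """
    # Common to both modes: the header that carried ESP must match the
    # endpoints of the SA that the SPI + destination lookup returned.
    if ip_address(outer.dst) != ip_address(sa.local_endpoint):
        return False, "outer destination does not match SA local endpoint"
    if ip_address(outer.src) != ip_address(sa.remote_endpoint):
        return False, "outer source does not match SA remote endpoint"

    if not sa.tunnel_mode:
        return True, "transport mode: IP header matches SA endpoints"

    # Tunnel mode: the packet that policy cares about is the inner one, and it
    # only becomes available once ESP has been authenticated and decrypted.
    if inner is None:
        return False, "tunnel mode: inner header not available yet (decapsulate first)"
    if ip_address(inner.src) not in ip_network(sa.src_selector):
        return False, "inner source outside SA source selector"
    if ip_address(inner.dst) not in ip_network(sa.dst_selector):
        return False, "inner destination outside SA destination selector"
    return True, "tunnel mode: outer header matches endpoints, inner header matches selectors"


# Constructed sample SAs and headers (documentation address ranges, not real hosts).
TRANSPORT_SA = SecurityAssociation(spi=0x1001, tunnel_mode=False,
                                   remote_endpoint="192.0.2.1",
                                   local_endpoint="198.51.100.1")
TUNNEL_SA = SecurityAssociation(spi=0x1002, tunnel_mode=True,
                                remote_endpoint="192.0.2.1",
                                local_endpoint="198.51.100.1",
                                src_selector="10.1.0.0/16",
                                dst_selector="10.2.0.0/16")
GOOD_OUTER = IPHeader(src="192.0.2.1", dst="198.51.100.1")
WRONG_OUTER = IPHeader(src="203.0.113.9", dst="198.51.100.1")
GOOD_INNER = IPHeader(src="10.1.0.5", dst="10.2.0.7")
STRAY_INNER = IPHeader(src="10.9.0.1", dst="10.2.0.7")

if __name__ == "__main__":
    for label, sa, outer, inner in [
        ("transport/ok", TRANSPORT_SA, GOOD_OUTER, None),
        ("transport/wrong outer src", TRANSPORT_SA, WRONG_OUTER, None),
        ("tunnel/ok", TUNNEL_SA, GOOD_OUTER, GOOD_INNER),
        ("tunnel/stray inner src", TUNNEL_SA, GOOD_OUTER, STRAY_INNER),
        ("tunnel/not decapsulated", TUNNEL_SA, GOOD_OUTER, None),
    ]:
        print(label, check_inbound_headers(sa, outer, inner))
```

The point the code makes about the question above: in transport mode the comparison is a single equality test on the one header that arrived, while in tunnel mode there are two headers with two different kinds of state to compare against (endpoints for the outer, selectors for the inner), and the inner comparison cannot happen until after ESP processing has succeeded. Real implementations also match protocol and port selectors, which are left out here.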
