RE: Simplifying IKE
> As Steve Bellovin has pointed out on numerous occasions, the IP header
> in transport-mode ESP can be "authenticated" merely by doing a compare
> of the source and destination addresses against static state in the
> SA...
>
> => this "authentication" by side effect is mandatory according to RFC
> 2401 5.2.1 step 2 but:
> - it doesn't work with tunnel mode
I'm probably missing something obvious, but why doesn't comparing the SA
against the (two) IP headers work for tunnel mode?
Lars
--
Lars Eggert <larse@isi.edu> Information Sciences Institute
http://www.isi.edu/larse/ University of Southern California