
Re: Simplifying IKE



 In your previous mail you wrote:

   > => this "authentication" by side effect is mandatory according to RFC
   > 2401 5.2.1 step 2 but:
   >  - it doesn't work with tunnel mode
   
   I'm probably missing something obvious, but why doesn't comparing the SA
   against the (two) IP headers work for tunnel mode?
   
=> RFC 2401 specifies that only the inner addresses must be checked
in tunnel mode (inbound processing rules, 5.2.1). The outer destination
is used for SA lookup so must be right, the outer source should not be
checked (5.1.2.1 footnote 3 note). Many implementations incorrectly
implement an outer source address check in tunnel mode and this does
not work well with mobility/multihoming/NAT/...

Regards

Francis.Dupont@enst-bretagne.fr

PS: the outer/inner header stuff for SADB and SPD is the only difference
from the security point of view between tunnel mode and transport + IPinIP
for ESP (AH tunnel mode is different but not used).
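The inbound tunnel-mode checks the message describes, as an added example that is not part of the original post or of any particular IPsec implementation. It is a Python model of the RFC 2401 5.2.1 steps: SA lookup by (outer destination, protocol, SPI), selector matching against the inner header, and no check of the outer source. The SA, SADB and TunnelPacket structures, the inbound_check function and all addresses and SPIs are constructed for illustration; the check_outer_src flag reproduces the non-conformant behaviour and shows why it breaks when the peer's outer address changes.

```python
# Added example, not part of the original message: a minimal model of the
# RFC 2401 5.2.1 inbound checks for an ESP tunnel-mode SA.  Names (SA, SADB,
# TunnelPacket, inbound_check) and the packet layout are simplifications
# chosen for this illustration; the addresses and SPI below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ESP = 50  # IP protocol number of ESP


@dataclass(frozen=True)
class SA:
    spi: int
    proto: int          # IPsec protocol the SA belongs to (ESP here)
    tunnel_dst: str     # our outer address; part of the SAD lookup key
    tunnel_src: str     # peer's outer address when the SA was negotiated
    src_selector: str   # selectors are matched against the *inner* header
    dst_selector: str


@dataclass(frozen=True)
class TunnelPacket:
    outer_src: str
    outer_dst: str
    proto: int
    spi: int
    inner_src: str      # decapsulated inner header (after ESP processing)
    inner_dst: str


class SADB:
    """Security Association Database keyed the way RFC 2401 requires."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        # Step 1 of 5.2.1: inbound SAs are found by (outer dst, proto, SPI);
        # the outer source address is not part of the key.
        self._sas[(sa.tunnel_dst, sa.proto, sa.spi)] = sa

    def lookup(self, pkt):
        return self._sas.get((pkt.outer_dst, pkt.proto, pkt.spi))


def inbound_check(sadb, pkt, check_outer_src=False):
    """Return (accepted, reason).  check_outer_src=True reproduces the
    non-conformant behaviour the message complains about."""
    sa = sadb.lookup(pkt)
    if sa is None:
        return False, "no SA for (outer dst, protocol, SPI)"
    # Step 2 of 5.2.1: match the packet's selectors against the SA's.
    # In tunnel mode the selectors apply to the inner header only.
    if ip_address(pkt.inner_src) not in ip_network(sa.src_selector):
        return False, "inner source outside SA selector"
    if ip_address(pkt.inner_dst) not in ip_network(sa.dst_selector):
        return False, "inner destination outside SA selector"
    # RFC 2401 does not require the outer source to match anything
    # (5.1.2.1, note 3).  Implementations that add this check reject
    # legitimate packets whenever the peer's outer address changes.
    if check_outer_src and pkt.outer_src != sa.tunnel_src:
        return False, "outer source differs from SA peer address"
    return True, "accepted"


def mobility_demo():
    """Peer moves (or gets NATed) after SA setup: same SPI, new outer source."""
    sadb = SADB()
    sadb.add(SA(spi=0x1234, proto=ESP, tunnel_dst="192.0.2.1",
                tunnel_src="198.51.100.7",
                src_selector="10.1.0.0/16", dst_selector="10.2.0.0/16"))
    moved = TunnelPacket(outer_src="203.0.113.9", outer_dst="192.0.2.1",
                         proto=ESP, spi=0x1234,
                         inner_src="10.1.0.5", inner_dst="10.2.0.9")
    # A packet whose inner header violates the selectors must still be dropped,
    # even when its outer source is the address the SA was set up with.
    bad_inner = TunnelPacket(outer_src="198.51.100.7", outer_dst="192.0.2.1",
                             proto=ESP, spi=0x1234,
                             inner_src="172.16.0.1", inner_dst="10.2.0.9")
    return {
        "conformant_moved": inbound_check(sadb, moved)[0],
        "outer_src_check_moved": inbound_check(sadb, moved, check_outer_src=True)[0],
        "conformant_bad_inner": inbound_check(sadb, bad_inner)[0],
    }


if __name__ == "__main__":
    print(mobility_demo())
```

Running it shows the conformant receiver accepting the packet from the moved peer while still dropping the one whose inner addresses fall outside the SA selectors; the variant that also compares the outer source rejects the moved peer's packet, which is the mobility/multihoming/NAT breakage the message points at.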
