
Re: Why can't ESP authenticate IP header?



At 5:57 PM -0400 9/21/01, john ipsec wrote:
>In RFC-2406 (ESP), in "Introduction," it says:
>
>"ESP is used to provide confidentiality, data origin authentication,
>connectionless integrity, an anti-replay service (a form of partial
>sequence integrity), and limited traffic flow confidentiality."
>
>How can it provide "data origin authentication" in transport mode?
>
>John

Here data origin authentication is effected by binding the ESP
payload (in either mode) to the SA over which it is carried.  That SA
specifies the granularity of data origin authentication, which might
be per subnet, per host, per process, ...

Steve
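The following is an added illustration of the point Steve makes; it is not code from the thread or from any IPsec implementation. It builds a transport-mode ESP packet using NULL encryption (RFC 2410) and HMAC-SHA1-96 authentication (RFC 2404), then shows the receiver side: the SPI selects an SA, the ICV is checked with that SA's key, the anti-replay window is updated, and the authenticated "origin" is whatever identity the SA was negotiated with. The IP header is never an input to the ICV, so the receiver's notion of who sent the data comes from the SA, not from the source address. The SA fields, the peer label and the sample payload are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte HMAC-SHA1 tag to 96 bits (RFC 2404)


@dataclass
class SecurityAssociation:
    """Minimal SAD entry. 'peer' is the identity this SA was negotiated with
    (a host, a subnet, a user ...); it is the granularity of origin authentication."""
    spi: int
    peer: str
    auth_key: bytes
    replay_window: int = 64
    highest_seq: int = 0   # highest sequence number accepted so far
    window_bits: int = 0   # bit i set => highest_seq - i already seen


def build_esp_transport(sa, payload, next_header, seq):
    """ESP header (SPI, seq) + payload + padding + pad len + next header, then ICV.
    NULL encryption: the 'ciphertext' is the plaintext, padded to 4-byte alignment."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # RFC 2406 default padding 1,2,3,...
    body = struct.pack("!II", sa.spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def _replay_check_and_update(sa, seq):
    """Sliding anti-replay window in the style of RFC 2401 Appendix C."""
    if seq == 0:
        return False
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        mask = (1 << sa.replay_window) - 1
        sa.window_bits = ((sa.window_bits << shift) & mask) | 1
        sa.highest_seq = seq
        return True
    diff = sa.highest_seq - seq
    if diff >= sa.replay_window or sa.window_bits & (1 << diff):
        return False
    sa.window_bits |= 1 << diff
    return True


def verify_esp(sad, packet):
    """Receiver: SPI -> SA, check ICV with the SA's key, then anti-replay.
    Returns (authenticated origin, next header, payload) or None to drop.
    Note that no IP header is consulted: origin comes from the SA binding."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        return None  # no SA for this SPI: nothing to authenticate against
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None  # ICV mismatch: not sent by the holder of this SA's key
    if not _replay_check_and_update(sa, seq):
        return None
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return sa.peer, next_header, payload


if __name__ == "__main__":
    # Constructed SA: negotiated with the host 10.0.0.5 (hypothetical peer label).
    sa = SecurityAssociation(spi=0x1000, peer="host 10.0.0.5", auth_key=os.urandom(20))
    sad = {sa.spi: sa}
    pkt = build_esp_transport(sa, b"GET / HTTP/1.0\r\n", next_header=6, seq=1)
    print(verify_esp(sad, pkt))   # accepted, origin is the SA's peer
    print(verify_esp(sad, pkt))   # same sequence number again: dropped as replay
```

Because the ICV covers only the ESP header and payload, a transport-mode datagram whose outer source address has been rewritten still verifies under the same SA; the receiver should therefore treat the SA's peer, not the IP header, as the authenticated origin, and policy checks (SPD selectors) are what tie that peer back to acceptable addresses.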
