Re: Why can't ESP authenticate IP header?
At 5:57 PM -0400 9/21/01, john ipsec wrote:
>In RFC-2406 (ESP), in "Introduction," it says:
>
>"ESP is used to provide confidentiality, data origin authentication,
>connectionless integrity, an anti-replay service (a form of partial
>sequence integrity), and limited traffic flow confidentiality."
>
>How can it provide "data origin authentication" in transport mode?
>
>John
>
Here data origin authentication is effected by binding the ESP
payload (in either mode) to the SA over which it is carried. That SA
specifies the granularity of data origin authentication, which might
be per subnet, per host, per process, ...
Steve
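
Added example (not part of the reply above or of RFC 2406): a simplified sketch of the SA binding described in the reply, in which the receiver selects the SA by SPI and checks the ICV with that SA's key, so the origin is established at the SA's granularity and never from the IP header. Assumptions: HMAC-SHA-1-96 (RFC 2404) as the authentication algorithm, encryption and padding omitted, and a constructed SA table with made-up keys and origin labels.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96 truncates the MAC to 96 bits

# Constructed receiver-side SA table: SPI -> key and the granularity the SA
# was set up for (keys and labels are sample values, not from the thread).
SAD = {
    0x1001: {"key": b"k" * 20, "origin": "host 192.0.2.10"},
    0x1002: {"key": b"q" * 20, "origin": "subnet 198.51.100.0/24"},
}

def esp_seal(spi, seq, payload, key):
    """Build SPI | sequence number | payload | ICV (encryption omitted)."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def esp_verify(outer_src_ip, packet):
    """Return the SA's origin label if the ICV verifies, else None.

    outer_src_ip is accepted only to show it plays no part in the check:
    the ICV covers the ESP header and payload, not the IP header.
    """
    if len(packet) < 8 + ICV_LEN:
        return None
    spi, _seq = struct.unpack("!II", packet[:8])
    sa = SAD.get(spi)          # the SPI selects the SA
    if sa is None:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["key"], body, hashlib.sha1).digest()[:ICV_LEN]
    return sa["origin"] if hmac.compare_digest(icv, expected) else None

if __name__ == "__main__":
    pkt = esp_seal(0x1001, 1, b"transport-mode payload", SAD[0x1001]["key"])
    # Same ESP packet, two different claimed source addresses: same verdict.
    print(esp_verify("192.0.2.10", pkt))
    print(esp_verify("203.0.113.7", pkt))
```
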