
Re: Why can't ESP authenticate IP header?



At 06:18 PM 9/21/01 -0400, Bill Sommerfeld wrote:
> > How can it provide "data origin authentication" in transport mode?
>
>By allowing SA's to have a source address attribute and checking this
>on receipt (as suggested by Steve Bellovin a long time ago).
>
>You don't need to include the source address in the hash function if
>you do a literal compare between the packet source address and the
>source address of the SA.

Bill, I hope you are talking AH. AFAIK, ESP processing does not
include the source IP address in the hash function. The IPsec standard does not
talk about comparing the packet source IP address and the SA source IP address. It
mentions comparing the packet's "destination address + SPI + security
protocol" against the same triplet in the SADB.

>Solaris's IPsec does this.

If Solaris does this, then most probably it has interop issues.

- pravin

>                                                 - Bill



*********************************************************************
Pravin Kantak,                          http://www.intotoinc.com
Intoto Inc.                             voice : (408)844-0480 Ext 318
3160, De La Cruz Blvd, #100,            fax   : (408)844-0488
Santa Clara, CA - 95054
*********************************************************************
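As an added illustration, not part of this thread and not code from Solaris or any other implementation mentioned, here is a small Python model of the inbound processing both messages describe: the SAD is indexed by the (destination address, SPI, security protocol) triplet Pravin quotes, the ESP integrity check covers only the ESP header and payload (not the IP header), and an optional per-SA source-address attribute is compared against the packet's source address on receipt, as Bill describes. The SA fields, addresses, key and packets are constructed for the demonstration, and HMAC-SHA1 truncated to 96 bits stands in for whatever authentication algorithm the SA negotiated.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class SecurityAssociation:
    """Inbound SA. The SAD is indexed by (dst_addr, spi, proto), the triplet
    the message quotes. src_addr is the optional source-address attribute
    (an assumption of this model, standing in for the check Bill describes)."""
    spi: int
    dst_addr: str
    proto: str                      # "ESP" here; the same lookup applies to "AH"
    auth_key: bytes
    src_addr: Optional[str] = None  # None: this SA carries no source binding


@dataclass
class Packet:
    """Transport-mode ESP packet, reduced to the fields the model needs."""
    src_addr: str
    dst_addr: str
    proto: str
    spi: int
    seq: int
    payload: bytes
    icv: bytes = b""


def esp_icv(sa: SecurityAssociation, pkt: Packet) -> bytes:
    """ESP's ICV covers the ESP header (SPI, sequence number) and the payload.
    The IP header, and therefore the source address, lies outside its scope.
    HMAC-SHA1-96 is a stand-in for the negotiated algorithm."""
    covered = pkt.spi.to_bytes(4, "big") + pkt.seq.to_bytes(4, "big") + pkt.payload
    return hmac.new(sa.auth_key, covered, hashlib.sha1).digest()[:12]


def seal(sa: SecurityAssociation, pkt: Packet) -> Packet:
    """Sender side: attach the ICV to the outgoing packet."""
    pkt.icv = esp_icv(sa, pkt)
    return pkt


class InboundSAD:
    """Security Association Database keyed exactly as the text describes."""

    def __init__(self) -> None:
        self._table: dict = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._table[(sa.dst_addr, sa.spi, sa.proto)] = sa

    def lookup(self, pkt: Packet) -> Optional[SecurityAssociation]:
        return self._table.get((pkt.dst_addr, pkt.spi, pkt.proto))


def inbound_process(sad: InboundSAD, pkt: Packet, check_source: bool) -> str:
    """Receiver side. check_source=False is triplet lookup plus ICV verification;
    check_source=True additionally requires the packet's source address to equal
    the address bound to the SA."""
    sa = sad.lookup(pkt)
    if sa is None:
        return "no SA"
    if not hmac.compare_digest(esp_icv(sa, pkt), pkt.icv):
        return "bad ICV"
    if check_source and sa.src_addr is not None and pkt.src_addr != sa.src_addr:
        return "source mismatch"
    return "ok"


# Constructed sample data: one inbound SA bound to peer 10.0.0.1.
_SA = SecurityAssociation(spi=0x1000, dst_addr="10.0.0.2", proto="ESP",
                          auth_key=b"constructed-demo-key", src_addr="10.0.0.1")
SAD = InboundSAD()
SAD.add(_SA)

# A packet sealed by the legitimate peer.
LEGIT = seal(_SA, Packet("10.0.0.1", "10.0.0.2", "ESP", 0x1000, 1, b"hello"))
# The same ESP datagram behind an IP header whose source field differs:
# the ICV still verifies because the IP header is not covered by it.
REWRITTEN = Packet("10.0.0.99", LEGIT.dst_addr, LEGIT.proto, LEGIT.spi,
                   LEGIT.seq, LEGIT.payload, LEGIT.icv)
# A change inside ESP's scope is caught by the ICV with or without the source check.
TAMPERED = Packet(LEGIT.src_addr, LEGIT.dst_addr, LEGIT.proto, LEGIT.spi,
                  LEGIT.seq, b"hullo", LEGIT.icv)


def demo() -> dict:
    """Run the four receive cases and return their verdicts."""
    return {
        "legit, triplet lookup only": inbound_process(SAD, LEGIT, False),
        "source rewritten, triplet lookup only": inbound_process(SAD, REWRITTEN, False),
        "source rewritten, with source check": inbound_process(SAD, REWRITTEN, True),
        "payload tampered": inbound_process(SAD, TAMPERED, False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

With lookup by the triplet alone, the packet whose IP source field was rewritten is accepted, since nothing in ESP's integrity scope changed; the per-SA source compare is what rejects it, which is the data origin property the thread is about. Whether a receiver that performs that extra compare interoperates with peers that do not is exactly the question Pravin raises.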


