Re: Why can't ESP authenticate IP header?
> >You don't need to include the source address in the hash function if
> >you do a literal compare between the packet source address and the
> >source address of the SA.
>
> Bill, I hope you are talking AH. AFAIK, ESP processing does not
> include the source IP address in the hash function.
We don't include the source address in the ESP hash function.
We bind the SA to the source address.
Repeating myself:
We do a COMPARE between the packet's source address and the SA's
source address (if it has one).
> The IPsec standard does not talk about comparing the packet source IP
> address and the SA source IP address. It mentions comparing the packet's
> "destination address + SPI + security protocol" against the same triplet
> in the SADB.
>
> >Solaris's IPsec does this.
>
> If Solaris does this, then most probably it has interop
> issues.
We interoperate quite well in transport mode, thank you.
- Bill
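The distinction the two posters are arguing about, as an added example that is not part of the thread and is not Solaris's code: a toy Python model of ESP inbound processing. The SA is looked up by the (destination address, SPI, protocol) triplet as the standard describes; the ICV covers only the ESP header and payload, so the outer IP header is not authenticated by the MAC. On top of that, the model implements the check Bill describes, an optional source address bound to the SA that is compared literally against the packet's source address. Everything here is constructed for illustration: the SADB entries, keys, addresses and SPIs are made up, the ICV is a truncated HMAC-SHA1, and the `src` field on the SA and the `check_source` switch are assumptions standing in for whatever a real implementation does.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP_PROTO = 50  # IP protocol number for ESP


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: int
    auth_key: bytes
    # Assumed optional binding of the SA to a source address (the compare
    # Bill describes); not part of the (dst, SPI, proto) lookup key.
    src: Optional[str] = None


SADB = Dict[Tuple[str, int, int], SecurityAssociation]


def esp_icv(auth_key: bytes, esp_header_and_payload: bytes) -> bytes:
    """Truncated HMAC-SHA1 over the ESP header (SPI, seq) plus payload.

    The outer IP header is deliberately not covered, as in ESP itself."""
    return hmac.new(auth_key, esp_header_and_payload, hashlib.sha1).digest()[:12]


def build_esp_packet(auth_key: bytes, src: str, dst: str, spi: int,
                     seq: int, payload: bytes) -> dict:
    """Constructed 'on the wire' packet: outer header fields plus ESP body and ICV."""
    esp = struct.pack("!II", spi, seq) + payload
    return {"src": src, "dst": dst, "proto": ESP_PROTO,
            "esp": esp, "icv": esp_icv(auth_key, esp)}


def lookup_sa(sadb: SADB, packet: dict) -> Optional[SecurityAssociation]:
    """Inbound lookup by destination address + SPI + security protocol."""
    spi = struct.unpack("!I", packet["esp"][:4])[0]
    return sadb.get((packet["dst"], spi, packet["proto"]))


def inbound_esp(sadb: SADB, packet: dict, check_source: bool = True) -> str:
    """Return the processing verdict for one inbound ESP packet."""
    sa = lookup_sa(sadb, packet)
    if sa is None:
        return "drop: no SA"
    expected = esp_icv(sa.auth_key, packet["esp"])
    if not hmac.compare_digest(expected, packet["icv"]):
        return "drop: bad ICV"
    # The literal compare: only meaningful if the SA carries a source address.
    if check_source and sa.src is not None and packet["src"] != sa.src:
        return "drop: source address does not match SA"
    return "accept"


def demo() -> Dict[str, str]:
    """Run the model over constructed packets and collect the verdicts."""
    key = b"constructed-auth-key-not-real"
    sa = SecurityAssociation(spi=0x1000, dst="10.0.0.2", proto=ESP_PROTO,
                             auth_key=key, src="10.0.0.1")
    sadb: SADB = {(sa.dst, sa.spi, sa.proto): sa}

    legit = build_esp_packet(key, "10.0.0.1", "10.0.0.2", 0x1000, 1, b"hello")

    # Same ESP body and ICV, different outer source address: the ICV still
    # verifies because ESP never covered the outer header.
    other_src = dict(legit, src="192.0.2.99")

    # Unknown SPI: the triplet lookup fails before any ICV work is done.
    unknown = build_esp_packet(key, "10.0.0.1", "10.0.0.2", 0x2000, 1, b"hello")

    return {
        "legit": inbound_esp(sadb, legit),
        "other_source_with_check": inbound_esp(sadb, other_src, check_source=True),
        "other_source_without_check": inbound_esp(sadb, other_src, check_source=False),
        "unknown_spi": inbound_esp(sadb, unknown),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `other_source_without_check` case is the point of the subject line: with the standard triplet lookup alone, the ICV passes regardless of the outer source address. Binding the SA to a source address and comparing, as the Solaris implementation described in the thread does, turns that into a drop without changing what the ICV covers or what goes on the wire, which is why it does not by itself cause an interoperability problem.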