
Re: Why can't ESP authenticate IP header?



> >You don't need to include the source address in the hash function if
> >you do a literal compare between the packet source address and the
> >source address of the SA.
> 
>          Bill, I hope you are talking AH. AFAIK, ESP processing does not
> include the source IP address in the hash function.

We don't include the source address in the ESP hash function.

We bind the SA to the source address.

Repeating myself:

We do a COMPARE between the packet's source address and the SA's
source address (if it has one).

> The IPsec standard does not talk about comparing the packet source IP
> address and the SA source IP address. It mentions comparing the packet's
> "destination address + SPI + security protocol" against the same triplet
> in the SADB.
> 
> >Solaris's IPsec does this.
> 
>          if solaris does this, then most probably it has interop
> issues.

We interoperate quite well in transport mode, thank you.

					- Bill
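The two inbound checks being discussed, as an added illustration that is not code from the thread or from any real IPsec implementation: an SADB keyed on the <destination, SPI, protocol> triplet, followed by the optional source-address compare Bill describes for SAs that carry a bound source. The `SA`, `Packet` and `SADB` classes and the sample addresses and SPIs are constructed for this example. The point it shows is that ESP's ICV never covers the outer IP header, so a packet with a forged source address but a valid SPI and ICV would pass the triplet lookup alone; binding the SA to a source address and comparing it rejects that packet without changing what ESP authenticates.

```python
"""Toy inbound IPsec SA lookup: triplet match plus optional source-address binding.

Added example; not code from the thread or from Solaris. All SAs, addresses and
SPIs below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SA:
    spi: int
    proto: str           # "ESP" or "AH"
    dst: str             # destination address the inbound SA is keyed on
    src: Optional[str]   # bound source address, or None if the SA has none


@dataclass(frozen=True)
class Packet:
    src: str             # outer IP source address (not covered by the ESP ICV)
    dst: str
    proto: str
    spi: int


class SADB:
    """Inbound SADB indexed by the <dst, SPI, protocol> triplet the thread cites."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[str, int, str], SA] = {}

    def add(self, sa: SA) -> None:
        self._table[(sa.dst, sa.spi, sa.proto)] = sa

    def lookup(self, pkt: Packet) -> Optional[SA]:
        # Standard selection: destination address + SPI + security protocol.
        return self._table.get((pkt.dst, pkt.spi, pkt.proto))


def inbound_check(sadb: SADB, pkt: Packet) -> Tuple[str, str]:
    """Return ("accept"|"drop", reason) for an inbound packet.

    Step 1 is the triplet lookup. Step 2 is the extra compare: if the SA is
    bound to a source address, the packet's source must equal it. The compare
    is skipped when the SA has no bound source ("if it has one").
    """
    sa = sadb.lookup(pkt)
    if sa is None:
        return ("drop", "no SA for <dst, SPI, proto>")
    if sa.src is not None and pkt.src != sa.src:
        return ("drop", "packet source %s != SA source %s" % (pkt.src, sa.src))
    if sa.src is None:
        return ("accept", "triplet matched; SA has no bound source")
    return ("accept", "triplet matched; source address matches SA binding")


def build_sample_sadb() -> SADB:
    """Constructed SADB: one ESP SA bound to a source, one with no binding."""
    sadb = SADB()
    sadb.add(SA(spi=0x1001, proto="ESP", dst="10.0.0.2", src="10.0.0.1"))
    sadb.add(SA(spi=0x2002, proto="ESP", dst="10.0.0.2", src=None))
    return sadb


if __name__ == "__main__":
    sadb = build_sample_sadb()
    samples = [
        Packet("10.0.0.1", "10.0.0.2", "ESP", 0x1001),   # genuine peer
        Packet("10.0.0.99", "10.0.0.2", "ESP", 0x1001),  # forged outer source
        Packet("10.0.0.99", "10.0.0.2", "ESP", 0x2002),  # SA without binding
        Packet("10.0.0.1", "10.0.0.2", "AH", 0x1001),    # wrong protocol
    ]
    for p in samples:
        verdict, why = inbound_check(sadb, p)
        print("%-8s src=%-10s spi=0x%04x %s: %s" % (p.proto, p.src, p.spi, verdict, why))
```

The second sample packet is the case the thread is about: the triplet matches, and nothing in the ESP ICV would catch a changed outer source, so only the SA binding rejects it. The third packet shows that an SA without a bound source accepts any source, which is the behaviour the quoted poster describes as the standard lookup.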

