
Re: Why can't ESP authenticate IP header?



At 4:22 PM -0700 9/21/01, Pravin Kantak wrote:
>At 06:18 PM 9/21/01 -0400, Bill Sommerfeld wrote:
>>  > How can it provide "data origin authentication" in transport mode?
>>
>>By allowing SA's to have a source address attribute and checking this
>>on receipt (as suggested by Steve Bellovin a long time ago).
>>
>>You don't need to include the source address in the hash function if
>>you do a literal compare between the packet source address and the
>>source address of the SA.
>
>         bill, i hope you are talking AH. afaik, ESP processing does 
>not include the source IP address in hash function. IPSec standard 
>does not talk about comparing packet source IP address and SA source 
>IP address. it mentions comparing packet's  "destination address + 
>SPI + security protocol" against same triplet in SADB.

Look at 5.2.1 in RFC 2401. That text specifies the matching of the 
header info in the received (decrypted) packet against the SPD entry 
associated with the SA in question. Your reference above is for SA 
selection at a receiver, not checking of the inbound packet for 
consistency with the SA selectors.

Steve
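The two distinct steps under discussion, SA selection by the (destination, SPI, protocol) triplet and then the RFC 2401 5.2.1 check of the decrypted packet's header against the selectors bound to that SA, as an added illustration that is not part of this thread. The SAD contents and addresses are constructed; the selector set and the accept/drop strings are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class SelectorSet:
    # SPD selectors bound to an inbound SA; None means "any protocol".
    src: str
    dst: str
    proto: Optional[int] = None

@dataclass(frozen=True)
class InboundSA:
    spi: int
    protocol: str        # "ESP" or "AH"
    dst: str             # destination address the SA was negotiated for
    selectors: SelectorSet

# Constructed sample SAD: one inbound ESP SA keyed by (dst, SPI, protocol).
SAD = {
    (ip_address("192.0.2.10"), 0x1000, "ESP"): InboundSA(
        spi=0x1000, protocol="ESP", dst="192.0.2.10",
        selectors=SelectorSet(src="198.51.100.0/24", dst="192.0.2.10/32", proto=6),
    ),
}

def lookup_sa(outer_dst: str, spi: int, protocol: str) -> Optional[InboundSA]:
    """Step 1: SA selection at the receiver by the (dst, SPI, protocol) triplet."""
    return SAD.get((ip_address(outer_dst), spi, protocol))

def check_selectors(sa: InboundSA, src: str, dst: str, proto: int) -> bool:
    """Step 2 (RFC 2401 5.2.1): after decryption, the packet's header must
    match the selectors of the SA it arrived on, source address included."""
    sel = sa.selectors
    if ip_address(src) not in ip_network(sel.src):
        return False
    if ip_address(dst) not in ip_network(sel.dst):
        return False
    if sel.proto is not None and proto != sel.proto:
        return False
    return True

def process_inbound(outer_dst: str, spi: int, protocol: str,
                    src: str, dst: str, proto: int) -> str:
    """Returns the disposition of an inbound packet once its payload is decrypted."""
    sa = lookup_sa(outer_dst, spi, protocol)
    if sa is None:
        return "drop: no SA"
    if not check_selectors(sa, src, dst, proto):
        return "drop: selector mismatch"
    return "accept"
```

Note that the source-address check passes or fails on a literal comparison with the SA's selector, so a forged source address is rejected without the address ever entering the ESP integrity check.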

