
Re: Why can't ESP authenticate IP header?



 In your previous mail you wrote:

   We bind the SA to the source address.
   
   repeating myself:
   
   We do a COMPARE between the packet's source address and the SA's
   source address (if it has one).
   
=> this is in RFC 2401 5.2.1 step 2 mandatory checks for inbound traffic.
But for tunnel mode, do you perform the check on the right source address,
the wrong one or on both (cf RFC 2401 r.1.2.1 note 3)?

Thanks

Francis.Dupont@enst-bretagne.fr

PS: the thread is about transport mode where there is only one header so
one source address (which MUST be checked against the SA selector which
can be a wildcard).

