
Re: Why can't ESP authenticate IP header?



 In your previous mail you wrote:

   The use of IPsec I referred to was precisely for point-to-point
  router authentication and integrity and is used in lieu of the TCP MD5
  checksum hack, since that hack is not cryptographically strong and
  since it lacks an automated key management protocol.
   
=> the main drawback of the MD5 checksum hack is that this doesn't
provide a defense against TCP RST attacks (or any attacks at layer 3).
IMHO now IPsec is available on routers so you should consider switching
from MD5 checksum hacks to IPsec. We proposed this for IPv6 routers
(which are supposed to get IPsec with IPv6 :-): there was a proposal
to make AH mandatory for BGP in the 6-bone many years ago.

Thanks

Francis.Dupont@enst-bretagne.fr

