
Re: Why can't ESP authenticate IP header?




Doesn't this make multi homing problematic,
especially for transport mode? It implies that I
have to have an established SA for each interface
since the *real* security binding is the three
tuple of (src-ip, identity (via spi), key). This
sort of sucks.

In fact, I'll bet what's really lurking here is
the desire to have application layer cross
checking since what you're effectively doing is
providing a (weak) check to filter out
authenticated but unauthorized traffic (i.e.,
filtering crypto protected source spoofing).

		 Mike


Dan McDonald writes:
 > Consider this way-out corner case:
 > 
 > 	- I have an inbound AH SA <dst=me, spi=0x9999, src = weirdo>
 > 
 > 	- Machine "weirdo" sends me an IP datagram with src=other-guy, dst=me
 > 	  with AH, and the cryptography checks out.
 > 
 > 	- Because my inbound SA has src = weirdo, I reject the inbound AH
 > 	  SA at SA lookup time.
 > 
 > If you have a need for a multi-sender SA (e.g. multicast), you should set src
 > = INADDR{,6}_ANY on your SAs.
 > 
 > > What confuses me is that ESP provides authentication similar to AH, but does 
 > > it in a different way.
 > 
 > Yes it is confusing.  (There's much historical weirdness as to how this came
 > about.)
 > 
 > Dan
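
The SA lookup discussed in this message, as an added example that is not code from either poster or from any IPsec implementation. It assumes IPv4 only and a linear table; `struct sa`, `sad_lookup`, `SRC_ANY` and all addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SRC_ANY 0u  /* wildcard source, same value as INADDR_ANY */

/* One inbound SA: the <dst, spi, src> triple from the thread (hypothetical layout). */
struct sa { uint32_t dst, spi, src; };

/* Constructed addresses from documentation ranges, host byte order. */
#define ME        0xC0000201u  /* 192.0.2.1 */
#define WEIRDO    0xC6336407u  /* 198.51.100.7 */
#define WEIRDO_B  0xCB007107u  /* 203.0.113.7, weirdo's second interface */
#define OTHER_GUY 0xC6336409u  /* 198.51.100.9 */

/* Find the inbound SA for a packet. NULL means the packet is rejected at
 * SA lookup time, whatever its integrity check would have said. */
const struct sa *sad_lookup(const struct sa *sad, size_t n,
                            uint32_t pkt_src, uint32_t pkt_dst, uint32_t spi)
{
    for (size_t i = 0; i < n; i++) {
        if (sad[i].dst != pkt_dst || sad[i].spi != spi)
            continue;
        /* The source check: exact match, or a multi-sender (wildcard) SA. */
        if (sad[i].src == SRC_ANY || sad[i].src == pkt_src)
            return &sad[i];
    }
    return NULL;
}

/* Strict SA bound to weirdo, and the same SA with a wildcard source. */
static const struct sa strict_sad[] = { { ME, 0x9999, WEIRDO } };
static const struct sa multi_sad[]  = { { ME, 0x9999, SRC_ANY } };

int main(void)
{
    const uint32_t senders[] = { WEIRDO, OTHER_GUY, WEIRDO_B };
    const char *names[] = { "weirdo", "other-guy", "weirdo (2nd interface)" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s strict: %-6s wildcard: %s\n", names[i],
               sad_lookup(strict_sad, 1, senders[i], ME, 0x9999) ? "accept" : "reject",
               sad_lookup(multi_sad, 1, senders[i], ME, 0x9999) ? "accept" : "reject");
    return 0;
}
```

With the strict SA, traffic from the multihomed peer's second address is rejected just like the spoofed source; the wildcard SA accepts both, so the source filter is gone for every holder of the key.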

