
Re: Why can't ESP authenticate IP header?



 In your previous mail you wrote:
   
   Doesn't this make multi homing problematic,
   especially for transport mode?

=> yes for transport mode, but it should not for tunnel mode
(RFC 2401 specifies clearly that the *outer* source address should
*not* be checked).

   It implies that I
   have to have an established SA for each interface
   since the *real* security binding is the three
   tuple of (src-ip, identity (via spi), key). This
   sort of sucks.
   
=> note that the issue is symmetrical, i.e. if the destination is
multi-homed then you have to use several SAs, or add address sets
to valid selectors, or implement something based on names (this is
in RFC 2401 but I have never seen a concrete implementation of this for the SADB).
So multi-homing is like mobility: it doesn't live in a pleasant way
together with IPsec today...

Regards

Francis.Dupont@enst-bretagne.fr
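As an added illustration (not part of the original thread), the following Python model assumes a simplified SAD keyed on (destination address, SPI) with one source-address selector per SA; it shows why a multi-homed peer needs one transport-mode SA per sending address, while a single tunnel-mode SA still matches when only the inner packet, not the outer source, is checked against the selector. Authentication and anti-replay processing are left out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SA:
    spi: int
    dst: str                 # local address the SA was negotiated for
    mode: str                # "transport" or "tunnel"
    sel_src: frozenset       # source-address selector of the SA

@dataclass(frozen=True)
class Packet:
    src: str                 # outer source address (interface actually used)
    dst: str
    spi: int
    inner_src: Optional[str] = None   # set only for tunnel-mode (encapsulated) packets

def lookup(sad: dict, pkt: Packet) -> Optional[SA]:
    """Inbound SA lookup keyed on (destination address, SPI), as in RFC 2401."""
    return sad.get((pkt.dst, pkt.spi))

def inbound_ok(sad: dict, pkt: Packet) -> bool:
    """Does the packet match an SA *and* that SA's source-address selector?"""
    sa = lookup(sad, pkt)
    if sa is None:
        return False
    if sa.mode == "transport":
        # Transport mode: the protected header is the outer header, so its
        # source must satisfy the selector. A peer sending from a second
        # interface therefore needs a second SA.
        return pkt.src in sa.sel_src
    # Tunnel mode: the outer source is not checked; the selector is applied
    # to the decapsulated inner packet only.
    return pkt.inner_src in sa.sel_src

def demo() -> dict:
    """Constructed scenario: peer is multi-homed (10.0.0.1, 10.0.1.1); we are 192.0.2.1."""
    sad = {
        ("192.0.2.1", 0x100): SA(0x100, "192.0.2.1", "transport", frozenset({"10.0.0.1"})),
        ("192.0.2.1", 0x200): SA(0x200, "192.0.2.1", "tunnel", frozenset({"10.0.0.1"})),
    }
    return {
        "transport_if1": inbound_ok(sad, Packet("10.0.0.1", "192.0.2.1", 0x100)),
        "transport_if2": inbound_ok(sad, Packet("10.0.1.1", "192.0.2.1", 0x100)),
        "tunnel_if1": inbound_ok(sad, Packet("10.0.0.1", "192.0.2.1", 0x200, inner_src="10.0.0.1")),
        "tunnel_if2": inbound_ok(sad, Packet("10.0.1.1", "192.0.2.1", 0x200, inner_src="10.0.0.1")),
    }
```

Running `demo()` shows the second interface being rejected under the transport-mode SA but accepted under the tunnel-mode SA, which is the asymmetry the reply describes.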
