Re: Why can't ESP authenticate IP header?
In your previous mail you wrote:
Doesn't this make multi homing problematic,
especially for transport mode?
=> yes for transport mode, but it should not for tunnel mode
(RFC 2401 specifies clearly that the *outer* source address should
*not* be checked).
It implies that I
have to have an established SA for each interface
since the *real* security binding is the three
tuple of (src-ip, identity (via spi), key). This
sort of sucks.
=> note that the issue is symmetrical, i.e. if the destination is
multi-homed then you have to use several SAs, add address sets to
the valid selectors, or implement something based on names (this is
in RFC 2401 but I have never seen a concrete implementation of it for the SADB).
So multi-homing is like mobility: it does not live pleasantly
together with IPsec today...
Regards
Francis.Dupont@enst-bretagne.fr
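As an added illustration (not part of the original thread), a toy Python model of inbound SA lookup and selector checking that shows the point made above: the SA is found by (destination address, SPI), a transport-mode SA with a single source selector rejects the same peer's second interface, an address-set selector admits both, and a tunnel-mode SA does not look at the outer source at all. The SA/Packet structures, addresses and SPIs are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SA:
    spi: int
    dst: str                  # inbound SA is found by (dst address, SPI, protocol)
    mode: str                 # "transport" or "tunnel"
    src_selectors: frozenset  # allowed source addresses (an "address set" selector)

@dataclass(frozen=True)
class Packet:
    outer_src: str
    outer_dst: str
    spi: int
    inner_src: Optional[str] = None  # source of the encapsulated header (tunnel mode only)

def inbound_check(sad: dict, pkt: Packet) -> str:
    """Return 'accept' or a reason for dropping the packet (simplified model)."""
    sa = sad.get((pkt.outer_dst, pkt.spi))
    if sa is None:
        return "drop: no SA for (dst, spi)"
    if sa.mode == "transport":
        # The only IP header is the outer one, so its source is what the selector sees.
        src = pkt.outer_src
    else:
        # Tunnel mode: the outer source is not checked; selectors apply to the inner header.
        src = pkt.inner_src
    if src not in sa.src_selectors:
        return f"drop: source {src} not in SA selectors"
    return "accept"

def demo() -> dict:
    gw = "203.0.113.1"                             # our receiving address (constructed)
    peer_a, peer_b = "192.0.2.1", "198.51.100.1"   # the multi-homed peer's two interfaces (constructed)
    one_addr = {(gw, 0x1001): SA(0x1001, gw, "transport", frozenset({peer_a}))}
    addr_set = {(gw, 0x1002): SA(0x1002, gw, "transport", frozenset({peer_a, peer_b}))}
    tunnel = {(gw, 0x1003): SA(0x1003, gw, "tunnel", frozenset({"10.0.0.5"}))}
    return {
        "transport_iface_a": inbound_check(one_addr, Packet(peer_a, gw, 0x1001)),
        "transport_iface_b": inbound_check(one_addr, Packet(peer_b, gw, 0x1001)),
        "transport_addr_set_b": inbound_check(addr_set, Packet(peer_b, gw, 0x1002)),
        "tunnel_iface_a": inbound_check(tunnel, Packet(peer_a, gw, 0x1003, "10.0.0.5")),
        "tunnel_iface_b": inbound_check(tunnel, Packet(peer_b, gw, 0x1003, "10.0.0.5")),
    }
```

Running `demo()` shows only the transport-mode packet from the peer's second interface being dropped; the address-set SA and the tunnel-mode SA accept traffic from either interface.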