Re: Why can't ESP authenticate IP header?
At 11:55 AM -0700 9/22/01, Michael Thomas wrote:
>Doesn't this make multi homing problematic,
>especially for transport mode? It implies that I
>have to have an established SA for each interface
>since the *real* security binding is the three
>tuple of (src-ip, identity (via spi), key). This
>sort of sucks.
>
>In fact, I'll bet what's really lurking here is
>the desire to have application layer cross
>checking since what you're effectively doing is
>providing a (weak) check to filter out
>authenticated but unauthorized traffic (ie,
>filtering crypto protected source spoofing).
>
> Mike
Mike,
I would not characterize this as "application layer cross checking."
Access control is the motivation for this check, and it is consistent
with the principle of least privilege. We have many examples of
systems that have been vulnerable because they made the assumption
that every peer is "trusted." We often hear folks use this sort of
terminology in discussing IPsec SAs. A compliant IPsec
implementation, using the SPD, expresses access control constraints
on all communication that passes through it. The check performed by a
receiver after IPsec processing ensures that no peer can violate the
access control parameters that characterize the SA carrying traffic
from that peer. This is just good security engineering. Yes, the
traffic has passed a cryptographic data origin authentication check,
but a failure to perform this check would undermine the access
control features. Relative to the stated goals, the check is not
"weak;" it is precise.
Steve
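The receiver-side check Steve describes, modelled in Python as an added example (not code from this thread or from any IPsec implementation; the SAD entries, SPIs and addresses are constructed, and the ESP integrity check is assumed to have already run):

```python
"""Model of the post-ESP selector check on inbound traffic (RFC 2401 style).

Constructed example. 'authenticated' stands in for a successful ESP ICV
check; the SPIs, keys and addresses below are made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class InboundSA:
    spi: int
    src_selector: str    # source addresses this SA is permitted to carry
    dst_selector: str    # destination addresses this SA is permitted to carry
    key_id: str          # placeholder for the key; not used by the check


@dataclass(frozen=True)
class Packet:
    spi: int
    authenticated: bool  # outcome of the ESP integrity check (assumed done)
    src: str             # IP source as seen after ESP processing
    dst: str


# Constructed SAD. Peer 203.0.113.5 holds SPI 0x1001 bound to its own address;
# a second interface 203.0.113.9 needs its own SA (or a wider selector), which
# is the multihoming cost Mike raises.
SAD = {
    0x1001: InboundSA(0x1001, "203.0.113.5/32", "192.0.2.10/32", "k1"),
    0x1002: InboundSA(0x1002, "203.0.113.9/32", "192.0.2.10/32", "k2"),
}


def inbound_check(pkt: Packet, sad=SAD) -> str:
    """Return 'accept' or the reason the receiver discards the packet."""
    sa = sad.get(pkt.spi)
    if sa is None:
        return "discard: no SA for SPI"
    if not pkt.authenticated:
        return "discard: integrity check failed"
    # Access-control step: the selectors of the decapsulated packet must fall
    # within those negotiated for the SA. A peer with a valid key for 0x1001
    # is authenticated, but not authorized to inject another source address.
    if ip_address(pkt.src) not in ip_network(sa.src_selector):
        return "discard: source outside SA selector"
    if ip_address(pkt.dst) not in ip_network(sa.dst_selector):
        return "discard: destination outside SA selector"
    return "accept"
```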