Re: data origin authentication

Joern Sierwald <joern@f-secure.com> Tue, 07 May 2002 16:21 UTC

Message-Id: <5.1.0.14.0.20020507171226.03c24ec0@dfintra.f-secure.com>
X-Sender: joern@dfintra.f-secure.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Tue, 07 May 2002 17:20:49 +0200
To: ipsec@lists.tislabs.com
From: Joern Sierwald <joern@f-secure.com>
Subject: Re: data origin authentication
In-Reply-To: <E76F715C0429D5118F2100508BB9EDEE036FE96B@hrtades7.atea.be>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by lists.tislabs.com id LAA10092
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

At 16:29 07.05.2002 +0200, you wrote:
 >Hello All,
 >
 >In RFC 2406 "IP Encapsulating Security Payload", and also in
 >draft-ietf-ipsec-esp-v3-02.txt, I read: "ESP is used to provide
 >confidentiality, data origin authentication, connectionless integrity,
 >an anti-replay service (a form of partial sequence integrity), and limited
 >traffic flow confidentiality. The set of services provided depends on
 >options selected at the time of Security Association (SA) establishment
 >and on the location of the implementation in a network topology."
 >
 >I have been reading more carefully through the RFC (not through the draft
 >yet). Is it correct to say that if ESP is used in transport mode, there is
 >no data origin authentication? I would say this because the IP header,
 >containing the source IP address, is not authenticated. Or am I missing
 >something here?
 >
 >Greetings,
 >
 >Stefan.

I guess you are missing something. You receive an ESP packet. By looking up
<dst IP address, protocol (ESP), SPI> you find the IPsec SA.

Now, since you negotiated the SA for transport mode, the SA data will
contain the remote IP address. The SA entry states "<dst addr 1.2.3.4
(that's us), ESP, SPI 0x61782395>, that should come from 5.6.7.8". And if it
doesn't, you can discard the packet.

Or, to explain it in another way:

Transport mode: src IP address is the same for all packets. Easy to check.
Tunnel mode: src IP addresses (inner header) can vary. Therefore it must be
authenticated.

Jörn
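Added example, not code from this thread: a toy model of the inbound processing Jörn describes, with a constructed SAD keyed on <dst addr, protocol, SPI>, HMAC-SHA1-96 as the assumed integrity algorithm, and the SA's peer address checked against the outer source before a transport-mode packet is accepted. The tunnel-mode entry shows the inner source varying from packet to packet while staying inside the ICV-protected payload.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50  # IP protocol number of ESP

@dataclass(frozen=True)
class SA:
    mode: str        # "transport" or "tunnel"
    peer: str        # remote address the SA was negotiated with
    auth_key: bytes  # integrity key (constructed, not a real key)

@dataclass(frozen=True)
class Packet:
    src: str                         # outer IP source; never covered by the ICV
    dst: str
    proto: int
    spi: int
    seq: int
    payload: bytes                   # ESP payload, treated as opaque here
    icv: bytes                       # HMAC-SHA1-96 over SPI || seq || payload
    inner_src: Optional[str] = None  # decrypted inner header, tunnel mode only

def esp_icv(sa: SA, spi: int, seq: int, payload: bytes) -> bytes:
    # The ESP ICV covers SPI, sequence number and payload, not the outer IP header.
    data = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(sa.auth_key, data, hashlib.sha1).digest()[:12]

def make_packet(sa, src, dst, spi, seq, payload, inner_src=None) -> Packet:
    # Constructed sender side: only a holder of the SA key can produce a valid ICV.
    return Packet(src, dst, ESP, spi, seq, payload, esp_icv(sa, spi, seq, payload), inner_src)

SAD: Dict[Tuple[str, int, int], SA] = {  # constructed SAD, keyed on <dst addr, protocol, SPI>
    ("1.2.3.4", ESP, 0x61782395): SA("transport", "5.6.7.8", b"k-transport"),
    ("1.2.3.4", ESP, 0x00001001): SA("tunnel", "9.9.9.9", b"k-tunnel"),
}

def inbound_check(pkt: Packet, sad: Dict = SAD) -> str:
    sa = sad.get((pkt.dst, pkt.proto, pkt.spi))
    if sa is None:
        return "drop: no SA for <dst, ESP, SPI>"
    if not hmac.compare_digest(pkt.icv, esp_icv(sa, pkt.spi, pkt.seq, pkt.payload)):
        return "drop: ICV mismatch"
    # The SA binds one peer address, so the unauthenticated outer source is checked against it.
    if pkt.src != sa.peer:
        return "drop: outer src %s is not SA peer %s" % (pkt.src, sa.peer)
    if sa.mode == "transport":
        return "accept: origin %s" % pkt.src
    # Tunnel mode: the inner source varies, but it sits inside the ICV-protected payload.
    return "accept: origin %s" % pkt.inner_src
```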