Re: data origin authentication
> I have been reading more carefully through the rfc (not through the draft
> yet). Is it correct to say
> that if ESP is used in transport mode, there is no data origin
> authentication?
No. It's underspecified.
> I would say this because the IP header, containing the source IP
> address is not authenticated. Or am I missing something here?
Implementations often allow a specific source address to be bound to
the SA in transport mode -- if the packet's source doesn't match the
SA source, the packet is dropped. (PF_KEY provides exactly this
mechanism).
memcmp() with a known quantity is a stronger integrity check than
hmac-sha1. ;-)
- Bill
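The receive-side check Bill describes, as an added example that is not code from the thread: an HMAC-SHA1-96 integrity check on the ESP packet followed by a comparison of the outer IP source against the address bound to the SA. The SA table, SPIs, keys and addresses are constructed stand-ins for PF_KEY SA state.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed SA database keyed by SPI. "bound_src" is the single source
# address an implementation may tie to a transport-mode SA; None means
# the SA accepts any source (the underspecified case).
SAD = {
    0x1000: {"key": b"constructed-key-1",
             "bound_src": ipaddress.ip_address("192.0.2.10")},
    0x2000: {"key": b"constructed-key-2", "bound_src": None},
}

ICV_LEN = 12  # RFC 2404 HMAC-SHA1-96: first 96 bits of the HMAC


def icv(key, data):
    """Truncated HMAC-SHA1 integrity check value."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_packet(spi, seq, payload):
    """ESP header (SPI, seq) + payload + ICV, as a sender on SPI would emit."""
    body = struct.pack("!II", spi, seq) + payload
    return body + icv(SAD[spi]["key"], body)


def receive(src_ip, packet):
    """Return (accepted, reason) for an ESP transport-mode packet."""
    if len(packet) < 8 + ICV_LEN:
        return False, "short packet"
    spi, _seq = struct.unpack("!II", packet[:8])
    sa = SAD.get(spi)
    if sa is None:
        return False, "no SA for SPI"
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Integrity covers the ESP header and payload only, not the IP header.
    if not hmac.compare_digest(tag, icv(sa["key"], body)):
        return False, "bad ICV"
    # The IP source is outside the ICV, so origin authentication comes from
    # comparing it against the address bound to the (authenticated) SA.
    if sa["bound_src"] is not None and \
            ipaddress.ip_address(src_ip) != sa["bound_src"]:
        return False, "source does not match SA"
    return True, "ok"
```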