
Re: data origin authentication



> I have been reading more carefully through the rfc (not through the draft
> yet). Is it correct to say
> that if ESP is used in transport mode, there is no data origin
> authentication?

No.  It's underspecified.

> I would say this because the IP header, containing the source IP
> address is not authenticated.  Or am I missing something here?

Implementations often allow a specific source address to be bound to
the SA in transport mode -- if the packet's source doesn't match the
SA source, the packet is dropped.  (PF_KEY provides exactly this
mechanism).

memcmp() with a known quantity is a stronger integrity check than
hmac-sha1. ;-)

						- Bill
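The check Bill describes, a per-SA source-address binding enforced on inbound transport-mode ESP, as an added example that is not part of the original thread and not taken from PF_KEY or any real IPsec stack. The SA table layout (`inbound_sa`), the all-zero "unbound" convention, the verdict codes and the sample entries are all constructed for this illustration. The point it shows is that the ESP ICV does not cover the outer IP header in transport mode, so the stack must compare the packet's source against the address recorded in the SA itself, which is where the memcmp() remark comes from:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified inbound SA entry, constructed for this example. */
typedef struct {
    uint32_t spi;      /* Security Parameter Index carried in the ESP header */
    uint8_t  dst[4];   /* destination address the SA was set up for */
    uint8_t  src[4];   /* bound source address; all-zero means "not bound" */
} inbound_sa;

/* Outcome of SA lookup plus origin check. */
enum sa_verdict { SA_ACCEPT = 0, SA_NO_SA = 1, SA_SRC_MISMATCH = 2 };

static const uint8_t ANY_SRC[4] = {0, 0, 0, 0};

/* Look up the SA by (SPI, destination). If the SA carries a bound source,
 * require the outer IP header's source to match it byte for byte; the ESP
 * integrity check alone says nothing about that header in transport mode. */
enum sa_verdict check_inbound(const inbound_sa *table, size_t n,
                              uint32_t spi, const uint8_t dst[4],
                              const uint8_t src[4])
{
    for (size_t i = 0; i < n; i++) {
        if (table[i].spi != spi || memcmp(table[i].dst, dst, 4) != 0)
            continue;                       /* not this SA */
        if (memcmp(table[i].src, ANY_SRC, 4) != 0 &&
            memcmp(table[i].src, src, 4) != 0)
            return SA_SRC_MISMATCH;         /* bound source, packet disagrees */
        return SA_ACCEPT;
    }
    return SA_NO_SA;                        /* no SA for this SPI/destination */
}

/* Constructed sample table: SPI 0x1001 is bound to 10.0.0.2, 0x1002 is unbound. */
static const inbound_sa SAMPLE_TABLE[] = {
    { 0x1001, {10, 0, 0, 1}, {10, 0, 0, 2} },
    { 0x1002, {10, 0, 0, 1}, { 0, 0, 0, 0} },
};
static const size_t SAMPLE_TABLE_LEN = sizeof SAMPLE_TABLE / sizeof SAMPLE_TABLE[0];

/* Run the check against the sample table for a packet addressed to 10.0.0.1. */
enum sa_verdict demo_check(uint32_t spi, const uint8_t src[4])
{
    static const uint8_t dst[4] = {10, 0, 0, 1};
    return check_inbound(SAMPLE_TABLE, SAMPLE_TABLE_LEN, spi, dst, src);
}

int main(void)
{
    static const uint8_t good[4] = {10, 0, 0, 2};
    static const uint8_t other[4] = {192, 168, 1, 9};
    printf("bound SA, matching source: %d\n", demo_check(0x1001, good));
    printf("bound SA, other source:    %d\n", demo_check(0x1001, other));
    printf("unbound SA, any source:    %d\n", demo_check(0x1002, other));
    printf("unknown SPI:               %d\n", demo_check(0x1003, good));
    return 0;
}
```

The unbound entry shows the underspecified case from the reply: with no source recorded in the SA, the stack has nothing to compare against and a packet from any address that carries a valid ICV is accepted, which is exactly why the binding has to be configured per SA rather than assumed.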