
RE: data origin authentication



Hello All,

(As you all might guess, I am quite new to this stuff).

See my question(s) below

> -----Original Message-----
> From: Henry Spencer [mailto:henry@spsystems.net]
> Sent: Tuesday 7 May 2002 17:33
> To: Goeman Stefan
> Cc: 'ipsec@lists.tislabs.com'
> Subject: Re: data origin authentication
> 
> 
> On Tue, 7 May 2002, Goeman Stefan wrote:
> > ...Is it correct to say that if ESP is used in transport mode, there is
> > no data origin authentication? I would say this because the IP header,
> > containing the source IP address, is not authenticated.
> 
> Not really correct.  Yes, the header may be tampered with... but the
> origin of the *data* (the packet contents) is still certain, because only
> someone knowing the authentication key can generate a packet which will
> pass authentication.
> 
> The header is just the means by which the data is conveyed to the
> destination.  Usually, one cares about authenticating the contents, not
> the header.
> 
> Henry Spencer                                  henry@spsystems.net
> 

If you don't really need to authenticate the header to obtain data origin
authentication, why does AH (RFC 2402) also authenticate the IP header,
and not only the IP payload?

Anyway, thanks for answering all my (stupid?) questions.


Greetings,

Stefan.
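A toy model of what the two integrity checks cover, added here to illustrate Henry's point and Stefan's follow-up question (this is not code from the thread). The key, addresses, SPIs and payload are constructed; the mutable-field zeroing follows the AH rules in RFC 2402, and the HMAC is truncated to 96 bits as both protocols commonly do.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-integrity-key"   # constructed; stands in for the SA's integrity key

def ipv4_header(src, dst, ttl=64, tos=0):
    """Minimal 20-byte IPv4 header; protocol 50 = ESP, checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 60, 0x1234, 0x4000, ttl, 50, 0, src, dst)

def esp_icv(esp_hdr, payload):
    """ESP: the ICV covers SPI/sequence plus the (encrypted) payload and trailer, never the IP header."""
    return hmac.new(KEY, esp_hdr + payload, hashlib.sha256).digest()[:12]

def ah_icv(ip_hdr, ah_hdr, payload):
    """AH (RFC 2402): ICV over the IP header with mutable fields zeroed, the AH header with its ICV zeroed, and the payload."""
    z = bytearray(ip_hdr)
    z[1] = 0                     # TOS
    z[6:8] = b"\x00\x00"         # flags + fragment offset
    z[8] = 0                     # TTL (decremented by every router)
    z[10:12] = b"\x00\x00"       # header checksum (recomputed per hop)
    return hmac.new(KEY, bytes(z) + ah_hdr + bytes(12) + payload, hashlib.sha256).digest()[:12]

def esp_verify(ip_hdr, esp_hdr, payload, tag):
    # ip_hdr is deliberately ignored: ESP says nothing about who sent the *header*.
    return hmac.compare_digest(esp_icv(esp_hdr, payload), tag)

def ah_verify(ip_hdr, ah_hdr, payload, tag):
    return hmac.compare_digest(ah_icv(ip_hdr, ah_hdr, payload), tag)

def verify_after_tamper():
    """Receiver-side outcome for a spoofed source address, a TTL decrement and an altered payload."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"constructed payload: GET /status"
    esp_hdr = struct.pack("!II", 0x1000, 1)            # SPI, sequence number
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, 0x2000, 1)  # next hdr TCP, len, reserved, SPI, seq
    hdr = ipv4_header(src, dst)
    esp_tag, ah_tag = esp_icv(esp_hdr, payload), ah_icv(hdr, ah_hdr, payload)
    spoofed = ipv4_header(bytes([192, 0, 2, 99]), dst)  # source address rewritten in flight
    hopped = ipv4_header(src, dst, ttl=63)              # legitimate router hop
    altered = payload[:-1] + b"!"                       # one payload byte changed
    return {
        "esp_passes_with_spoofed_src": esp_verify(spoofed, esp_hdr, payload, esp_tag),
        "ah_passes_with_spoofed_src": ah_verify(spoofed, ah_hdr, payload, ah_tag),
        "ah_passes_after_ttl_decrement": ah_verify(hopped, ah_hdr, payload, ah_tag),
        "esp_passes_with_altered_payload": esp_verify(hdr, esp_hdr, altered, esp_tag),
        "ah_passes_with_altered_payload": ah_verify(hdr, ah_hdr, altered, ah_tag),
    }
```

Calling `verify_after_tamper()` shows ESP still accepting the packet with a rewritten source address (the data's origin is proven, the header's is not), while AH rejects it yet tolerates the TTL decrement because that field is excluded from its ICV.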