
Re: data origin authentication





>>>>> "Goeman" == Goeman Stefan <Stefan.Goeman@siemens.atea.be> writes:
    Goeman> I have been reading more carefully through the RFC (not through
    Goeman> the draft yet). Is it correct to say that if ESP is used in
    Goeman> transport mode, there is no data origin authentication? I would
    Goeman> say this because the IP header, containing the source IP address,
    Goeman> is not authenticated.  Or am I missing something here?

  The IP address is not authenticated. The IP address is just one expression
of the origin.

  Origin authentication is provided by the relationship to the trust model
that created the SA. And, as Steve Bellovin has pointed out, you could
essentially throw away the origin IP anyway, and use the SA to provide
the actual numerical origin.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
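To illustrate the point above in code: the added example below (mine, not from the thread or any IPsec implementation) models a receiver that identifies the SA by SPI, checks an HMAC integrity check value computed over the ESP header and payload only, and reports the origin as the peer identity bound to that SA. The SA table, keys, SPI, addresses and payload are all constructed; the outer source IP is deliberately not an input to the verdict.

```python
import hmac
import hashlib
import struct

# Constructed SA table (hypothetical): SPI -> integrity key and the peer identity
# that the trust model (e.g. IKE) bound to this SA when it was created.
SA_TABLE = {
    0x1001: {"key": b"constructed-sa-key-0x1001", "peer": "host-a.example (from SA)"},
}
ICV_LEN = 12  # HMAC-SHA1-96 truncation, as ESP integrity algorithms commonly use


def build_esp_packet(spi, seq, payload, key):
    """Simplified ESP: SPI | SEQ | payload | ICV; the ICV covers SPI, SEQ and payload only."""
    esp = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, esp, hashlib.sha1).digest()[:ICV_LEN]
    return esp + icv


def authenticate_origin(src_ip, esp_packet):
    """Return the authenticated origin of an ESP packet, or None if verification fails.

    src_ip is the outer IP header source. It is not covered by the ICV, so it is
    accepted as a parameter only to show that it plays no role in the verdict.
    """
    if len(esp_packet) < 8 + ICV_LEN:
        return None
    spi, _seq = struct.unpack("!II", esp_packet[:8])
    sa = SA_TABLE.get(spi)
    if sa is None:
        return None  # no SA for this SPI: nothing vouches for the sender
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(sa["key"], body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None  # ICV mismatch: packet was not produced by the SA's key holder
    return sa["peer"]  # origin comes from the SA, not from the IP header


def demo():
    """Show that the SA, not the outer source address, is what gets authenticated."""
    pkt = build_esp_packet(0x1001, 1, b"constructed payload", SA_TABLE[0x1001]["key"])
    genuine = authenticate_origin("192.0.2.10", pkt)
    other_src = authenticate_origin("198.51.100.77", pkt)  # different outer source, same verdict
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01  # flip one payload bit: ICV no longer verifies
    tampered_result = authenticate_origin("192.0.2.10", bytes(tampered))
    return genuine, other_src, tampered_result
```

Running demo() returns the SA's peer identity for both outer source addresses and None for the tampered packet, which is the sense in which ESP transport mode does provide data origin authentication even though the IP header itself is unprotected.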

