
RE: data origin authentication



On Tue, 7 May 2002, Goeman Stefan wrote:
> > Usually, one cares about authenticating the contents, not the header. 
> 
> If you don't really need to authenticate the header to obtain data origin
> authentication, why does AH (RFC 2402) also authenticate the IP header,
> and not only the IP payload?

Well, you'll note that I said "usually".  There are situations where you
would like to be able to trust certain items in the header.  For example,
in multicast applications, the source address may not be uniquely
determined by the SA used, and might be significant to the user-level code.

That said, there are many people who think that this feature of AH was
a design mistake, and that the entire AH protocol is now superfluous and
should be removed from IPsec and reclassified as Historic.  (There are
other people who disagree.)

                                                          Henry Spencer
                                                       henry@spsystems.net
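The difference the two messages are arguing about, as an added example that is not part of the original thread: a toy computation of what an AH-style ICV covers versus an ESP-style ICV. Per RFC 2402 the AH ICV is computed over the IP header with its mutable fields (TOS, flags/fragment offset, TTL, header checksum) zeroed, so the source and destination addresses are authenticated while a router's TTL decrement does not break verification; an ESP ICV covers only the ESP header and payload, so nothing in the outer IP header is protected. The key, SPI, sequence number, addresses and payload below are constructed for the demonstration, HMAC-SHA1-96 (RFC 2404) is used as the ICV, and this is not a real IPsec implementation.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed example values; a real SA carries a negotiated key, SPI and counter.
KEY = b"constructed-example-key-0000"
SPI = 0x1000
SEQ = 1
PROTO_UDP = 17
PROTO_AH = 51


def ipv4_header(src, dst, ttl, total_length, proto, tos=0, ident=0, flags_frag=0):
    """Build a 20-byte IPv4 header (checksum left as zero; it is a mutable field
    and gets zeroed for the ICV anyway)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, tos, total_length, ident, flags_frag, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def zero_mutable_fields(header):
    """Zero the IPv4 fields RFC 2402 classifies as mutable in transit: TOS,
    flags + fragment offset, TTL and header checksum.  Version/IHL, total
    length, identification, protocol and both addresses stay in place and are
    therefore covered by the AH ICV."""
    b = bytearray(header)
    b[1] = 0              # TOS
    b[6:8] = b"\x00\x00"  # flags + fragment offset
    b[8] = 0              # TTL
    b[10:12] = b"\x00\x00"  # header checksum
    return bytes(b)


def ah_icv(header, payload):
    """AH ICV: HMAC over (header with mutable fields zeroed) + AH header with
    the ICV field zeroed + payload.  With a 12-byte ICV the AH header is 24
    bytes, so the RFC 2402 Payload Len field is 24/4 - 2 = 4."""
    ah_hdr = struct.pack("!BBHII", PROTO_UDP, 4, 0, SPI, SEQ) + bytes(12)
    data = zero_mutable_fields(header) + ah_hdr + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def esp_icv(header, payload):
    """ESP ICV (RFC 2406 with authentication): HMAC over ESP header + payload
    + trailer.  `header` is accepted only to keep the signature parallel to
    ah_icv; ESP deliberately authenticates nothing in the outer IP header."""
    del header
    esp_hdr = struct.pack("!II", SPI, SEQ)
    trailer = struct.pack("!BB", 0, PROTO_UDP)  # pad length, next header
    return hmac.new(KEY, esp_hdr + payload + trailer, hashlib.sha1).digest()[:12]


def compare_coverage():
    """Return which header modifications each protocol's ICV detects, using a
    multicast destination as in the reply's example."""
    payload = b"constructed multicast datagram"
    total_len = 20 + 24 + len(payload)
    original = ipv4_header("192.0.2.10", "224.0.1.1", ttl=64,
                           total_length=total_len, proto=PROTO_AH)
    ah = ah_icv(original, payload)
    esp = esp_icv(original, payload)

    # A router decrements TTL: legitimate, and must not break verification.
    ttl_changed = ipv4_header("192.0.2.10", "224.0.1.1", ttl=63,
                              total_length=total_len, proto=PROTO_AH)
    # Someone rewrites the source address, the field the multicast case relies on.
    src_changed = ipv4_header("198.51.100.7", "224.0.1.1", ttl=64,
                              total_length=total_len, proto=PROTO_AH)

    return {
        "ah_detects_ttl_change": not hmac.compare_digest(ah_icv(ttl_changed, payload), ah),
        "ah_detects_src_change": not hmac.compare_digest(ah_icv(src_changed, payload), ah),
        "esp_detects_src_change": not hmac.compare_digest(esp_icv(src_changed, payload), esp),
    }


if __name__ == "__main__":
    for name, detected in compare_coverage().items():
        print(f"{name}: {detected}")
```

Running it shows the trade-off both sides of the thread are describing: AH tolerates the TTL decrement but catches the source-address rewrite, while ESP, which never looks at the outer header, accepts the rewritten source address as long as the payload is intact. Whether that header coverage is worth a second protocol is exactly the "AH is superfluous" argument.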