Re: data origin authentication

Bill Sommerfeld <sommerfeld@east.sun.com> Tue, 07 May 2002 16:22 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g47GMsL00659; Tue, 7 May 2002 09:22:54 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA10239 Tue, 7 May 2002 11:43:45 -0400 (EDT)
Message-Id: <200205071553.g47FrWKw027550@thunk.east.sun.com>
From: Bill Sommerfeld <sommerfeld@east.sun.com>
To: Goeman Stefan <Stefan.Goeman@siemens.atea.be>
cc: "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
Subject: Re: data origin authentication
In-Reply-To: Your message of "Tue, 07 May 2002 16:29:53 +0200." <E76F715C0429D5118F2100508BB9EDEE036FE96B@hrtades7.atea.be>
Reply-to: sommerfeld@east.sun.com
Date: Tue, 07 May 2002 11:53:31 -0400
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

> I have been reading more carefully through the RFC (not through the draft
> yet). Is it correct to say
> that if ESP is used in transport mode, there is no data origin
> authentication?

No.  It's underspecified.

> I would say this because the IP header, containing the source IP
> address is not authenticated.  Or am I missing something here?

Implementations often allow a specific source address to be bound to
the SA in transport mode -- if the packet's source doesn't match the
SA source, the packet is dropped.  (PF_KEY provides exactly this
mechanism).

memcmp() with a known quantity is a stronger integrity check than
hmac-sha1. ;-)

						- Bill
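The source-address binding Bill describes, as an added illustration written for this archive page (not code from any IPsec implementation or from PF_KEY): an inbound transport-mode ESP packet is matched to its SA by SPI and destination address, and its outer IP source is then compared with the source the SA was bound to. The addresses, SPIs and SA table are constructed, and ICV verification is assumed to have already succeeded, since the ICV alone says nothing about the unprotected IP header.

```python
import ipaddress
import struct

ESP_PROTO = 50

# Constructed inbound SA table (hypothetical values), keyed by (SPI, dst).
# "bound_src" is the peer address the SA is tied to; None models an SA
# that was set up without a source binding (the underspecified case).
SA_TABLE = {
    (0x00001234, "10.0.0.2"): {"bound_src": "10.0.0.1"},
    (0x00005678, "10.0.0.2"): {"bound_src": None},
}


def parse_ipv4_esp(pkt: bytes):
    """Return (src, dst, spi) from a minimal IPv4 header followed by ESP."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    if pkt[9] != ESP_PROTO:            # protocol field
        raise ValueError("not an ESP packet")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    spi = struct.unpack("!I", pkt[ihl:ihl + 4])[0]   # ESP header starts with SPI
    return src, dst, spi


def inbound_verdict(pkt: bytes, sa_table=SA_TABLE) -> str:
    """Decide what happens to an inbound packet whose ICV already checked out."""
    src, dst, spi = parse_ipv4_esp(pkt)
    sa = sa_table.get((spi, dst))
    if sa is None:
        return "drop: no SA"
    bound = sa["bound_src"]
    if bound is None:
        # ESP in transport mode does not cover the IP header, so nothing
        # here proves who sent the packet.
        return "accept: origin unverified"
    if src != bound:
        # Bill's memcmp() with a known quantity: the packet's source must
        # equal the address bound to the SA or the packet is dropped.
        return "drop: source mismatch"
    return "accept: origin matches SA"


def build_packet(src: str, dst: str, spi: int) -> bytes:
    """Constructed 20-byte IPv4 header + 8-byte ESP header (SPI, seq); no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ESP_PROTO, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!II", spi, 1)
```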