Re: AH (without ESP) on a secure gateway

Ran Atkinson <rja@cisco.com> Wed, 04 December 1996 18:43 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA27241 for ipsec-outgoing; Wed, 4 Dec 1996 13:43:11 -0500 (EST)
Date: Wed, 04 Dec 1996 10:45:09 -0800
From: Ran Atkinson <rja@cisco.com>
Message-Id: <199612041845.KAA01568@cornpuffs.cisco.com>
To: ben@ascend.com
Subject: Re: AH (without ESP) on a secure gateway
In-Reply-To: <199611262230.RAA27739@carp.morningstar.com>
References: <199611261929.OAA01715@thunk.orchard.medford.ma.us>
Organization: cisco Systems
Cc: ipsec@tis.com
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

Earlier, someone (possibly Bill Sommerfeld) wrote:
>> The "policy engines" on each end need to be sophisticated enough to
>> deal with things like this.  In particular, if ip-address based access
>> controls are in use, then the policy engine should probably do
>> consistency checks between the SPI and the source address..

Absolutely true.  Such checks are important to prevent certain kinds of
attacks and have ALWAYS been present in the NRL implementation.

In article <199611262230.RAA27739@carp.morningstar.com> Ben wrote:
>I believe the RFC states that the Security Association(SA) is
>chosen using only the destination address and the SPI.  

Incorrect.  It says that the receiver is capable of locating the SA for the
received packet by using SPI and Destination Address.

Ran
rja@cisco.com