Re: data origin authentication

Henry Spencer <henry@spsystems.net> Tue, 07 May 2002 16:04 UTC

Date: Tue, 07 May 2002 11:33:03 -0400
From: Henry Spencer <henry@spsystems.net>
To: Goeman Stefan <Stefan.Goeman@siemens.atea.be>
cc: "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
Subject: Re: data origin authentication
In-Reply-To: <E76F715C0429D5118F2100508BB9EDEE036FE96B@hrtades7.atea.be>
Message-ID: <Pine.BSI.3.91.1020507112839.10419C-100000@spsystems.net>

On Tue, 7 May 2002, Goeman Stefan wrote:
> ...Is it correct to say
> that if ESP is used in transport mode, there is no data origin
> authentication? I would say this because
> the IP header, containing the source IP address is not authenticated.

Not really correct.  Yes, the header may be tampered with... but the
origin of the *data* (the packet contents) is still certain, because only
someone knowing the authentication key can generate a packet which will
pass authentication.

The header is just the means by which the data is conveyed to the
destination.  Usually, one cares about authenticating the contents, not
the header.

                                                          Henry Spencer
                                                       henry@spsystems.net
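The point made above, as an added example that is not part of the thread: a constructed Python model of ESP transport mode using HMAC-SHA-1-96 (RFC 2404) for the integrity check value, showing that rewriting the IP source address in flight leaves the ICV valid, while changing the payload, or not holding the key, does not. The packet layout, key, addresses and payload are all constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

# Constructed key for the example; a real SA would negotiate this via IKE.
KEY = bytes.fromhex("0b" * 20)


@dataclass(frozen=True)
class TransportEspPacket:
    """Fields of an IPv4 packet carrying ESP in transport mode (assumed layout)."""
    ip_src: str      # IP header: NOT covered by the ESP ICV
    ip_dst: str      # IP header: NOT covered by the ESP ICV
    spi: int         # ESP header: covered
    seq: int         # ESP header: covered
    payload: bytes   # ESP payload: covered (left in the clear to focus on integrity)
    trailer: bytes   # ESP trailer (padding, pad length, next header): covered
    icv: bytes       # integrity check value appended after the trailer


def esp_icv(key: bytes, spi: int, seq: int, payload: bytes, trailer: bytes) -> bytes:
    """HMAC-SHA-1-96 over ESP header, payload and trailer only; the IP header is excluded."""
    authenticated = struct.pack("!II", spi, seq) + payload + trailer
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:12]


def build_packet(key: bytes, ip_src: str, ip_dst: str, spi: int, seq: int, payload: bytes) -> TransportEspPacket:
    pad_len = (-(len(payload) + 2)) % 4          # pad so payload+pad+2 is 4-byte aligned
    pad = bytes(range(1, pad_len + 1))           # RFC 2406 default padding 1,2,3,...
    trailer = pad + bytes([pad_len, 6])          # pad length, next header (6 = TCP)
    return TransportEspPacket(ip_src, ip_dst, spi, seq, payload, trailer,
                              esp_icv(key, spi, seq, payload, trailer))


def verify_transport_esp(key: bytes, pkt: TransportEspPacket) -> bool:
    expected = esp_icv(key, pkt.spi, pkt.seq, pkt.payload, pkt.trailer)
    return hmac.compare_digest(expected, pkt.icv)


def spoof_source(pkt: TransportEspPacket, new_src: str) -> TransportEspPacket:
    """Rewrite the IP source address in flight; the ICV is left untouched."""
    return replace(pkt, ip_src=new_src)


def tamper_payload(pkt: TransportEspPacket) -> TransportEspPacket:
    """Modify the authenticated data; the ICV no longer matches."""
    return replace(pkt, payload=pkt.payload.replace(b"GET", b"PUT"))


# Constructed sample packet (documentation addresses, not real hosts).
PACKET = build_packet(KEY, "192.0.2.10", "198.51.100.20", spi=0x1000, seq=1, payload=b"GET / HTTP/1.0\r\n")
```

The header rewrite still verifies (True), the payload change and a wrong key fail (False); this is why the receiver should bind the SA lookup to SPI and policy rather than to the unauthenticated source address.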