Re: [IPsec] WESP - Roadmap Ahead

[Stephen Kent <kent@bbn.com>]

At 12:11 PM +0100 11/25/09, Daniel Migault wrote:
>Hi Manav,
>
>I agree that for an already negotiated SA, the SPD lookup detects IP 
>source address spoofing. So in that case ESP detects the address 
>spoofing during the SPD check whereas AH would detect it while 
>checking the signature check.
>
>However SAD lookup is done with the longest match rule, and section 
>4.1 of RFC4301 specifies :
>       "3. Search the SAD for a match on only SPI if the receiver has
>          chosen to maintain a single SPI space for AH and ESP, and on
>
>          both SPI and protocol, otherwise."
>
>This seems to enable a ESP or AH datagram with spoofed IP addresses 
>to match the SAD and SPD.

I'm confused at this juncture.  The 4301 inbound processing algorithm 
(section 5.2 in RFC 4310) refers to SAD entries for processing 
IPsec-protected packets; the SPD inbound cache (SPD-I) is used only 
for bypass and discard traffic. So there should be no reference to 
the SPD in the sentence immediately above, right?

Also, you should remind folks that this rule applies only to 
multicast SAs. That's relevant to the OSPFv3 discussion we are 
having, but it seems inconsistent with the comment below of a 
middlebox that changes addresses, i.e., does one really expect to 
encounter a NAT on a link between two routers running OSPF?

I am not criticizing your later comments about AH vs. ESP 
applicability in mobile environments, just trying to keep the various 
arguments straight.

Steve