RE: data origin authentication
Henry Spencer <henry@spsystems.net> Tue, 07 May 2002 18:46 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g47IkkL07064; Tue, 7 May 2002 11:46:46 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA10837 Tue, 7 May 2002 14:01:48 -0400 (EDT)
Date: Tue, 07 May 2002 14:13:46 -0400
From: Henry Spencer <henry@spsystems.net>
To: Goeman Stefan <Stefan.Goeman@siemens.atea.be>
cc: "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
Subject: RE: data origin authentication
In-Reply-To: <E76F715C0429D5118F2100508BB9EDEE036FE96C@hrtades7.atea.be>
Message-ID: <Pine.BSI.3.91.1020507140527.12325C-100000@spsystems.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
On Tue, 7 May 2002, Goeman Stefan wrote:
> > Usually, one cares about authenticating the contents, not the header.
>
> If you don't really need to authenticate the header to obtain data origin
> authentication, why does AH (RFC 2402) also authenticate the IP header,
> and not only the IP payload?
Well, you'll note that I said "usually". There are situations where you
would like to be able to trust certain items in the header. For example,
in multicast applications, the source address may not be uniquely
determined by the SA used, and might be significant to the user-level code.
That said, there are many people who think that this feature of AH was
a design mistake, and that the entire AH protocol is now superfluous and
should be removed from IPsec and reclassified as Historic. (There are
other people who disagree.)
Henry Spencer
henry@spsystems.net
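To make the distinction in the exchange above concrete, here is an added example (not code from the list, the RFC, or any IPsec implementation) that computes an AH-style ICV the way RFC 2402 describes for IPv4: the mutable header fields (TOS, Flags, Fragment Offset, TTL, Header Checksum) are zeroed before the HMAC, everything else in the header, including the source address, is covered. It assumes IPv4 without options, HMAC-SHA1-96 as the integrity algorithm, a constructed key and payload, and a simplified "payload-only" contrast mode (cover_header=False) that stands in for an ICV that does not bind the IP header at all; that mode is an illustration, not ESP's actual wire format. It then shows that a router hop (TTL decrement) still verifies while a rewritten source address does not.

```python
import hashlib
import hmac
import struct

IPPROTO_AH = 51
ICV_LEN = 12               # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN      # fixed AH fields plus the ICV

# Constructed example key for this demonstration; a real SA carries a negotiated key.
KEY = bytes(range(20))


def ipv4_checksum(hdr: bytes) -> int:
    """Ones'-complement checksum; returns 0 when run over a header whose checksum is already correct."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def ipv4_header(src: str, dst: str, total_len: int, proto: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    # ver/IHL, TOS, total len, id, flags+frag (DF set), TTL, proto, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def _fix_checksum(ip_hdr: bytes) -> bytes:
    h = bytearray(ip_hdr)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 2402 3.3.3.1.1.1 (IPv4, no options): TOS, Flags, Fragment Offset, TTL and
    Header Checksum are mutable and zeroed for the ICV. Version, IHL, Total Length,
    Identification, Protocol, Source and Destination Address remain covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_fixed(next_hdr: int, spi: int, seq: int) -> bytes:
    """Next Header, Payload Len (AH length in 32-bit words minus 2), Reserved, SPI, Sequence."""
    return struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)


def compute_icv(key: bytes, ip_hdr: bytes, fixed: bytes, payload: bytes,
                cover_header: bool = True) -> bytes:
    """AH ICV: zeroed-mutable IP header, AH header with ICV zeroed, then payload.
    cover_header=False is the contrast case: an ICV over only what follows the IP header."""
    covered = zero_mutable_fields(ip_hdr) if cover_header else b""
    data = covered + fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_packet(key, src, dst, payload, cover_header=True, spi=0x100, seq=1, next_hdr=17):
    ip_hdr = ipv4_header(src, dst, 20 + AH_LEN + len(payload), IPPROTO_AH)
    fixed = ah_fixed(next_hdr, spi, seq)
    return ip_hdr + fixed + compute_icv(key, ip_hdr, fixed, payload, cover_header) + payload


def verify(key, pkt, cover_header=True):
    ip_hdr, fixed = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, fixed, payload, cover_header))


def router_hop(pkt):
    """What every forwarding router does: decrement TTL, recompute checksum. Both are mutable."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    return _fix_checksum(bytes(h)) + pkt[20:]


def rewrite_source(pkt, new_src):
    """What a NAT or a spoofing middlebox does: change the source address, recompute checksum."""
    h = bytearray(pkt[:20])
    h[12:16] = _addr(new_src)
    return _fix_checksum(bytes(h)) + pkt[20:]


if __name__ == "__main__":
    payload = b"constructed UDP datagram"          # constructed sample payload
    pkt = build_packet(KEY, "10.0.0.1", "10.0.0.2", payload)
    print("AH, untouched:         ", verify(KEY, pkt))
    print("AH, after router hop:  ", verify(KEY, router_hop(pkt)))
    print("AH, source rewritten:  ", verify(KEY, rewrite_source(pkt, "192.0.2.9")))
    weak = build_packet(KEY, "10.0.0.1", "10.0.0.2", payload, cover_header=False)
    print("payload-only ICV, source rewritten:",
          verify(KEY, rewrite_source(weak, "192.0.2.9"), cover_header=False))
```

The router-hop case is why AH has to enumerate mutable fields at all, and the rewritten-source case is the property Henry points to for multicast: with the header covered, the receiver can trust the source address it sees, whereas a payload-only ICV leaves that field to whoever last touched the packet. This is also exactly why AH does not survive NAT.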