Date: Tue, 27 Apr 2004 11:44:22 -0700 From: "Crist J. Clark" <cristjc@comcast.net> To: Greg Troxel <gdt@ir.bbn.com> Cc: Dan Langille <dan@langille.org> Subject: Re: IPsec - got ESP going, but not AH Message-ID: <20040427184422.GA88369@blossom.cjclark.org> In-Reply-To: <rmismeuucl4.fsf@fnord.ir.bbn.com> References: <40885ECF.22456.1C68F42E@localhost> <rmismeuucl4.fsf@fnord.ir.bbn.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Apr 23, 2004 at 08:02:15AM -0400, Greg Troxel wrote:
> While this should probably work, it's more straightforward to use ESP
> with integrity protection. That is, use a -A hmac-sha1 argument also
> to ESP. (hmac-md5 is probably still fine, but sha1 goes better
> strength-wise with rijndael-cbc.)
>
> I believe that in tunnel mode AH and ESP integrity are essentially
> identical - but read RFC2401 and rfc2401bis (i-d from ipsec wg) if you
> really want to understand.
Not true. ESP integrity does not cover the IP header, only the ESP
payload. Look at the diagrams in section 3.1 of RFC2406.
> In transport mode, AH protects parts of
> the original (and only) IP header.
Not true. AH protects the entire datagram, including payload. Again
hop down to section 3.1 of RFC2402 for that RFC-ASCII art we all love
so much.
As for the original problem. I've seen AH problems before. Follow the
"Single IP host and IPsec tunnel mode experience" thread from -hackers
from last year about this time.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040427184422.GA88369>