Date: Wed, 28 Apr 2004 12:31:15 -0400
From: Greg Troxel <gdt@ir.bbn.com>
To: "Crist J. Clark" <cjc@FreeBSD.org>
Cc: Dan Langille <dan@langille.org>
Subject: Re: IPsec - got ESP going, but not AH
Message-ID: <20040428163115.6F0611F69@fnord.ir.bbn.com>
In-Reply-To: Message from "Crist J. Clark" <cristjc@comcast.net> <20040427184422.GA88369@blossom.cjclark.org>
> Date: Tue, 27 Apr 2004 11:44:22 -0700
> From: "Crist J. Clark" <cristjc@comcast.net>
> To: Greg Troxel <gdt@ir.bbn.com>
> Cc: Dan Langille <dan@langille.org>, freebsd-security@FreeBSD.org
> Subject: Re: IPsec - got ESP going, but not AH
> Message-ID: <20040427184422.GA88369@blossom.cjclark.org>
> Reply-To: "Crist J. Clark" <cjc@FreeBSD.org>
> References: <40885ECF.22456.1C68F42E@localhost> <rmismeuucl4.fsf@fnord.ir.bbn.com>
>
> On Fri, Apr 23, 2004 at 08:02:15AM -0400, Greg Troxel wrote:
> > While this should probably work, it's more straightforward to use ESP
> > with integrity protection. That is, use a -A hmac-sha1 argument also
> > to ESP. (hmac-md5 is probably still fine, but sha1 goes better
> > strength-wise with rijndael-cbc.)
> >
> > I believe that in tunnel mode AH and ESP integrity are essentially
> > identical - but read RFC2401 and rfc2401bis (i-d from ipsec wg) if you
> > really want to understand.
>
> Not true. ESP integrity does not cover the IP header, only the ESP
> payload. Look at the diagrams in section 3.1 of RFC2406.

I was a bit off here. AH in tunnel mode does authenticate the outer IP header. But since this header is removed at tunnel egress, and presumably checked against the SPD or SAD entry, an ICV over the outer header fields has little additional value once one checks an ICV over the packet and determines that the packet came from the other SA endpoint.

Whether and how carefully KAME-derived implementations check tunnel headers against SPD/SAD is another story - I have not investigated this.

> > In transport mode, AH protects parts of
> > the original (and only) IP header.
>
> Not true. AH protects the entire datagram, including payload. Again
> hop down to section 3.1 of RFC2402 for that RFC-ASCII art we all love
> so much.

Sorry - I was being too terse. I meant that it protects part of the IP header in addition to the payload (which is also protected by ESP).
Really the point I was trying to make (and did so badly) was that for many uses, ESP with integrity is perfectly adequate and is simpler than AH and ESP together.
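As an added illustration of what each ICV actually covers (a constructed example, not code from the thread or from the KAME stack): a minimal ESP-with-integrity verifier and an AH verifier over a hand-built IPv4 packet, with the outer header then mutated the way a router hop (TTL decrement) or an outer-address rewrite would. The key, SPIs and addresses are made up; HMAC-SHA1 truncated to 96 bits stands in for hmac-sha1 in both cases.

```python
import hashlib
import hmac
import struct

# Constructed demo key and addresses, not real SA material.
KEY = b"\x0b" * 20
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
ESP_HDR = struct.pack("!II", 0x1001, 1)  # SPI, sequence number
INNER = b"\xaa" * 32  # stand-in for the encrypted inner packet

def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)

def esp_icv(esp_hdr, esp_payload):
    """ESP (RFC 2406): HMAC-SHA1-96 over SPI+seq and payload; outer IP header excluded."""
    return hmac.new(KEY, esp_hdr + esp_payload, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr, ah_with_zero_icv):
    """AH (RFC 2402): same HMAC, but also over the IP header with mutable fields zeroed."""
    h = bytearray(ip_hdr)
    for i in (1, 6, 7, 8, 10, 11):  # TOS, flags/fragment offset, TTL, header checksum
        h[i] = 0
    return hmac.new(KEY, bytes(h) + ah_with_zero_icv, hashlib.sha1).digest()[:12]

def build_esp_packet(ttl=64):
    esp = ESP_HDR + INNER + esp_icv(ESP_HDR, INNER)
    return ipv4_header(SRC, DST, 50, ttl, len(esp)) + esp

def verify_esp(pkt):
    body, icv = pkt[20:-12], pkt[-12:]
    return hmac.compare_digest(esp_icv(body[:8], body[8:]), icv)

def build_ah_packet(ttl=64):
    # AH header: next=4 (IP-in-IP, tunnel mode), length=4 words, reserved, SPI, seq, zero ICV
    ah = struct.pack("!BBHII", 4, 4, 0, 0x1002, 1) + b"\0" * 12 + INNER
    ip_hdr = ipv4_header(SRC, DST, 51, ttl, len(ah))
    return ip_hdr + ah[:12] + ah_icv(ip_hdr, ah) + ah[24:]

def verify_ah(pkt):
    ip_hdr, ah = pkt[:20], pkt[20:]
    return hmac.compare_digest(ah_icv(ip_hdr, ah[:12] + b"\0" * 12 + ah[24:]), ah[12:24])

def decrement_ttl(pkt):
    """A router hop: TTL is a mutable field, so neither ICV breaks."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

def rewrite_src(pkt, new_src):
    """An outer source-address rewrite: only AH's ICV covers this field."""
    return pkt[:12] + new_src + pkt[16:]
```

Both verifiers still accept the packet after the TTL decrement, but only the AH check fails when the outer source address changes; the ESP ICV alone says nothing about who the outer header claims sent it, which is why the SPD/SAD check on the SA endpoint matters.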