[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: An architectural draft
Ishibashi san;
> >3.3 IPSEC
> >
> > ESP is purely optional and should be implemented as Protocol 50. SPI
> > works as port numbers for resource reservation (if any). AH is
> > forbidden because its functionality overridden by ESP and its SPI is
> > not located at port number part.
>
>
> If my understanding is correct, integrity check including IP header
> cannot be done with ESP. AH can do that.
An interesting point (on how IPSEC sucks).
First, which part of IP header, do you want to check the integrity?
Once a host receives a packet and delivers it to some application
using SPI (which is why SPI is equivalent to port information), no
information in IP header is no longer necessary and it is too
late to check integrity of information in IP header.
Note that, unlike CIP, SIPA does not have IP options which could
have complex and unpredicatable interaction with IPSEC.
Secondely, it is my understanding of IPSEC that, while a mandatory
transform, DES-CBC, does not provide integrity check (involving IP
headers), other transforms can. And, who use DES, these days?
Masataka Ohta