
Re: An architectural draft



On Wednesday, May 28, 2003, at 16:19 Europe/Amsterdam, Masataka Ohta wrote:

> AH is forbidden because its functionality is overridden by ESP and its
> SPI is not located at the port number part.
>
> If my understanding is correct, an integrity check including the IP
> header cannot be done with ESP. AH can do that.
>
> First, which part of the IP header do you want to check the integrity of?

The source address is something I'd really like to check.

When I get around to it, I plan to write a draft about how ISPs can do proxy IPsec AH processing for their customers to eliminate denial of service traffic.

> Once a host receives a packet and delivers it to some application
> using the SPI (which is why the SPI is equivalent to port information),
> no information in the IP header is necessary any longer and it is too
> late to check the integrity of information in the IP header.

That's why we do AH first and reject the packet if it doesn't check out. Applications are not involved in IPsec, that's the whole point. Otherwise you could just as well use TLS.
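The difference the two posters are arguing about is the scope of the integrity check value. AH (RFC 4302) computes its ICV over the IP header with the mutable fields (DSCP/ECN, flags and fragment offset, TTL, header checksum) zeroed, so a rewritten source address fails the check while a router's TTL decrement does not; ESP's ICV starts at the ESP header and never sees the outer IP header. The following is an added example, not code from the thread or from any IPsec implementation: it models both ICV scopes for IPv4 with HMAC-SHA1-96 (RFC 2404) and shows which modifications each one catches. The key, addresses, SPI and payload are constructed for the demo, and ESP encryption is omitted because only ICV coverage is being illustrated.

```python
import hashlib
import hmac
import struct

# Constructed demo key (assumption, not from the thread).
KEY = bytes(range(20))
AH_PROTO = 51
ESP_PROTO = 50
UDP_PROTO = 17


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """RFC 2404: HMAC-SHA1 truncated to the leftmost 96 bits (12 bytes)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the 20-byte header."""
    s = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int,
                      ttl: int = 64, tos: int = 0, ident: int = 0x1234) -> bytes:
    """Minimal IPv4 header without options; DF set, no fragmentation."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident,
                      0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the mutable IPv4 fields (RFC 4302 sec. 3.3.3.1.1.1) before hashing.
    Everything else, including source and destination address, stays covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(ip_hdr: bytes, spi: int, seq: int, next_hdr: int, payload: bytes) -> bytes:
    """AH ICV: immutable IP header + AH header (ICV field zeroed) + payload."""
    # Payload Length = (AH length in 32-bit words) - 2; 24-byte AH -> 4.
    ah_hdr = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + b"\x00" * 12
    return hmac_sha1_96(KEY, ah_immutable_view(ip_hdr) + ah_hdr + payload)


def esp_icv(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP ICV: SPI + sequence number + (encrypted) payload and trailer.
    The outer IP header is deliberately not part of the input."""
    return hmac_sha1_96(KEY, struct.pack("!II", spi, seq) + ciphertext)


def compare_icv_scopes() -> dict:
    """Send one packet, then check three receiver-side variants of it."""
    src = bytes([192, 0, 2, 1])          # TEST-NET-1, constructed
    dst = bytes([198, 51, 100, 7])       # TEST-NET-2, constructed
    spoof = bytes([203, 0, 113, 9])      # TEST-NET-3, constructed
    payload = b"constructed UDP datagram"
    spi, seq = 0x1000, 1
    total_len = 20 + 24 + len(payload)

    # Sender side: ICV computed over the original header.
    sent_ip = build_ipv4_header(src, dst, AH_PROTO, total_len)
    sent_ah = ah_icv(sent_ip, spi, seq, UDP_PROTO, payload)
    sent_esp = esp_icv(spi, seq, payload)  # encryption omitted; scope only

    # Variant 1: an attacker rewrites the source address in transit.
    spoofed_ip = build_ipv4_header(spoof, dst, AH_PROTO, total_len)
    ah_ok_spoofed = hmac.compare_digest(
        ah_icv(spoofed_ip, spi, seq, UDP_PROTO, payload), sent_ah)

    # Variant 2: a router decrements TTL (mutable field), nothing else changes.
    ttl_ip = build_ipv4_header(src, dst, AH_PROTO, total_len, ttl=57)
    ah_ok_ttl = hmac.compare_digest(
        ah_icv(ttl_ip, spi, seq, UDP_PROTO, payload), sent_ah)

    # Variant 3: same source-address rewrite, but the packet carries ESP.
    # The receiver's ESP check never consumes the IP header, so it passes.
    esp_ok_spoofed = hmac.compare_digest(esp_icv(spi, seq, payload), sent_esp)

    return {
        "ah_rejects_spoofed_source": not ah_ok_spoofed,
        "ah_accepts_ttl_decrement": ah_ok_ttl,
        "esp_rejects_spoofed_source": not esp_ok_spoofed,
    }


if __name__ == "__main__":
    for name, result in compare_icv_scopes().items():
        print(f"{name}: {result}")
```

Run as-is, the AH check rejects the packet with the rewritten source address and accepts the TTL change, while the ESP check accepts the spoofed packet; that is the property the reply relies on when it says AH must be verified before anything else looks at the packet. A real receiver also has to look up the SA by SPI (plus destination address and protocol) before computing the ICV, and must do the sequence-number anti-replay check; both are left out here to keep the scope comparison visible.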