At 12:11 PM +0100 11/25/09, Daniel Migault wrote:
Hi Manav,

I agree that for an already negotiated SA, the SPD lookup detects IP source address spoofing. So in that case ESP detects the address spoofing during the SPD check, whereas AH would detect it while checking the signature.

However, SAD lookup is done with the longest match rule, and section 4.1 of RFC4301 specifies:
      "3. Search the SAD for a match on only SPI if the receiver has
         chosen to maintain a single SPI space for AH and ESP, and on
         both SPI and protocol, otherwise."

This seems to enable an ESP or AH datagram with spoofed IP addresses to match the SAD and SPD.

I'm confused at this juncture. The 4301 inbound processing algorithm (section 5.2 in RFC 4310) refers to SAD entries for processing IPsec-protected packets; the SPD inbound cache (SPD-I) is used only for bypass and discard traffic. So there should be no reference to the SPD in the sentence immediately above, right?

Also, you should remind folks that this rule applies only to multicast SAs. That's relevant to the OSPFv3 discussion we are having, but it seems inconsistent with the comment below of a middlebox that changes addresses, i.e., does one really expect to encounter a NAT on a link between two routers running OSPF?

I am not criticizing your later comments about AH vs. ESP applicability in mobile environments, just trying to keep the various arguments straight.

Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
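To make the point of the exchange concrete, here is an added toy model (not from the thread, not from any IPsec implementation) of the RFC 4301 section 4.1 inbound SAD lookup order and the section 5.2 post-processing selector check. It uses an HMAC in place of a real ICV, a constructed shared key, and transport-mode semantics so that the selector check is applied to the outer addresses; the SA entries, SPIs and addresses are constructed for the demonstration. It shows that a unicast SA is found on SPI alone regardless of the source address, that AH then rejects a rewritten source at the ICV step because the addresses are covered, and that ESP rejects it only if the SA's selectors are narrower than the rewritten address, which is exactly why ESP tolerates an address-changing middlebox and AH does not.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed demo key shared by both SA endpoints (not a real key).
KEY = b"constructed-demo-key"


@dataclass
class SAEntry:
    spi: int
    proto: str            # "ESP" or "AH"
    kind: str             # "unicast" or "multicast"
    dst: str              # SA destination (unicast endpoint or multicast group)
    src: Optional[str]    # set only for SSM multicast SAs (SPI+dst+src lookup)
    sel_src: str          # traffic selector for the packet source (transport mode)
    sel_dst: str          # traffic selector for the packet destination


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    spi: int
    payload: bytes
    icv: bytes


def compute_icv(proto, src, dst, spi, payload):
    """AH integrity covers the IP addresses; ESP integrity covers only the ESP header and payload."""
    covered = spi.to_bytes(4, "big") + payload
    if proto == "AH":
        covered = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + covered
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def sad_lookup(sad, pkt, single_spi_space=True):
    """RFC 4301 4.1 longest-match order: SPI+dst+src, then SPI+dst, then SPI alone (or SPI+proto)."""
    for sa in sad:  # 1. SSM multicast SAs
        if sa.kind == "multicast" and sa.src and (sa.spi, sa.dst, sa.src) == (pkt.spi, pkt.dst, pkt.src):
            return sa
    for sa in sad:  # 2. ASM multicast SAs
        if sa.kind == "multicast" and not sa.src and (sa.spi, sa.dst) == (pkt.spi, pkt.dst):
            return sa
    for sa in sad:  # 3. unicast SAs: the addresses are not part of the lookup key at all
        if sa.kind == "unicast" and sa.spi == pkt.spi and (single_spi_space or sa.proto == pkt.proto):
            return sa
    return None


def inbound_process(sad, pkt):
    """RFC 4301 5.2 flavoured inbound path: SAD lookup, integrity check, then selector check."""
    sa = sad_lookup(sad, pkt)
    if sa is None:
        return "discard: no SA"
    if sa.proto != pkt.proto:
        return "discard: protocol mismatch"
    expected = compute_icv(pkt.proto, pkt.src, pkt.dst, pkt.spi, pkt.payload)
    if not hmac.compare_digest(expected, pkt.icv):
        return "discard: ICV failure"
    # Step 4 of 5.2: the packet must match the selectors recorded in the SAD entry.
    if (ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(sa.sel_src)
            or ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(sa.sel_dst)):
        return "discard: selector mismatch"
    return "accept"


def make_packet(proto, src, dst, spi, payload=b"hello"):
    """Build a packet as the legitimate, key-holding sender would."""
    return Packet(src, dst, proto, spi, payload, compute_icv(proto, src, dst, spi, payload))


def rewrite_source(pkt, new_src):
    """Rewrite the outer source address without the key, as a NAT (or a spoofer) would."""
    return Packet(new_src, pkt.dst, pkt.proto, pkt.spi, pkt.payload, pkt.icv)


def unicast_scenario(proto, sel_src):
    """Returns (verdict for the genuine packet, verdict after the source is rewritten)."""
    sad = [SAEntry(0x1001, proto, "unicast", "192.0.2.2", None, sel_src, "192.0.2.2/32")]
    legit = make_packet(proto, "192.0.2.1", "192.0.2.2", 0x1001)
    rewritten = rewrite_source(legit, "198.51.100.7")
    return inbound_process(sad, legit), inbound_process(sad, rewritten)


def multicast_lookup_demo():
    """Two SAs share an SPI; the multicast one (an OSPFv3-style ff02::5 group) wins on SPI+dst."""
    sad = [SAEntry(0x2002, "ESP", "multicast", "ff02::5", None, "::/0", "ff02::5/128"),
           SAEntry(0x2002, "ESP", "unicast", "2001:db8::2", None, "::/0", "2001:db8::2/128")]
    to_group = make_packet("ESP", "2001:db8::9", "ff02::5", 0x2002)
    to_host = make_packet("ESP", "2001:db8::9", "2001:db8::2", 0x2002)
    return sad_lookup(sad, to_group).kind, sad_lookup(sad, to_host).kind


if __name__ == "__main__":
    print("AH, narrow selector:", unicast_scenario("AH", "192.0.2.1/32"))
    print("ESP, narrow selector:", unicast_scenario("ESP", "192.0.2.1/32"))
    print("ESP, wildcard selector:", unicast_scenario("ESP", "0.0.0.0/0"))
    print("multicast vs unicast on a shared SPI:", multicast_lookup_demo())
```

The third scenario is the one the thread is circling: with a wildcard source selector the ESP SA accepts the packet even after a middlebox changed its source address, so the protection against address spoofing that Daniel attributes to the SPD/selector check only exists when the negotiated selectors are narrow. The multicast case shows why the "SPI only" rule is about unicast SAs: a group SA on the same SPI is matched first because the destination is part of its key.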