Dear all,

I am writing this as I have a question that I've failed to clarify by
other means.

It is commonly stated that the ESP protocol covers all of the
functionality afforded by AH (integrity and authentication) in
addition to confidentiality, with the exception that AH also protects
the parts of the IP header that are nonmutable in transit (the source
and destination fields most notably). This is then used as leverage in
the argument to justify the need to apply two SAs to a single
traffic pattern (i.e. connection): "ESP for authentication, integrity
and confidentiality. AH for protecting the source and IP address". It
should be noted that this only applies to transport mode as the whole
"tunneled" IP packet can be protected by ESP while in tunnel mode.

However, RFC 4301 stipulates that after AH / ESP processing the
addressing information of the packet must be successfully matched with
the traffic pattern of the associated SAD entry. In my eyes, this
would make it impossible for an attacker to alter (most importantly)
the source address of a packet as it would be discarded.

From page 62, RFC 4301:

  ...
4.  Apply AH or ESP processing as specified, using the SAD entry
    selected in step 3a above.  Then match the packet against the
    inbound selectors identified by the SAD entry to verify that the
    received packet is appropriate for the SA via which it was
    received.
  ...

This, if true, would imply that all functionality offered by AH could
be provided by ESP. Is this true? The only "loopholes" I could come up
with are the case of extension headers in IPv6 which are not protected
by ESP, or issues arising in conjunction with multicast.

In any case, I would be very happy if someone could clarify this
question for me.

Sincerely,
Vilhelm Jutvik
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
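The inbound processing the mail quotes (RFC 4301 section 5.2, SAD lookup, then AH/ESP processing, then the selector match) as a runnable toy model. This is an added example, not the mail author's code and not any IPsec implementation. It assumes HMAC-SHA-256-128 as the integrity algorithm for both AH and ESP, constructed keys and addresses, a simplified packet layout that only records which fields each ICV covers, and hypothetical function names (`protect`, `inbound_process`, `with_src`). Encryption, anti-replay, fragmentation, IPv6 extension headers and multicast are not modelled.

```python
"""Toy model of RFC 4301 inbound processing for transport-mode AH and ESP.
Added example: not the mail author's code and not a real IPsec stack.
Constructed keys, addresses and packet layout; only ICV coverage, the SAD
lookup and the selector check are modelled."""
import dataclasses
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROTO_ESP = 50
PROTO_AH = 51


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int          # next header after IP: 50 = ESP, 51 = AH


@dataclass(frozen=True)
class SecHeader:
    spi: int
    seq: int
    next_proto: int     # protocol of the protected payload (6 = TCP)


@dataclass(frozen=True)
class Packet:
    ip: IPHeader
    sec: SecHeader
    payload: bytes
    icv: bytes


@dataclass(frozen=True)
class SAEntry:
    spi: int
    proto: int          # PROTO_AH or PROTO_ESP
    key: bytes
    remote: str         # inbound selectors: allowed source prefix ...
    local: str          # ... allowed destination prefix ...
    next_proto: int     # ... and protected protocol


def icv(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256-128 (RFC 4868): 256-bit HMAC truncated to 128 bits."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def covered_bytes(proto: int, ip: IPHeader, sec: SecHeader, payload: bytes) -> bytes:
    """Bytes the ICV is computed over. The whole AH/ESP difference for this
    question lives here: AH also covers the immutable IP header fields."""
    sec_hdr = sec.spi.to_bytes(4, "big") + sec.seq.to_bytes(4, "big")
    body = sec_hdr + payload + bytes([sec.next_proto])
    if proto == PROTO_ESP:
        return body                       # ESP: IP header is NOT covered
    ip_hdr = ip_address(ip.src).packed + ip_address(ip.dst).packed + bytes([ip.proto])
    return ip_hdr + body                  # AH: src, dst, next header covered


def protect(sa: SAEntry, src: str, dst: str, payload: bytes, seq: int) -> Packet:
    """Sender side: build a transport-mode AH or ESP packet on the given SA."""
    ip = IPHeader(src, dst, sa.proto)
    sec = SecHeader(sa.spi, seq, sa.next_proto)
    return Packet(ip, sec, payload, icv(sa.key, covered_bytes(sa.proto, ip, sec, payload)))


def inbound_process(sad: dict, pkt: Packet) -> str:
    """Receiver side, following RFC 4301 section 5.2 steps 3a and 4."""
    # Step 3a: look up the SAD entry by SPI and protocol (unicast SA).
    sa = sad.get((pkt.sec.spi, pkt.ip.proto))
    if sa is None:
        return "discard: no SA"
    # Step 4, first half: AH/ESP processing, here only the integrity check.
    expected = icv(sa.key, covered_bytes(sa.proto, pkt.ip, pkt.sec, pkt.payload))
    if not hmac.compare_digest(expected, pkt.icv):
        return "discard: ICV failure"
    # Step 4, second half: the packet must match the SA's inbound selectors.
    if ip_address(pkt.ip.src) not in ip_network(sa.remote):
        return "discard: selector mismatch (source address)"
    if ip_address(pkt.ip.dst) not in ip_network(sa.local):
        return "discard: selector mismatch (destination address)"
    if pkt.sec.next_proto != sa.next_proto:
        return "discard: selector mismatch (protocol)"
    return "accept"


def with_src(pkt: Packet, src: str) -> Packet:
    """An on-path attacker rewriting the outer source address in transit."""
    return dataclasses.replace(pkt, ip=dataclasses.replace(pkt.ip, src=src))


def demo() -> dict:
    """Run the scenarios from the mail against both SA types (constructed data)."""
    esp_sa = SAEntry(0x1001, PROTO_ESP, b"\x01" * 32, "198.51.100.0/24", "192.0.2.10/32", 6)
    ah_sa = SAEntry(0x2002, PROTO_AH, b"\x02" * 32, "198.51.100.0/24", "192.0.2.10/32", 6)
    sad = {(esp_sa.spi, PROTO_ESP): esp_sa, (ah_sa.spi, PROTO_AH): ah_sa}
    results = {}
    for name, sa in (("esp", esp_sa), ("ah", ah_sa)):
        pkt = protect(sa, "198.51.100.7", "192.0.2.10", b"TCP segment", seq=1)
        results[f"{name}_genuine"] = inbound_process(sad, pkt)
        # Source rewritten to an address outside the SA's remote selector.
        results[f"{name}_src_outside"] = inbound_process(sad, with_src(pkt, "203.0.113.99"))
        # Source rewritten to a different host inside the /24 remote selector.
        results[f"{name}_src_inside"] = inbound_process(sad, with_src(pkt, "198.51.100.8"))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16s} {v}")
```

Running `demo()` shows the point of the question and its limit. A rewritten source address outside the SA's selectors is discarded either way: under ESP the ICV still verifies (the IP header is not covered) and the selector match in step 4 rejects it; under AH the ICV itself fails. The `src_inside` case is the caveat: the selector match only checks that the address is acceptable for the SA, so with a /24 remote selector ESP accepts a source rewritten to another host in that prefix, whereas AH still rejects it. With /32 selectors, as in a host-to-host transport-mode SA, the two give the same result for the address fields.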
