Hi Iljitsch, I agree with you. However, if you take note of RFC4301 (the IPsec base RFC), AH has been downgraded to a MAY support, so not all machines will support AH. I agree we can do without a checksum; I am just trying to fill in when I feel there is some additional information the discussion could gain from.
Thanks,
Vishwas

On Feb 1, 2008 1:02 AM, Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote:
> On 1 feb 2008, at 1:59, Vishwas Manral wrote:
>
> > For ESP (RFC4303) the ICV does not cover the outer IP header at all
> > the mutable field or not. For AH (RFC4302) however the outer IP header
> > is covered for the ICV calculation.
>
> Yes. So if you want to cryptographically protect your header, either
> use AH or put the packet into another packet and protect the original
> packet with ESP.
>
> A header checksum will give you none of this because the checksum
> algorithm used in IP is so simple I can calculate it in my head (just
> 16-bit additions over data that's in the packet).
>
> Note also that all the important fields in the IP header are included
> in the transport layer checksum, which also makes it unnecessary to do
> a separate header checksum to protect these fields against bit errors.
>
> Last but not least, if an attacker can toggle bits in your header, it
> really doesn't matter whether you have cryptographically strong means
> to detect this, because what you would be doing is dropping the
> packet, while any of this toggling would also result in dropping the
> packet at some point, all else being equal. (The attacker could also
> toggle bits in the data part of the packet so the receiver would
> accept bad data, but IPsec AH/ESP or even TLS all provide protection
> against that regardless of header checksums.)
>
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
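The contrast Iljitsch draws above, worked through as an added example that is not part of this thread: the RFC 1071 one's-complement header checksum detects a random bit error but is silent once the checksum is simply recomputed after a change, whereas a keyed ICV over the header's immutable fields (a simplified model of the AH ICV of RFC 4302, using HMAC-SHA256 and only the 20-byte IPv4 header, both assumptions for this demo) still catches it, while tolerating the TTL decrement a router legitimately makes. The header bytes and key are constructed for the demo.

```python
import hashlib
import hmac
import struct

def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:               # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fill_checksum(header: bytes) -> bytes:
    """Return the 20-byte header with bytes 10-11 set to its correct checksum."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]

def checksum_ok(header: bytes) -> bool:
    """A header carrying a correct checksum sums to zero after complement."""
    return ipv4_checksum(header) == 0

def sample_header(ttl: int = 64, dst: bytes = bytes([10, 0, 0, 2])) -> bytes:
    """Constructed 20-byte IPv4 header: 10.0.0.1 -> dst, TCP, total length 40."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, ttl, 6, 0,
                      bytes([10, 0, 0, 1]), dst)
    return fill_checksum(raw)

def ah_style_icv(key: bytes, header: bytes) -> bytes:
    """Simplified model (assumption) of the AH ICV: keyed MAC over the header with
    the mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum) zeroed.
    Real AH covers the whole packet and truncates the MAC; this is a teaching model."""
    masked = (header[:1] + b"\x00" + header[2:6] + b"\x00\x00" + b"\x00"
              + header[9:10] + b"\x00\x00" + header[12:])
    return hmac.new(key, masked, hashlib.sha256).digest()

def compare(original: bytes, received: bytes, key: bytes) -> dict:
    """Report which mechanism notices that `received` differs from `original`."""
    return {
        "checksum": not checksum_ok(received),
        "ah_icv": not hmac.compare_digest(ah_style_icv(key, original),
                                          ah_style_icv(key, received)),
    }

if __name__ == "__main__":
    key = b"constructed-demo-key"
    orig = sample_header()
    err = bytearray(orig); err[19] ^= 0x01   # bit error in dst, checksum not recomputed
    print("bit error     ", compare(orig, bytes(err), key))
    print("rewritten dst ", compare(orig, sample_header(dst=bytes([10, 0, 0, 3])), key))
    print("router TTL hop", compare(orig, sample_header(ttl=63), key))
```

Only the keyed ICV separates "checksum still valid" from "header unchanged", which is why the thread points at AH (or ESP around an encapsulated packet) rather than a stronger checksum.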