Some queries regarding IP security
Hi,
I have a couple of issues to be clarified regarding IPsec.
First, regarding the ESP protocol. ESP provides authentication as well
as confidentiality. The authentication provided by ESP is not as
effective as the one provided by AH. It does not authenticate the
IP header, in either transport or tunnel mode (in tunnel mode, the new
IP header). So my query is: why is the authentication feature
provided in ESP at all, when it is there in AH, which is also better than
the one in ESP?
Secondly, this is regarding IPsec inbound packet processing. During
inbound packet processing, the receiver first matches the packet to its
corresponding SAs and does IPsec processing; after this it refers to the SPD
to verify whether the ordering of the SAs, and the SAs themselves that were
applied, were correct. If the ordering does not match, the packet is rejected. My
question is: what is the purpose of the last step? Once the
packet has matched the SAs and has undergone IPsec processing
successfully, what is the need to check again from the SPD whether the
policy applied is correct? And since SPDs can be big, won't this lead to
some extra processing overhead? (ref. RFC 2401, page 33, section 5.2.1,
step 4)
-Shamik
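Both questions in the post are easier to reason about with a small model. The Python below is an added example; it is not part of the original message nor of any IPsec implementation, and the keys, SPIs, addresses, selectors and the simplified header/ICV layout are all constructed. The first part shows why an ESP integrity check cannot detect a rewritten outer IP header while an AH check can (and why AH must zero mutable fields such as TTL so that ordinary routing does not break it). The second part models the inbound steps of RFC 2401 section 5.2.1 and shows what the final SPD comparison (step 4) catches that SA matching alone does not: traffic that arrived in the clear although policy requires protection, and traffic that arrived over a perfectly valid SA which provides less protection than the policy for that traffic demands.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Everything below is constructed sample data: keys, SPIs, addresses and
# policy entries are illustrative, not taken from any real configuration.
KEYS = {"esp": b"esp-integrity-key", "ah": b"ah-integrity-key"}


@dataclass
class Packet:
    src: str          # outer IP header fields
    dst: str
    ttl: int
    proto: str        # "esp" or "ah"
    spi: int
    seq: int
    payload: bytes
    icv: bytes = b""


def _ipsec_hdr(p: Packet) -> bytes:
    return p.spi.to_bytes(4, "big") + p.seq.to_bytes(4, "big")


def integrity_scope(p: Packet) -> bytes:
    """Bytes covered by the ICV. ESP covers only its own header and payload;
    AH also covers the IP header, with mutable fields (here TTL) zeroed."""
    if p.proto == "esp":
        return _ipsec_hdr(p) + p.payload
    return p.src.encode() + p.dst.encode() + b"\x00" + _ipsec_hdr(p) + p.payload


def _icv(p: Packet) -> bytes:
    # 96-bit truncated HMAC, the usual IPsec ICV length
    return hmac.new(KEYS[p.proto], integrity_scope(p), hashlib.sha256).digest()[:12]


def sign(p: Packet) -> Packet:
    p.icv = _icv(p)
    return p


def verify(p: Packet) -> bool:
    return hmac.compare_digest(_icv(p), p.icv)


def header_tamper_results() -> dict:
    """Does an in-flight change to the outer IP header survive the ICV check?"""
    results = {}
    for proto in ("esp", "ah"):
        p = sign(Packet("192.0.2.2", "198.51.100.1", 64, proto, 0x1001, 7, b"inner-data"))
        rerouted = replace(p, dst="198.51.100.99")   # destination rewritten in transit
        routed = replace(p, ttl=63)                  # a normal router hop
        results[proto] = {"dst_changed": verify(rerouted), "ttl_changed": verify(routed)}
    return results


# Security Association Database, keyed as RFC 2401 does: (SPI, dest addr, protocol).
# Each SA records the traffic selectors it was negotiated for.
SAD = {
    (0x1001, "198.51.100.1", "esp"): {"src_sel": "10.1.0.0/16", "dst_sel": "10.0.0.0/16"},
    (0x2002, "198.51.100.1", "ah"):  {"src_sel": "10.0.0.0/8",  "dst_sel": "10.0.0.0/16"},
    (0x2003, "198.51.100.1", "esp"): {"src_sel": "10.0.0.0/8",  "dst_sel": "10.0.0.0/16"},
}

# Inbound SPD: (source selector, destination selector, required protocols in order).
# Anything that matches no entry is discarded.
SPD = [
    ("10.1.0.0/16", "10.0.0.0/16", ("esp",)),
    ("10.2.0.0/16", "10.0.0.0/16", ("ah", "esp")),   # bundle: AH outside, ESP inside
]


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def inbound_process(applied: list, inner_src: str, inner_dst: str) -> str:
    """applied: (spi, dst, proto) keys of the SAs that were successfully
    verified and removed, in that order. Returns 'accept' or a reject reason."""
    protos = []
    for key in applied:                       # steps 2-3: SA lookup and SA selectors
        sa = SAD.get(key)
        if sa is None:
            return "reject: no SA for %s" % (key,)
        if not (_in(inner_src, sa["src_sel"]) and _in(inner_dst, sa["dst_sel"])):
            return "reject: packet outside SA selectors"
        protos.append(key[2])
    for src_sel, dst_sel, required in SPD:    # step 4: what protection was required?
        if _in(inner_src, src_sel) and _in(inner_dst, dst_sel):
            if tuple(protos) != required:
                return "reject: policy requires %s, got %s" % (required, tuple(protos))
            return "accept"
    return "reject: no matching policy"


def policy_check_results() -> dict:
    gw = "198.51.100.1"
    return {
        "esp_as_required": inbound_process([(0x1001, gw, "esp")], "10.1.4.4", "10.0.0.9"),
        "cleartext_bypass": inbound_process([], "10.1.4.4", "10.0.0.9"),
        "esp_only_but_bundle_required": inbound_process([(0x2003, gw, "esp")], "10.2.4.4", "10.0.0.9"),
        "bundle_as_required": inbound_process([(0x2002, gw, "ah"), (0x2003, gw, "esp")], "10.2.4.4", "10.0.0.9"),
    }


if __name__ == "__main__":
    print(header_tamper_results())
    print(policy_check_results())
```

In `header_tamper_results`, the rerouted ESP packet still verifies because nothing in the IP header is under the ICV, whereas the AH copy fails; the TTL change passes for both, which is the reason AH treats TTL as mutable. In `policy_check_results`, the SA 0x2003 is valid and its selectors are broad enough to cover 10.2.0.0/16, so steps 2 and 3 pass, yet the SPD says that traffic must arrive inside an AH+ESP bundle; without step 4 a peer holding only the ESP-only SA could deliver that traffic with less protection than the administrator configured, and cleartext traffic for a protected selector would be accepted outright. The cost of the SPD lookup is the price of that policy enforcement.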