From owner-freebsd-security@FreeBSD.ORG Wed Apr 28 09:31:17 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 637FC16A4CE; Wed, 28 Apr 2004 09:31:17 -0700 (PDT) Received: from fnord.ir.bbn.com (fnord.ir.bbn.com [192.1.100.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id B120F43D46; Wed, 28 Apr 2004 09:31:16 -0700 (PDT) (envelope-from gdt@ir.bbn.com) Received: from fnord.ir.bbn.com (localhost [127.0.0.1]) by fnord.ir.bbn.com (Postfix) with ESMTP id 6F0611F69; Wed, 28 Apr 2004 12:31:15 -0400 (EDT) From: Greg Troxel To: "Crist J. Clark" In-Reply-To: Message from "Crist J. Clark" <20040427184422.GA88369@blossom.cjclark.org> Date: Wed, 28 Apr 2004 12:31:15 -0400 Sender: gdt@ir.bbn.com Message-Id: <20040428163115.6F0611F69@fnord.ir.bbn.com> cc: freebsd-security@FreeBSD.org cc: Dan Langille Subject: Re: IPsec - got ESP going, but not AH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Apr 2004 16:31:17 -0000 > Date: Tue, 27 Apr 2004 11:44:22 -0700 > From: "Crist J. Clark" > To: Greg Troxel > Cc: Dan Langille , freebsd-security@FreeBSD.org > Subject: Re: IPsec - got ESP going, but not AH > Message-ID: <20040427184422.GA88369@blossom.cjclark.org> > Reply-To: "Crist J. Clark" > References: <40885ECF.22456.1C68F42E@localhost> > > On Fri, Apr 23, 2004 at 08:02:15AM -0400, Greg Troxel wrote: > > While this should probably work, it's more straightforward to use ESP > > with integrity protection. That is, use a -A hmac-sha1 argument also > > to ESP. (hmac-md5 is probably still fine, but sha1 goes better > > strength-wise with rijndael-cbc.) > > > > I believe that in tunnel mode AH and ESP integrity are essentially > > identical - but read RFC2401 and rfc2401bis (i-d from ipsec wg) if you > > really want to understand. > > Not true. ESP integrity does not cover the IP header, only the ESP > payload. Look at the diagrams in section 3.1 of RFC2406. I was a bit off here. AH in tunnel mode does authenticate the outer IP header. But since this header is removed at tunnel egress, and presumably checked against the SPD or SAD entry, an ICV over the outer header fields has little additional value once one checks an ICV over the packet and determines that the packet came from the other SA endpoint. Whether and how carefully KAME-derived implementations check tunnel headers against SPD/SAD is another story - I have not investigated this. > > In transport mode, AH protects parts of > > the original (and only) IP header. > > Not true. AH protects the entire datagram, including payload. Again > hop down to section 3.1 of RFC2402 for that RFC-ASCII art we all love > so much. Sorry - I was being too terse. I meant that it protects part of the IP header in addition to the payload (which is also protected by ESP). Really the point I was trying to make (and did so badly) was that for many uses, ESP with integrity is perfectly adequate and is simpler than AH and ESP together.