From owner-freebsd-net Fri Oct 18 13:16:32 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 04E2537B401 for ; Fri, 18 Oct 2002 13:16:31 -0700 (PDT)
Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 0E96D43EA9 for ; Fri, 18 Oct 2002 13:16:30 -0700 (PDT) (envelope-from kudzu@tenebras.com)
Received: (qmail 42728 invoked from network); 18 Oct 2002 20:16:28 -0000
Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241) by 0 with SMTP; 18 Oct 2002 20:16:28 -0000
Message-ID: <3DB06C1C.8070502@tenebras.com>
Date: Fri, 18 Oct 2002 13:16:28 -0700
From: Michael Sierchio
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.1) Gecko/20020826
X-Accept-Language: en-us, en, fr-fr, ru
MIME-Version: 1.0
To: "Crist J. Clark"
Cc: Matthew Zahorik , freebsd-net@FreeBSD.ORG
Subject: Re: IPSEC/NAT issues
References: <20021018002729.T66900-100000@mail.allcaps.org> <20021018182522.GC45449@blossom.cjclark.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Crist J. Clark wrote:

> ...The current ESP standard has its own header
> authentication mechanism. To verify end-to-end header integrity, you
> need only use ESP with this option turned on (excuse me if I don't go
> to the RFC to remind myself of the formal name of the option).

I just happened to be looking at it, so...

RFC 2406  IP Encapsulating Security Payload (ESP)

   ESP is used to provide confidentiality, data origin authentication,
   connectionless integrity, an anti-replay service (a form of partial
   sequence integrity), and limited traffic flow confidentiality.
2.7 Authentication Data

   The Authentication Data is a variable-length field containing an
   Integrity Check Value (ICV) computed over the ESP packet minus the
   Authentication Data.  The length of the field is specified by the
   authentication function selected.  The Authentication Data field is
   optional, and is included only if the authentication service has
   been selected for the SA in question.  The authentication algorithm
   specification MUST specify the length of the ICV and the comparison
   rules and processing steps for validation.

                  BEFORE APPLYING ESP
             ----------------------------
       IPv4  |orig IP hdr  |     |      |
             |(any options)| TCP | Data |
             ----------------------------

                  AFTER APPLYING ESP
             -------------------------------------------------
       IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
             |(any options)| Hdr | TCP | Data | Trailer |Auth|
             -------------------------------------------------
                                 |<----- encrypted ---->|
                           |<------ authenticated ----->|

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
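The coverage shown in the RFC diagram above, worked through in Python as an added example (this is not code from the original message, from RFC 2406, or from FreeBSD). The ICV is HMAC-SHA1-96 as in RFC 2404; the HMAC key, SPI, sequence number, addresses and payload are constructed for the example, and the payload bytes simply stand in for ciphertext, since the cipher plays no part in what the ICV covers. The example builds a transport-mode ESP packet, verifies it, then shows that rewriting the outer IPv4 source address (what a NAT does) leaves the ICV valid while flipping a bit anywhere inside the ESP header or payload does not:

```python
"""Which bytes of a transport-mode ESP packet the Authentication Data
(ICV) covers, following RFC 2406 section 2.7 and the transport-mode
diagram in section 3.1.1.  Everything below (key, SPI, addresses,
payload) is constructed for this example; the payload is treated as the
bytes the SA's cipher would have produced."""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 12           # HMAC-SHA1-96 (RFC 2404): SHA-1 truncated to 96 bits
ESP_HDR_LEN = 8        # SPI (4 bytes) + Sequence Number (4 bytes)
IPV4_HDR_LEN = 20      # header without options
NEXT_HEADER_TCP = 6
IPPROTO_ESP = 50


def esp_trailer(payload: bytes, next_header: int, block: int = 4) -> bytes:
    """Padding + Pad Length + Next Header so that payload+trailer is a
    multiple of `block` bytes (RFC 2406 requires 4-byte alignment when the
    cipher imposes nothing stricter).  Default padding is 1, 2, 3, ..."""
    pad_len = (-(len(payload) + 2)) % block
    return bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def build_esp(spi: int, seq: int, ciphertext_and_trailer: bytes, auth_key: bytes) -> bytes:
    """ESP header + (encrypted) payload and trailer + ICV.  Per RFC 2406
    section 2.7 the ICV is computed over the ESP packet minus the
    Authentication Data field itself; the IP header is not included."""
    body = struct.pack("!II", spi, seq) + ciphertext_and_trailer
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def verify_esp(esp_packet: bytes, auth_key: bytes) -> bool:
    """Recompute the ICV over everything but the trailing Authentication
    Data and compare in constant time."""
    if len(esp_packet) < ESP_HDR_LEN + ICV_LEN:
        return False
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def build_ipv4_header(src: str, dst: str, total_len: int) -> bytes:
    """Minimal 'orig IP hdr' from the diagram: no options, checksum left
    zero, protocol 50 (ESP)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_ESP, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def nat_rewrite_src(packet: bytes, new_src: str) -> bytes:
    """What a NAT box does to the outer header: replace the source address
    (bytes 12..15 of the IPv4 header).  The ESP bytes are left untouched."""
    return packet[:12] + ipaddress.IPv4Address(new_src).packed + packet[16:]


def example_results() -> dict:
    auth_key = b"constructed-example-hmac-key-0001"              # constructed
    tcp_segment = b"\x00\x50\x1f\x90constructed TCP segment"       # constructed, not real TCP
    body = tcp_segment + esp_trailer(tcp_segment, NEXT_HEADER_TCP)  # stands in for ciphertext
    esp = build_esp(spi=0x1000, seq=1, ciphertext_and_trailer=body, auth_key=auth_key)
    packet = build_ipv4_header("192.168.1.10", "203.0.113.5", IPV4_HDR_LEN + len(esp)) + esp

    results = {"original": verify_esp(packet[IPV4_HDR_LEN:], auth_key)}

    # The outer IP header lies outside the "authenticated" span, so a NAT
    # rewrite of the source address leaves the ICV valid.
    natted = nat_rewrite_src(packet, "198.51.100.7")
    results["after_nat"] = verify_esp(natted[IPV4_HDR_LEN:], auth_key)

    # One flipped bit in the payload (first byte after the ESP header) fails.
    tampered = bytearray(packet)
    tampered[IPV4_HDR_LEN + ESP_HDR_LEN] ^= 0x01
    results["payload_tampered"] = verify_esp(bytes(tampered[IPV4_HDR_LEN:]), auth_key)

    # The ESP header (SPI, sequence number) is covered as well.
    tampered = bytearray(packet)
    tampered[IPV4_HDR_LEN + 7] ^= 0x01              # low byte of the sequence number
    results["seq_tampered"] = verify_esp(bytes(tampered[IPV4_HDR_LEN:]), auth_key)
    return results


if __name__ == "__main__":
    for name, ok in example_results().items():
        print(f"{name:17s} ICV valid: {ok}")
```

The "after_nat" case is the point that matters for the IPSEC/NAT discussion: ESP authentication covers the ESP header, payload and trailer, not the outer IP header, so an address rewrite in transit is invisible to the ICV (which is also why NAT is survivable for ESP in a way it is not for AH, whose ICV does include the outer header).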