Date:      Fri, 18 Oct 2002 13:16:28 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc:        Matthew Zahorik <matt@hottub.org>, freebsd-net@FreeBSD.ORG
Subject:   Re: IPSEC/NAT issues
Message-ID:  <3DB06C1C.8070502@tenebras.com>
References:  <20021018002729.T66900-100000@mail.allcaps.org> <Pine.GSO.4.40.0210180628271.5762-100000@hottub> <20021018182522.GC45449@blossom.cjclark.org>

Crist J. Clark wrote:

> ...The current ESP standard has its own header
> authentication mechanism. To verify end-to-end header integrity, you
> need only use ESP with this option turned on (excuse me if I don't go
> to the RFC to remind myself of the formal name of the option).

I just happened to be looking at it, so...

RFC 2406 	IP Encapsulating Security Payload (ESP)

    ESP is used to provide confidentiality, data origin authentication,
    connectionless integrity, an anti-replay service (a form of partial
    sequence integrity), and limited traffic flow confidentiality.

2.7  Authentication Data

    The Authentication Data is a variable-length field containing an
    Integrity Check Value (ICV) computed over the ESP packet minus the
    Authentication Data.  The length of the field is specified by the
    authentication function selected.  The Authentication Data field is
    optional, and is included only if the authentication service has been
    selected for the SA in question.  The authentication algorithm
    specification MUST specify the length of the ICV and the comparison
    rules and processing steps for validation.

                  BEFORE APPLYING ESP
             ----------------------------
       IPv4  |orig IP hdr  |     |      |
             |(any options)| TCP | Data |
             ----------------------------

                  AFTER APPLYING ESP
             -------------------------------------------------
       IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
             |(any options)| Hdr | TCP | Data | Trailer |Auth|
             -------------------------------------------------
                                 |<----- encrypted ---->|
                           |<------ authenticated ----->|



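As an added illustration of the ICV coverage the quoted RFC text and diagram describe (example code written for this page, not from the RFC, FreeBSD, or the poster): the ICV is computed with HMAC-SHA1-96 (RFC 2404) over the ESP header through the trailer, so rewriting the outer IP header, as a NAT does, leaves it valid, while any change inside the authenticated span does not. The key, SPI, addresses and payload bytes are constructed placeholders.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): 20-byte HMAC-SHA1 tag truncated to 96 bits


def esp_icv(key: bytes, esp_hdr: bytes, encrypted: bytes) -> bytes:
    """ICV over the ESP packet minus the Authentication Data: ESP header
    (SPI + sequence number) followed by the encrypted payload and trailer.
    The outer IP header is deliberately not part of the input."""
    return hmac.new(key, esp_hdr + encrypted, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(key: bytes, spi: int, seq: int, encrypted: bytes) -> bytes:
    """Assemble ESP header || encrypted payload+trailer || ESP Auth.
    `encrypted` stands in for the cipher output (constructed, not real ESP)."""
    esp_hdr = struct.pack("!II", spi, seq)
    return esp_hdr + encrypted + esp_icv(key, esp_hdr, encrypted)


def verify_esp(key: bytes, esp_packet: bytes) -> bool:
    """Receiver side: recompute the ICV over everything but the trailing
    Authentication Data and compare it in constant time."""
    if len(esp_packet) < 8 + ICV_LEN:
        return False
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    return hmac.compare_digest(esp_icv(key, body[:8], body[8:]), icv)


def ipv4_header(src: bytes, dst: bytes, payload_len: int) -> bytes:
    """Minimal constructed IPv4 header (no options, protocol 50 = ESP,
    checksum left as 0); only its position outside the ICV matters here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, 50, 0, src, dst)


def demo() -> dict:
    key = b"constructed-demo-key-not-real"
    payload = bytes.fromhex("a1b2c3d4e5f60718")  # stands in for encrypted TCP+trailer
    esp = build_esp(key, spi=0x1000, seq=1, encrypted=payload)
    # Outer header rewritten by a NAT: source address changed, ESP untouched.
    after_nat = ipv4_header(b"\xc0\xa8\x01\x02", b"\x0a\x00\x00\x01", len(esp)) + esp
    # A single bit flipped inside the authenticated span (sequence number).
    tampered = bytearray(esp)
    tampered[4] ^= 0x01
    return {"valid": verify_esp(key, esp),
            "after_nat": verify_esp(key, after_nat[20:]),
            "tampered": verify_esp(key, bytes(tampered))}
```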



