Date: Fri, 18 Oct 2002 13:16:28 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: Matthew Zahorik <matt@hottub.org>, freebsd-net@FreeBSD.ORG
Subject: Re: IPSEC/NAT issues
Message-ID: <3DB06C1C.8070502@tenebras.com>
References: <20021018002729.T66900-100000@mail.allcaps.org> <Pine.GSO.4.40.0210180628271.5762-100000@hottub> <20021018182522.GC45449@blossom.cjclark.org>
Crist J. Clark wrote:

> ...The current ESP standard has its own header
> authentication mechanism. To verify end-to-end header integrity, you
> need only use ESP with this option turned on (excuse me if I don't go
> to the RFC to remind myself of the formal name of the option).

I just happened to be looking at it, so...

RFC 2406  IP Encapsulating Security Payload (ESP)

   ESP is used to provide confidentiality, data origin authentication,
   connectionless integrity, an anti-replay service (a form of partial
   sequence integrity), and limited traffic flow confidentiality.

2.7 Authentication Data

   The Authentication Data is a variable-length field containing an
   Integrity Check Value (ICV) computed over the ESP packet minus the
   Authentication Data.  The length of the field is specified by the
   authentication function selected.  The Authentication Data field is
   optional, and is included only if the authentication service has been
   selected for the SA in question.  The authentication algorithm
   specification MUST specify the length of the ICV and the comparison
   rules and processing steps for validation.

            BEFORE APPLYING ESP
            ----------------------------
      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------

            AFTER APPLYING ESP
            -------------------------------------------------
      IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
            |(any options)| Hdr | TCP | Data | Trailer |Auth|
            -------------------------------------------------
                                |<----- encrypted ---->|
                          |<------ authenticated ----->|
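The span the ICV covers is the point of the reply above: the ESP header and everything after it, but not the outer IP header. The following Python is an added example (not from this thread, RFC 2406, or FreeBSD's IPsec code) that builds an ESP packet with Authentication Data, verifies it, and shows that a NAT rewriting the outer IPv4 header leaves the ICV valid while any change to the ESP header or the encrypted payload does not. Everything constructed is labelled: the SA authentication key, SPI, addresses, and an opaque byte string standing in for the already-encrypted TCP/Data/ESP Trailer span; the ICV algorithm assumed is HMAC-SHA1-96 (RFC 2404), the 96-bit truncation of HMAC-SHA1.

```python
"""ESP Authentication Data over the span RFC 2406 draws as "authenticated".

Added example with constructed inputs. The ciphertext is an opaque constructed
blob standing in for the encrypted payload+trailer; the ICV is HMAC-SHA1-96.
"""
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50      # IP protocol number for ESP
ICV_LEN = 12        # HMAC-SHA1-96: first 96 bits of the HMAC-SHA1 output
ESP_HDR_LEN = 8     # 32-bit SPI followed by a 32-bit sequence number


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement checksum over an IPv4 header (RFC 791); 0 when valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = ESP_PROTO) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_icv(auth_key: bytes, esp_minus_icv: bytes) -> bytes:
    """ICV computed over the ESP packet minus the Authentication Data."""
    return hmac.new(auth_key, esp_minus_icv, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(auth_key: bytes, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header + encrypted (payload+trailer) + Authentication Data.

    The ICV covers the ESP header and the ciphertext; the outer IP header is
    never an input to it, which is exactly what the RFC diagram shows.
    """
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + esp_icv(auth_key, body)


def verify_esp(auth_key: bytes, esp: bytes):
    """Validate the ICV; return the parsed fields on success, None on failure."""
    if len(esp) < ESP_HDR_LEN + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(esp_icv(auth_key, body), icv):
        return None
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    return {"spi": spi, "seq": seq, "ciphertext": body[ESP_HDR_LEN:]}


def verify_esp_datagram(auth_key: bytes, datagram: bytes):
    """Check the outer IPv4 header (checksum, protocol 50), then the ESP ICV."""
    ihl = (datagram[0] & 0x0F) * 4
    ip_hdr, esp = datagram[:ihl], datagram[ihl:]
    if len(ip_hdr) < 20 or ipv4_checksum(ip_hdr) != 0 or ip_hdr[9] != ESP_PROTO:
        return None
    return verify_esp(auth_key, esp)


def nat_rewrite_src(datagram: bytes, new_src: str) -> bytes:
    """What a source NAT does to the outer header: new address, new IP checksum.
    Nothing past the IP header is touched."""
    ihl = (datagram[0] & 0x0F) * 4
    hdr = bytearray(datagram[:ihl])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + datagram[ihl:]


def flip_byte(datagram: bytes, offset: int) -> bytes:
    """Tamper helper for the negative cases: flip one bit at `offset`."""
    b = bytearray(datagram)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    key = b"constructed-esp-auth-key"                  # constructed SA auth key
    ct = bytes(range(0x80, 0x80 + 36))                 # constructed opaque ciphertext
    esp = build_esp(key, spi=0x1000, seq=1, ciphertext=ct)
    dg = ipv4_header("10.0.0.5", "192.0.2.1", len(esp)) + esp   # constructed addresses

    print("original        :", verify_esp_datagram(key, dg) is not None)
    print("after source NAT:", verify_esp_datagram(key, nat_rewrite_src(dg, "203.0.113.7")) is not None)
    print("ESP seq changed :", verify_esp_datagram(key, flip_byte(dg, 20 + 7)) is not None)
    print("payload changed :", verify_esp_datagram(key, flip_byte(dg, 20 + 8)) is not None)
```

Run it directly and the first two checks pass while the last two fail: the outer header is outside the authenticated span, so a NAT that rewrites addresses and the IP checksum does not disturb the ICV, whereas AH, which does cover the addresses, would reject the same rewrite. In transport mode the TCP checksum inside the encrypted payload still covers the original addresses, so the inner packet can fail its own checksum at the far end even though ESP accepts it.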