Re: IPsec - got ESP going, but not AH

From: Crist J. Clark (cristjc_at_comcast.net)
Date: 04/27/04

  • Next message: Dan Langille: "IPsec works, but racoon/IKE does not" 
    Date: Tue, 27 Apr 2004 11:44:22 -0700
To: Greg Troxel <gdt@ir.bbn.com>

    On Fri, Apr 23, 2004 at 08:02:15AM -0400, Greg Troxel wrote:
    > While this should probably work, it's more straightforward to use ESP
    > with integrity protection. That is, use a -A hmac-sha1 argument also
    > to ESP. (hmac-md5 is probably still fine, but sha1 goes better
    > strength-wise with rijndael-cbc.)
    >
    > I believe that in tunnel mode AH and ESP integrity are essentially
    > identical - but read RFC2401 and rfc2401bis (i-d from ipsec wg) if you
    > really want to understand.

    Not true. ESP integrity does not cover the IP header, only the ESP
    payload. Look at the diagrams in section 3.1 of RFC2406.

    > In transport mode, AH protects parts of
    > the original (and only) IP header.

    Not true. AH protects the entire datagram, including payload. Again
    hop down to section 3.1 of RFC2402 for that RFC-ASCII art we all love
    so much.

    As for the original problem. I've seen AH problems before. Follow the
    "Single IP host and IPsec tunnel mode experience" thread from -hackers
    from last year about this time. 

    -- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
  • Next message: Dan Langille: "IPsec works, but racoon/IKE does not"