> > > > So what fields does AH protect:
> > > >
> > > > Version, Payload length, Next Header, Source IP and dest IP
> >
> > you forgot IPv4 and IPv6 options that have predictable values at the
> > destination
Let's start with the IPv6 Type 0 Routing Header (aka "Source Routing" in v4 parlance), which is a mutable but predictable extension header. It has been discovered and is widely known that these functionalities can be exploited in order to perform remote network discovery, can be used to bypass firewalls and can be used for DoS attacks. RFC 5095 has more details on this. This has been deprecated and nobody is really using this.

Hop-by-Hop Options and Destination Extension Headers

These options contain a bit that indicates whether the option might change (unpredictably) during transit. For any option for which contents may change en route, the entire "Option Data" field must be treated as zero-valued octets when computing or verifying the ICV. The Option Type and Opt Data Len are included in the ICV calculation. All options for which the bit indicates immutability are included in the ICV calculation.

If we were to use ESP-NULL instead, then there is no way to validate whether the Option Type and Opt Data Len are valid or not till the processing is done at the receiving end. So, what kind of attack can possibly be done by changing these values? What is the real risk involved here?

Fragmentation Header

Fragmentation occurs after AH processing, and reassembly before AH processing on the other end. So, there is really no gain there either.

Cheers,
Manav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
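The mutable-field handling Manav describes (zero the IPv6 base header's DSCP/ECN, Flow Label and Hop Limit; for Hop-by-Hop and Destination Options, keep Option Type and Opt Data Len but zero the Option Data of any option whose change-en-route bit is set) is shown below as an added Python example. It is not code from the original message or from any IPsec implementation. Assumptions: the packets are constructed inline (a Router Alert option, which is immutable, next to the RFC 4727 experimental option type 0x3E, chosen because its change bit is set), the key is a throwaway demo key, HMAC-SHA-1-96 stands in for the negotiated integrity algorithm, and the AH header itself (whose ICV field is also zeroed) and the payload are passed through unmasked rather than built.

```python
import hashlib
import hmac
import struct

IPV6_HDR_LEN = 40
NH_HOP_BY_HOP = 0     # Hop-by-Hop Options header
NH_DEST_OPTS = 60     # Destination Options header
NH_NONE = 59          # No Next Header
OPT_PAD1 = 0x00
OPT_PADN = 0x01
OPT_ROUTER_ALERT = 0x05        # change bit clear: immutable
OPT_EXPERIMENTAL_3E = 0x3E     # RFC 4727 experimental type; change bit set
OPT_CHANGE_EN_ROUTE = 0x20     # third-highest bit of Option Type (RFC 8200)


def mask_ipv6_base_header(hdr: bytes) -> bytes:
    """Base header as AH sees it (RFC 4302 3.3.3.1.2): Version, Payload
    Length, Next Header, Source and Destination kept; Traffic Class
    (DSCP/ECN), Flow Label and Hop Limit zeroed."""
    if len(hdr) != IPV6_HDR_LEN:
        raise ValueError("IPv6 base header must be 40 bytes")
    out = bytearray(hdr)
    out[0] &= 0xF0                  # keep Version nibble, drop Traffic Class high bits
    out[1] = out[2] = out[3] = 0    # rest of Traffic Class + Flow Label
    out[7] = 0                      # Hop Limit
    return bytes(out)


def mask_options_header(ext: bytes) -> bytes:
    """Hop-by-Hop or Destination Options header as AH sees it: Next Header,
    Hdr Ext Len, every Option Type / Opt Data Len and the data of immutable
    options kept; Option Data of options with the change bit set zeroed."""
    if len(ext) < 8:
        raise ValueError("options header shorter than 8 bytes")
    hdr_len = (ext[1] + 1) * 8       # Hdr Ext Len is in 8-octet units, first 8 excluded
    if len(ext) < hdr_len:
        raise ValueError("truncated options header")
    out = bytearray(ext[:hdr_len])
    pos = 2
    while pos < hdr_len:
        opt_type = out[pos]
        if opt_type == OPT_PAD1:     # single-byte option, no length field
            pos += 1
            continue
        if pos + 2 > hdr_len:
            raise ValueError("option TLV overruns header")
        end = pos + 2 + out[pos + 1]
        if end > hdr_len:
            raise ValueError("option data overruns header")
        if opt_type & OPT_CHANGE_EN_ROUTE:
            out[pos + 2:end] = bytes(end - pos - 2)   # treat data as zero octets
        pos = end
    return bytes(out)


def ah_icv_input(pkt: bytes) -> bytes:
    """Bytes fed to the AH ICV for a packet whose extension chain starts with
    Hop-by-Hop / Destination Options headers. Anything after them (routing
    header, AH header, payload) is passed through unchanged in this example."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("packet shorter than an IPv6 header")
    out = bytearray(mask_ipv6_base_header(pkt[:IPV6_HDR_LEN]))
    next_hdr, pos = pkt[6], IPV6_HDR_LEN
    while next_hdr in (NH_HOP_BY_HOP, NH_DEST_OPTS):
        if len(pkt) < pos + 8:
            raise ValueError("truncated extension header")
        hdr_len = (pkt[pos + 1] + 1) * 8
        out += mask_options_header(pkt[pos:pos + hdr_len])
        next_hdr, pos = pkt[pos], pos + hdr_len
    out += pkt[pos:]
    return bytes(out)


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-1-96 (RFC 2404): HMAC-SHA-1 truncated to the first 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def build_packet(traffic_class: int, flow_label: int, hop_limit: int,
                 exp_option_data: bytes) -> bytes:
    """Constructed sample: base header + one Hop-by-Hop header carrying
    Router Alert (immutable), experimental option 0x3E (mutable, 4 bytes)
    and PadN to reach the 8-octet boundary."""
    if not (0 <= traffic_class <= 0xFF and 0 <= flow_label < 1 << 20
            and 0 <= hop_limit <= 0xFF and len(exp_option_data) == 4):
        raise ValueError("bad sample parameters")
    options = (bytes([OPT_ROUTER_ALERT, 2, 0, 0])
               + bytes([OPT_EXPERIMENTAL_3E, 4]) + exp_option_data
               + bytes([OPT_PADN, 2, 0, 0]))
    hbh = bytes([NH_NONE, len(options) // 8]) + options      # Hdr Ext Len = 1
    src = bytes.fromhex("20010db8000000000000000000000001")   # documentation prefix
    dst = bytes.fromhex("20010db8000000000000000000000002")
    base = (bytes([0x60 | (traffic_class >> 4),
                   ((traffic_class & 0x0F) << 4) | (flow_label >> 16),
                   (flow_label >> 8) & 0xFF, flow_label & 0xFF])
            + struct.pack("!HBB", len(hbh), NH_HOP_BY_HOP, hop_limit) + src + dst)
    return base + hbh


def demo() -> bool:
    """Two packets differing only in mutable fields yield the same ICV."""
    key = b"constructed-demo-key"               # assumption: throwaway key
    a = build_packet(0x00, 0x00000, 64, b"\x11\x22\x33\x44")
    b = build_packet(0x2E, 0x12345, 63, b"\xaa\xbb\xcc\xdd")
    return hmac_sha1_96(key, ah_icv_input(a)) == hmac_sha1_96(key, ah_icv_input(b))
```

Flipping one byte of the Router Alert option data, by contrast, changes `ah_icv_input` and so the ICV: that is the difference between a mutable option and an immutable one under AH, and it is exactly what ESP-NULL cannot tell apart, since it covers none of the outer headers.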