Daniel Migault writes:
> I agree that for an already negotiated SA, the SPD lookup detects IP source
> address spoofing.

Not quite true, as you point out yourself.

> So in that case ESP detects the address spoofing during
> the SPD check whereas AH would detect it while checking the signature check.
>
> However SAD lookup is done with the longest match rule, and section 4.1 of
> RFC4301 specifies:
>
> "3. Search the SAD for a match on only SPI if the receiver has
> chosen to maintain a single SPI space for AH and ESP, and on
> both SPI and protocol, otherwise."
>
> This seems to enable an ESP or AH datagram with spoofed IP addresses to match
> the SAD and SPD.

Yes, and this is very important to get NAT-T and MOBIKE to work, as there
the source address might change (either because the NAT box rebooted or
otherwise forgot the mapping and gave a new IP address for the IPsec
connection, or because the host moved around using MOBIKE).

> If we consider a middlebox that changes the IP address,
> then using ESP will not detect the IP address spoof. On the other hand, using
> AH the spoofing attack will be detected.

Yes.

> Thus I would not consider AH as ESP_NULL equivalent, and thus feel AH should
> not be removed. Nevertheless, AH has a major drawback which is NAT. For now
> we can only hope IPv6 will bring end-to-end connectivity. At least AH
> would take considerable advantage of this statement!

To reiterate for others, the major drawback in AH is that it actually
detects changes in the source / destination IP addresses, thus it breaks
if there are evil attackers (called NATs) in the middle who try to modify
source and/or destination addresses...

> IMO, rather than removing AH I would see if future use of the Internet makes
> it "historical" or not. For now it might be too soon to take such a
> decision. Furthermore, AH does not cause "problems" with other protocols,
> since they can choose not to use it.

I agree.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
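The mechanism the two posters are discussing, as an added worked example that is not part of the thread or of any IPsec implementation: the inbound SAD lookup keys on (SPI, protocol) as in the quoted RFC 4301 section 4.1 item 3, so a datagram whose outer source address was rewritten by a NAT still finds its SA. Whether the rewrite is then noticed depends on what the ICV covers. AH's ICV (RFC 4302) covers the immutable IP header fields, addresses included, with the mutable ones zeroed; ESP's ICV (RFC 4303) covers only the ESP header, payload and trailer, never the outer IP header. The model below is deliberately simplified: IPv4 without options, ESP with NULL encryption, HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm, a constructed fixed key, the IPv4 checksum left at zero, and no SPD or anti-replay processing. The SPI values, addresses, key and payload are all constructed for the demo.

```python
"""Toy model of AH vs ESP behaviour behind an address-rewriting NAT.

Illustrative code written for this page; not an IPsec implementation.
Assumptions: IPv4 only, no IP options, ESP-NULL (integrity only),
HMAC-SHA-256-128 ICV, fixed demo key, no SPD/anti-replay checks.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ESP_PROTO = 50
ICV_LEN = 16  # HMAC-SHA-256-128: SHA-256 HMAC truncated to 128 bits


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header. Checksum is left at 0 for brevity; it is a
    mutable field, so AH zeroes it before computing the ICV anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_icv_input(ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """RFC 4302 3.3.3.1: mutable IPv4 fields (DSCP/ECN, flags + fragment
    offset, TTL, header checksum) and the AH ICV field are zeroed. Source and
    destination addresses are immutable, so they stay in the ICV input."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP/ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h) + ah_hdr[:12] + b"\x00" * ICV_LEN + payload


def build_ah(key: bytes, spi: int, seq: int, src: str, dst: str,
             inner_proto: int, payload: bytes) -> bytes:
    """AH: next header, payload len (32-bit words minus 2), reserved, SPI, seq, ICV."""
    ah_len = 12 + ICV_LEN
    fixed = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    tag = icv(key, ah_icv_input(ip_hdr, fixed, payload))
    return ip_hdr + fixed + tag + payload


def build_esp(key: bytes, spi: int, seq: int, src: str, dst: str,
              inner_proto: int, payload: bytes) -> bytes:
    """ESP-NULL: SPI, seq, payload, default padding (1,2,3,...), pad len,
    next header, ICV. RFC 4303: the ICV never covers the outer IP header."""
    pad_len = (-(len(payload) + 2)) % 4
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, inner_proto])
    esp = struct.pack("!II", spi, seq) + body
    tag = icv(key, esp)
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, len(esp) + ICV_LEN)
    return ip_hdr + esp + tag


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT (or a MOBIKE address change) does: rewrite the outer source
    address and touch nothing behind the IP header."""
    h = bytearray(packet[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h) + packet[20:]


def receive(sad: dict, packet: bytes) -> str:
    """Inbound processing: SAD lookup on (SPI, protocol) per RFC 4301 4.1
    item 3, then ICV verification. Returns 'no-sa', 'icv-fail' or 'ok'."""
    ip_hdr, rest = packet[:20], packet[20:]
    proto = ip_hdr[9]
    spi_bytes = rest[4:8] if proto == AH_PROTO else rest[0:4]
    sa = sad.get((struct.unpack("!I", spi_bytes)[0], proto))
    if sa is None:
        return "no-sa"
    if proto == AH_PROTO:
        ah_len = (rest[1] + 2) * 4
        ah_hdr, payload = rest[:ah_len], rest[ah_len:]
        expected = icv(sa["key"], ah_icv_input(ip_hdr, ah_hdr, payload))
        got = ah_hdr[12:ah_len]
    else:
        expected = icv(sa["key"], rest[:-ICV_LEN])
        got = rest[-ICV_LEN:]
    return "ok" if hmac.compare_digest(expected, got) else "icv-fail"


KEY = bytes(range(32))  # constructed demo key; never hard-code keys in real code
SAD = {(0x1000, AH_PROTO): {"key": KEY}, (0x2000, ESP_PROTO): {"key": KEY}}
PAYLOAD = b"hello from 10.0.0.1"  # constructed inner data


def demo() -> dict:
    ah = build_ah(KEY, 0x1000, 1, "10.0.0.1", "198.51.100.9", 17, PAYLOAD)
    esp = build_esp(KEY, 0x2000, 1, "10.0.0.1", "198.51.100.9", 17, PAYLOAD)
    return {
        "ah_direct": receive(SAD, ah),
        "esp_direct": receive(SAD, esp),
        "ah_via_nat": receive(SAD, nat_rewrite_source(ah, "203.0.113.7")),
        "esp_via_nat": receive(SAD, nat_rewrite_source(esp, "203.0.113.7")),
        "unknown_spi": receive(SAD, build_esp(KEY, 0x3000, 1, "10.0.0.1",
                                              "198.51.100.9", 17, PAYLOAD)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both packets pass the SAD lookup after the NAT rewrite, because nothing the NAT changed is part of the lookup key; only the AH packet then fails ICV verification, which is exactly the property that makes AH unusable through NATs and ESP usable with NAT-T and MOBIKE. The `unknown_spi` case shows the SAD miss that occurs when the SPI itself is wrong, regardless of addresses.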