RE: IPsec transport control

From: Menga, Justin (Justin.Menga@xxxxxxxxxx)
Date: Thu Mar 07 2002 - 22:16:54 GMT-3


   
Hi Brian,

IPSec is most definitely a connection-oriented protocol - IPSec uses
sequence numbers to protect against replay attacks, and also must
refresh keys - each of these attributes forms a connection (or some form
of state) between each party. The connection in IPSec parlance is
called a security association. A security association (SA) defines a
set of proxy endpoints (the source and destination of the original
data). These endpoints can be expressed in terms of a
source/destination IP address pair, a source/destination IP subnet pair,
and based upon even Layer 4 information. Each SA uses a unique secret key
for encryption - other SA's use their own key.

The Next Header field basically verifies the payload packet - this is
used by the IPSec process to identify which security association the payload
is a part of. A security association can be based upon Layer 3 and 4
protocol parameters, hence fields in the Next Header must reflect these.

HTH
Justin Menga

-----Original Message-----
From: Brian Lodwick [mailto:xpranax@hotmail.com]
Sent: Friday, 8 March 2002 6:26 a.m.
To: ccielab@groupstudy.com
Subject: IPsec transport control

I have been trying to figure out something that would seem simple, but
has proven to be quite difficult.

Is an IPsec packet connection-oriented or connectionless when using ESP?

I have found some good information on the breakdown of the ESP header
format from the latest IETF draft, and I think I have the answer, but I
wanted to run it by some of the security whizzes out there.

I understood that the "next header" field of the ESP header will note
the protocol number and therefore will indicate the service type. Below is
an excerpt from the IETF draft:

2.6 Next Header

   The Next Header is a mandatory, 8-bit field that identifies the type
   of data contained in the Payload Data field, e.g., an IPv4 or IPv6
   packet, or an upper layer header and data. The value of this field
   is chosen from the set of IP Protocol Numbers defined on the web page
   of the IANA, e.g., a value of 4 indicates IPv4, a value of 41
   indicates IPv6 and a value of 6 indicates TCP.

I have to assume the router (tunneling device) is to read the old IP
packet information and then populate this "next header" field with that
same information, and then treat the data stream accordingly? It doesn't
say that exactly though which is confusing. If this is correct I would
guess the answer to my question would be dependent upon the original IP
packet information. i.e. if the original packet was using IP protocol
number 6 the ESP packet "next header" field would populate with a 6 and
the router would treat this as a connection-oriented data flow.

Any comments?

>>>Brian
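Added worked example (not from either poster, and not a vendor implementation): a
minimal ESP transport-mode encapsulator and inbound processor following the RFC 2406
packet layout, with NULL encryption (RFC 2410) so the byte layout stays visible and an
HMAC-SHA-256 ICV truncated to 128 bits as an assumed integrity algorithm. The key, the
SPI value and the payload bytes are constructed for the demo. The point a practitioner
should take from it: the receiver selects the SA from the cleartext SPI in the ESP
header, while the Next Header byte sits in the ESP trailer, inside the region that is
integrity-protected and (with a real cipher) encrypted, so it is only readable after
the ICV check and decryption; the sequence number feeds the per-SA anti-replay window.

```python
"""Constructed ESP (RFC 2406) transport-mode example: build, then receive.

SA selection uses the cleartext SPI; the Next Header byte lives in the ESP
trailer, inside the integrity-protected (normally encrypted) region, and is
only readable after ICV verification and decryption. NULL encryption
(RFC 2410) is assumed so the layout is visible; the ICV is HMAC-SHA-256
truncated to 128 bits (an assumed choice for this example, not from the thread).
"""
import hashlib
import hmac
import struct

ICV_LEN = 16        # assumed: HMAC-SHA-256 truncated to 128 bits
BLOCK = 4           # ESP requires Pad Length + Next Header to end on a 4-byte boundary


def build_esp(spi, seq, payload, next_header, key):
    """Encapsulate `payload` (an upper-layer datagram whose IP protocol
    number is `next_header`, e.g. 6 for TCP) in ESP with NULL encryption."""
    header = struct.pack("!II", spi, seq)              # SPI, Sequence Number (cleartext)
    pad_len = (-(len(payload) + 2)) % BLOCK            # bytes needed to align the trailer
    padding = bytes(range(1, pad_len + 1))             # default ESP padding 1, 2, 3, ...
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    body = header + payload + trailer                  # NULL cipher: ciphertext == plaintext
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class ReplayWindow:
    """Sliding anti-replay window (RFC 2406 section 3.4.3): bit i of `bitmap`
    is set when sequence number `top - i` has already been accepted."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq):
        if seq == 0:                                   # first packet on an SA carries 1
            return False
        if seq > self.top:                             # new high value: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                        # older than the window: drop
            return False
        if self.bitmap & (1 << offset):                # already seen: replay, drop
            return False
        self.bitmap |= 1 << offset
        return True


class SecurityAssociation:
    def __init__(self, key):
        self.key = key
        self.window = ReplayWindow()


def receive_esp(pkt, sad):
    """Inbound processing for one ESP packet. `sad` maps SPI -> SecurityAssociation
    (a real SAD is keyed on destination address and protocol as well, RFC 2406
    section 3.4.2). Returns (next_header, payload) or raises ValueError on drop."""
    if len(pkt) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    spi, seq = struct.unpack("!II", pkt[:8])
    sa = sad.get(spi)                                  # SA lookup uses only cleartext fields
    if sa is None:
        raise ValueError("no SA for SPI 0x%08x" % spi)
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(sa.key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):         # verify before trusting anything inside
        raise ValueError("ICV mismatch")
    if not sa.window.accept(seq):                      # window is updated only after ICV passes
        raise ValueError("replayed or stale sequence number %d" % seq)
    plaintext = body[8:]                               # NULL decryption
    pad_len, next_header = plaintext[-2], plaintext[-1]   # trailer: readable only now
    if pad_len + 2 > len(plaintext):
        raise ValueError("bad pad length")
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    if plaintext[len(payload):-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return next_header, payload


if __name__ == "__main__":
    key = bytes(32)                                    # constructed demo key
    sad = {0x1000: SecurityAssociation(key)}
    pkt = build_esp(0x1000, 1, b"TCP segment bytes", 6, key)
    print(receive_esp(pkt, sad))
    try:
        receive_esp(pkt, sad)                          # same packet again: replay
    except ValueError as e:
        print("dropped:", e)
```

Running the script shows the first delivery returning `(6, b'TCP segment bytes')` and the
replayed copy being dropped by the window. Nothing in `receive_esp` consults the Next Header
byte until after the SA has been found by SPI and the ICV has verified, which is the order
a forwarding device must follow whatever the inner protocol turns out to be.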



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:56 GMT-3