[VPN] Is IP address spoofing possible with ESP transport mode?

Stephen J. Bevan stephen at dino.dnsalias.com
Tue Feb 8 02:05:41 EST 2005


Son Phan writes:
[snip]
 > Question:
[snip]
 > -There is a source address field in SA. Is it mandatory to check
 > this value against the source IP address to protect the above case?

In general for transport mode the packet's source address must match
the SA selector value for the SA indicated by the packet's SPI value.
See RFC 2401 section 5.2.1 step 2 for the gory details and
exceptions.

 > I have some doubt about it as it can be wildcast in many cases.
 > 
 > -Is there any measure to protect the case described here?

Your scenario left out how Bob's SA was created (manually, via IKE,
via some other keying protocol) and what values it contains so I don't
know if there is a specific case you are interested in or all
variations.  Either way, if spoofing is something you want to avoid
then don't use a wildcard or range in an SA.  This doesn't mean you
can't have wildcards in any templates that are used to generate an SA,
just not in the SA.  See for example RFC 2401 section 4.4.1 which
mentions how an SA with a single source address can result from an SPD
entry with a wildcard address.
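As an added illustration of the RFC 2401 section 5.2.1 check discussed above (example code, not part of the post): a simplified model of the inbound SA lookup by SPI and destination, followed by the source-selector comparison. The SAD layout, the addresses and the helper names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    """Inbound SA, keyed by (SPI, destination), carrying a source selector."""
    spi: int
    dst: str            # the SA's destination (Bob's address)
    src_selector: str   # single host, CIDR range, or "any" (wildcard)


def selector_matches(selector: str, addr: str) -> bool:
    """True when addr falls inside the selector (host, range or wildcard)."""
    if selector == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False)


def inbound_check(sad: dict, spi: int, src: str, dst: str):
    """Model of RFC 2401 5.2.1: step 1 finds the SA by (SPI, dst); step 2
    requires the packet's source address to match the SA's source selector.
    Returns (accepted, reason)."""
    sa = sad.get((spi, dst))
    if sa is None:
        return False, "no SA for this SPI/destination"
    if not selector_matches(sa.src_selector, src):
        return False, f"source {src} outside SA selector {sa.src_selector}"
    return True, "ok"


# Constructed sample (assumed addresses): Bob holds one inbound SA, SPI 0x1000,
# negotiated with Alice. OTHER is a host the SA was not set up with.
BOB = "192.0.2.10"
ALICE = "198.51.100.5"
OTHER = "203.0.113.7"


def build_sad(src_selector: str) -> dict:
    sa = SA(spi=0x1000, dst=BOB, src_selector=src_selector)
    return {(sa.spi, sa.dst): sa}


def compare_policies() -> dict:
    """Same SPI and destination under two SAs: wildcard vs single-address selector."""
    results = {}
    for label, selector in (("wildcard", "any"), ("single-host", ALICE + "/32")):
        sad = build_sad(selector)
        results[label] = {
            "from_alice": inbound_check(sad, 0x1000, ALICE, BOB)[0],
            "from_other": inbound_check(sad, 0x1000, OTHER, BOB)[0],
        }
    return results
```

Only the single-host selector rejects a packet that carries Alice's SPI but a different source address; the wildcard SA passes step 2 for any source, which is the point about not putting wildcards in the SA itself.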
