external hosts and a security gateway, or between security gateways. In this
fashion the hosts themselves need not perform any enciphering, and key distribution
is simplified because fewer keys are required. From a security standpoint, this
mode is valuable because the inner IP header (and so the true source and destination
addresses) is encrypted along with the payload, which limits traffic analysis (see
note 8.11). Last, as with AH, authentication is optional; when selected it covers the
ESP header and the encapsulated data, but, unlike AH, not the outer IP header.
Combining Security Associations
As observed in our earlier examination of SAs, they are one-way relationships.
Yet we may wish to employ more than one of them, in which case we must set
up a new SA for each instance. We already considered and illustrated one
mechanism for combining them, namely iterated tunneling (see Diagram 8.20).
Now we look at the other method of combining SAs.
Transport Adjacency
Transport adjacency (see Diagram 8.23) pertains to the mechanism where
multiple transport SAs are applied to the same IP packet (without using
tunneling SAs). Both AH and ESP may be combined by this method. In this
case, the IP packet is processed only at its final destination.
The use of either of the two methods, iterated tunneling or transport adjacency,
is called security association bundling (SA bundling).
Diagram 8.23 Transport Adjacency
[Figure: Host A and Host B communicate across the Internet through Security Gateway A and Security Gateway B; two transport-mode SAs between the hosts are applied to the same packet, SA-1 (AH Transport) and SA-2 (ESP Transport).]
Transport adjacency may also be used to bundle SAs with, for instance,
the inner one being an ESP SA and the outer one being an AH SA, thereby
applying authentication after encryption. (We refer the reader to pages 266 and
267 for our discussion of the pros and cons concerning the order of encryption
vs. authentication.) Enciphering, in this case, is applied to the IP payload, then
AH is applied in transport mode so that authentication is the umbrella for ESP
and the original IP header, extensions included, but mutable fields excluded.
One could simply use a single ESP SA and invoke the authentication option to
8.11 Traffic analysis refers to the scrutiny of frequencies and lengths of enciphered messages,
by an adversary, in an effort to guess the nature of the communication being observed. From
this an opponent could discover the location and identity of communicating entities.
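The ESP-inner/AH-outer transport-adjacency bundle described above, worked through as an added example (this is not code from the book, and it is not a real IPsec implementation). It assumes IPv4, fixed constructed keys and SPIs, no header checksum, and a HMAC-SHA256 counter keystream standing in for the AES cipher a real ESP SA would use; the packet layouts, the zeroing of the mutable IP fields (TOS, flags/fragment offset, TTL, checksum) for the AH ICV, and the order "encrypt, then authenticate, verify before decrypting" are the actual mechanism the text describes.

```python
"""Toy model of IPsec transport adjacency with an inner ESP SA and an outer
AH SA.  Added illustration only: not real IPsec.  Keys are fixed constructed
values, a HMAC-SHA256 counter keystream stands in for AES, IPv4 only, and the
IP header checksum is left at zero."""
import hashlib
import hmac
import struct

PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51

# Constructed keys and SPIs (hypothetical values, fixed for reproducibility).
ESP_KEY, ESP_SPI = b"\x11" * 32, 0x1001
AH_KEY, AH_SPI = b"\x22" * 32, 0x2002


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy counter-mode keystream (placeholder for AES-CTR; not for real use)."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    # ver/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def esp_encapsulate(payload: bytes, next_header: int, seq: int) -> bytes:
    """ESP transport: SPI | seq | IV | encrypt(payload | padding | pad_len | next_header).
    No ESP ICV here: integrity is supplied by the outer AH SA, as in the text."""
    iv = hashlib.sha256(struct.pack(">I", seq)).digest()[:8]  # toy deterministic IV
    pad_len = (-(len(payload) + 2)) % 4
    plaintext = payload + bytes(pad_len) + bytes([pad_len, next_header])
    ciphertext = xor(plaintext, keystream(ESP_KEY, iv, len(plaintext)))
    return struct.pack(">II", ESP_SPI, seq) + iv + ciphertext


def esp_decapsulate(esp: bytes) -> tuple:
    iv, ciphertext = esp[8:16], esp[16:]
    plaintext = xor(ciphertext, keystream(ESP_KEY, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return plaintext[: len(plaintext) - 2 - pad_len], next_header


def ah_icv(ip_hdr: bytes, ah_no_icv: bytes, rest: bytes) -> bytes:
    """AH ICV over the IP header with mutable fields zeroed, the AH header with
    a zeroed ICV field, and everything that follows (here the ESP packet)."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS / DSCP
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return hmac.new(AH_KEY, bytes(h) + ah_no_icv + bytes(16) + rest, hashlib.sha256).digest()[:16]


def protect(payload: bytes, src: bytes, dst: bytes, seq: int) -> bytes:
    """Sender: inner ESP SA first, then the outer AH SA (authenticate after encrypt)."""
    esp = esp_encapsulate(payload, PROTO_TCP, seq)
    # AH: next header, payload len (AH length in 32-bit words minus 2), reserved, SPI, seq
    ah_no_icv = struct.pack(">BBHII", PROTO_ESP, 5, 0, AH_SPI, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + 28 + len(esp))
    return ip_hdr + ah_no_icv + ah_icv(ip_hdr, ah_no_icv, esp) + esp


def unprotect(packet: bytes) -> tuple:
    """Receiver (the final destination): verify AH first, only then decrypt ESP."""
    ip_hdr, ah, esp = packet[:20], packet[20:48], packet[48:]
    if ip_hdr[9] != PROTO_AH or ah[0] != PROTO_ESP:
        raise ValueError("unexpected protocol chain")
    ah_no_icv, icv = ah[:12], ah[12:]
    if not hmac.compare_digest(icv, ah_icv(ip_hdr, ah_no_icv, esp)):
        raise ValueError("AH integrity check failed; dropped before decryption")
    return esp_decapsulate(esp)


def demo() -> tuple:
    """Constructed walk-through: a router hop (TTL decrement) still verifies;
    a flipped ciphertext byte is rejected by AH before ESP is even decrypted."""
    pkt = protect(b"GET / HTTP/1.0\r\n\r\n", bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), seq=1)
    hopped = bytearray(pkt)
    hopped[8] -= 1                       # TTL is mutable, hence excluded from the ICV
    payload, next_header = unprotect(bytes(hopped))
    flipped = bytearray(pkt)
    flipped[-1] ^= 0x01                  # tamper with the ESP ciphertext in transit
    try:
        unprotect(bytes(flipped))
        rejected = False
    except ValueError:
        rejected = True
    return payload, next_header, rejected


if __name__ == "__main__":
    print(demo())
```

The receiver checks the AH ICV before it touches the ESP ciphertext, so a tampered packet is dropped without any decryption, which is the practical benefit of authenticating after encrypting; a TTL change made by a router in transit does not disturb the ICV because the mutable fields are zeroed on both sides. A real deployment would use AES (and today usually ESP with its own integrity or a combined-mode cipher rather than a separate AH SA), random IVs, and anti-replay checks on the sequence numbers.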