
Authenticated PDUs




Some recent discussions on the SIPP list triggered some thoughts about
authenticated datagrams.  I believe that we have talked about IPSP as
a general encapsulation service at the network layer which would also
support authenticated network datagrams - making the "ICV" an
authenticator and not encrypting the datagram at all.  (Of course,
maybe this is out of scope of the group, in which case, it doesn't
matter).  Anyway,

For encryption services, there is an explicit security association
formed and all the information needed to process security PDUs is
implicit in the SAID.  These parameters are determined during SA
establishment.  (By the way, I've started lobbying to make some of the
information, especially protocol options, explicitly indicated in the
SAID - creating a partial SAID syntax.)

For authenticated PDUs, I'm not sure the same argument holds.  If I am
using the protocol to authenticate information used by intermediate
systems (I believe this is an essential requirement), then I don't
know who the peers will be.  In the case of firewalls, this is
important because it allows the firewall to know with confidence who
the originator of the datagram is.  Consequently, the PDU must carry
sufficient information to allow an arbitrary system to validate the
check.  This is similar to the PEM distinction between encrypted and
signed messages where encrypted messages have per-recipient tokens
while signed messages can be processed by anyone.

I can imagine this working only for asymmetric-based authentication
since symmetric, MAC, style schemes require some external management
which mirrors SA establishment.  In order to keep within the
encapsulation paradigm, for authenticated datagrams, I think
we need to define a "global" SAID.  This SAID is used to denote
an authentication algorithm which permits validation by any network
entity and explicitly indicates the algorithm used.

If we follow this path, then along with support for multiparty
associations (multicast, anycast); efficient demultiplexing and
protocol processing, I think we need to discuss the management
of SAID space.

Dave
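
The distinction drawn in the message, as an added example that is not part of the original post or of any IPSP draft: a PDU under a "global" SAID that names its algorithm explicitly can be validated by an intermediate system with no SA state, while an association-specific SAID cannot. The wire layout, the flag bit, the algorithm number, the originator ID field and the key directory are all assumptions, and Ed25519 stands in for the asymmetric algorithm.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical layout: SAID (4) | originator ID (4) | payload | signature (64).
// Top bit of the SAID set means "global"; the low bits name the algorithm.
const globalFlag, algEd25519, headerLen = 0x80000000, 1, 8
var (
	ErrNeedsSA  = errors.New("association-specific SAID: no SA state on this system")
	ErrUnknown  = errors.New("unknown algorithm or originator")
	ErrBadCheck = errors.New("authenticator does not verify")
)
// Seal builds an authenticated, unencrypted PDU under the global SAID.
func Seal(priv ed25519.PrivateKey, origin uint32, payload []byte) []byte {
	pdu := make([]byte, headerLen, headerLen+len(payload)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(pdu[0:4], globalFlag|algEd25519)
	binary.BigEndian.PutUint32(pdu[4:8], origin)
	pdu = append(pdu, payload...)
	return append(pdu, ed25519.Sign(priv, pdu)...) // covers header and payload
}

// Verify runs on any intermediate system; dir stands in for a public key directory.
func Verify(dir map[uint32]ed25519.PublicKey, pdu []byte) (uint32, []byte, error) {
	if len(pdu) < headerLen+ed25519.SignatureSize {
		return 0, nil, ErrBadCheck
	}
	said, origin := binary.BigEndian.Uint32(pdu[0:4]), binary.BigEndian.Uint32(pdu[4:8])
	if said&globalFlag == 0 {
		return 0, nil, ErrNeedsSA // MAC-style SAID: only the SA peers hold the key
	}
	pub, known := dir[origin]
	if said&^globalFlag != algEd25519 || !known {
		return 0, nil, ErrUnknown
	}
	body := len(pdu) - ed25519.SignatureSize
	if !ed25519.Verify(pub, pdu[:body], pdu[body:]) {
		return 0, nil, ErrBadCheck
	}
	return origin, pdu[headerLen:body], nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for originator 7
	fmt.Println(Verify(map[uint32]ed25519.PublicKey{7: pub}, Seal(priv, 7, []byte("hello"))))
}
```

Because the signature covers the SAID and the originator ID as well as the payload, changing either field in transit makes validation fail.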