
Re: IPSEC requirements
Well, it seems obvious to me that Marcus has expanded the definition of
"firewalls" far beyond the usual term.

> From: Marcus J Ranum <mjr@tis.com>
>       Firewall -- a system or combination of systems that
> enforces a trust boundary at the perimeter of an isolated
> network. This may be application level *or* IP level.
> ...
> I think of a virtual network
> perimeter as consisting of *HOSTS* *AND* their users.
>
In other words, a machine which has a login or FTP prompt (authenticates
the user at the application level) is a "firewall".

Please call it something else.  Most of us don't mean this when we say
"firewall".  A firewall is an IP level concept.  Even peeking into the
IP Protocol field is still an IP level concept.

You use PPP as an example.  We in that segment of the industry don't
call these devices "firewalls" either.  We call them Network Access
Servers.

Authenticating to a NAS does not grant you other trusted accesses, such
as automatic access to other machines in the net (although there is a
fellow from Cisco who proposed that recently).  All it does is determine
whether you are allowed access through that NAS.  Simple, clean.


> 	Host-level membership in the VNP is not a big deal,
> since you're implicitly trusting the host and its users,
> since you trust the administration of that host.

Agreed.

> The problem
> that I think is going to require some really careful thinking
> about is if we try to design a mechanism so that an individual
> remote *user* can gain access to the VNP without being on a
> host that is a member of the VNP.

That is _way_ outside what we are trying to do.

> 	Where I get confused is whether one of the objectives
> of IPSEC is to permit individual user membership in the VNP.

It is not.

> That was what prompted my remarks about authentication being
> best at the application layer. If I'm at a remote site, on
> a trusted host that's part of my VNP, then of course, I won't
> have any need to do anything especially fancy. If, however,
> I am at a remote site, on an untrusted host, is it the case
> that IPSEC doesn't help me at all?
>
It does not.

> Succinctly put, I
> don't think that network layer access control measures work
> as well as application layer access control measures if the
> remote member is an untrusted host. I'm not sure that application
> layer approaches work *either*.
>
Of course, it doesn't work.  If you don't trust the host, then all the
authentication has to be done _outside_ the host.  If you are doing it
offline on a calculator, then _you're_ the trusted host.  Why waste the
time?  Just connect your trusted host directly.

This goes with someone along the way commenting that clock based
challenges are bad, because the attacker could change the clock and get
the answers to later challenges.  This is (IMnsHO) pretty silly, since
if they control your clock, they probably control everything else, too.


> 	Your PPP node is then part of your VNP, even though
> you're not encrypting/authenticating your traffic. So your
> firewall is trusting your PPP node. What do you do if you
> are logged onto an *untrusted* outside node?? Presumably when
> you are, then you have to do something more elaborate to get
> through your firewall, no?
>
HUH?  How could I be "logged onto an *untrusted* outside node"?  This is
self-contradictory.

If I am logged in, I must have authenticated.  If I can authenticate,
the node must be trusted.  Otherwise, it wouldn't have my authentication
information.


> >And why wouldn't I be using my own trusted laptop?
>
> 	If all you're trying to do is build bigger,
> better firewalls, then definitely, there's no reason
> not to use your own trusted laptop. :) You're not making
> the firewall go away -- you're just inventing a magical
> way of moving your laptop (virtually) behind the firewall.
>
Again, this makes no sense to me.  Using Mobile-IP or some such
mechanism to authenticate myself has no relation to "firewalls".
The Home Agent is not a "firewall".  It is a "router".

The authentication used is the same needed for _any_ router to exchange
routing updates with another router.  We hope to use IP-SEC for that,
since it is an IP level node-node activity.

Just as we don't call routing forwarders "gateways" anymore, because the
term was taken by application level, please don't use the term
"firewall" for authentication at any level.  Firewalls do not do
authentication.

I don't grok that speak.

Bill.Simpson@um.cc.umich.edu