
Re: key management




Charlie Watt says:
> > There was no suggestion here that network layer information pass
> > process related security information. There was only a suggestion that
> > transports should be able to specify that a particular SAID should be
> > used for a particular packet -- i.e. that it should be possible to
> > specify a SAID be used for a particular socket. There was no stated
> > requirement that a particular application need use this capacity.
> > 
> That's fine.
> 
> Forgive the misunderstanding, I misread your requirement:
> 
> > 1) They lack a specified method for managing separate keys for
> >    separate users; this is an articulated requirement for the IPv6
> >    case according to the IPng Directorate.

That was a reference to the key management layer, not to the IPSP
stuff. They are separate.

I realize that I am perhaps being more confusing rather than less
confusing here but the general point is this -- we have to be able to
deal with the per-user situation, but the intent is not to alter IPSP
but to indicate that hooks are needed in IPSP implementations to deal
with this. The intent is to handle the identification of the users at
what Phil Karn calls the "certificate management" layer. IKMPs that
can't deal with certificates for users but assume that you must have
only per host keys, or IPSP implementations that can't deal with the
idea that multiple SAIDs might be in use between systems and might be
set on a per socket basis, make it impossible to do this and are thus
a problem.

However, the IPSP layer knows nothing about users -- it only groks
SAIDs. There is a requirement on IPSP (or rather, on the v6 equivalent
which we ought to follow as well) that implementations must provide
ways to let different users use different SAIDs, but there is no
requirement that the layer know anything about these users.

My note was that some key management systems are thinking in terms of
managing SAIDs on the machine level only -- which is bad. Hooks are
needed to deal with user based keying. Also, some IKMPs are also
thinking in terms of authenticating machines to machines only, and not
in terms of being able to deal with multiple users, and this, too, is
bad.

> you wished to select keys based upon user identity,

I do, but that is above the IPSP layer, not at it.

> and to
> use that ability to provide application layer I&A.

Indeed, I wish to, but that is not to be handled in IPSP beyond the
fact that IPSP gives you the ability to know which SAID was used with
which incoming packet and to select which SAID should be used with
an outgoing one.

> 	- application layer support needs to be kept out of a network layer 
> 	  security protocol.
> 
> 	- the two need to be coordinated or we will wind up with a big mess.

I completely agree.

Perry
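The layering argued for above, as an added toy model that is not code from the original thread: the IPSP layer keeps only an SA table and a per-socket SAID binding, while a separate key-management layer is the only place that knows which user owns which SAID. The class and function names (IpspLayer, KeyManagementLayer, demo) and the key material are assumed for the illustration; the host-level-keying case shows why a machine-only IKMP leaves application-layer I&A with an ambiguous answer.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    said: int          # the only security handle visible at the network layer
    payload: bytes

class IpspLayer:
    """Network-layer security: knows SAIDs and sockets, never users."""
    def __init__(self):
        self.keys = {}          # SAID -> key material (constructed stand-in)
        self.socket_said = {}   # socket -> SAID selected for it (the hook)
    def install_sa(self, said, key):
        self.keys[said] = key
    def bind_socket(self, sock, said):
        if said not in self.keys:
            raise KeyError(f"no SA installed for SAID {said}")
        self.socket_said[sock] = said
    def send(self, sock, src, dst, payload):
        return Packet(src, dst, self.socket_said[sock], payload)
    def receive(self, pkt):
        if pkt.said not in self.keys:
            raise KeyError(f"unknown SAID {pkt.said}")
        return pkt.said, pkt.payload   # reports which SAID was used, nothing more

class KeyManagementLayer:
    """'Certificate management' layer: maps users to SAIDs, hands them to IPSP."""
    def __init__(self, ipsp, per_user=True):
        self.ipsp, self.per_user = ipsp, per_user
        self.owners = {}        # SAID -> users sharing it
        self._saids = count(1)
        self._host_said = None  # used only when keying is per host
    def said_for(self, user):
        if not self.per_user and self._host_said is not None:
            said = self._host_said
        else:
            said = next(self._saids)
            self.ipsp.install_sa(said, f"key-{said}")   # constructed key
            if not self.per_user:
                self._host_said = said
        self.owners.setdefault(said, set()).add(user)
        return said
    def users_for(self, said):
        return sorted(self.owners[said])

def demo(per_user):
    """Two users on one host; sender and receiver share the SA table here."""
    ipsp = IpspLayer(); km = KeyManagementLayer(ipsp, per_user)
    for user in ("alice", "bob"):
        ipsp.bind_socket(f"{user}-sock", km.said_for(user))
    said, _ = ipsp.receive(ipsp.send("bob-sock", "hostA", "hostB", b"hi"))
    return km.users_for(said)   # per-user: ['bob']; per-host: ['alice', 'bob']
```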

