
Re: Naming 2: untrustable hosts



On Tue, 14 Feb 1995 smb@research.att.com wrote:

> Date: Tue, 14 Feb 95 09:40:13 EST
> From: smb@research.att.com
> To: ipsec@ans.net
> The IPv6 specs say that the potential for authentication is mandatory.
> The draft API spec (in a concept I didn't challenge...) stated that
> both services and systems could impose a mandatory minimum security
> level.  Presumably, these services or hosts would not talk to a peer if
> it could not negotiate a key with that level of security.  What happens
> with inherently untrustable machines, such as shared PCs in a
> university lab?  Are these machines to be barred from some class of
> Internet services?

The way most people view this as happening is that the person using the
machine ideally plugs in their smart card which has in it the key for
person.lab.course.university.edu or something and this key is used
to dynamically update the DNS so the A (&AAAA) records for that name
now point to the machine.  The PC then requests that the inverse DNS
be changed and some router or gateway has a key that lets it do that
dynamic update based on this request and the fact that it can see
that the forward listing has already been changed.

> One reason for demanding authentication, even at the coarse granularity
> of a host, is so that you know who should be held accountable.  It
> seems, then, that such machines could have a key if the key was bound
> to the person using it at the time.  In other words, a Kerberos-like
> (or more precisely, an Athena-like, since it fits the Athena philosophy
> of whom you authenticate) name of ``user@domain'' might be used here,
> whereas a timesharing machine or a PC used by just one person would
> have a key bound to ``domain'' or maybe ``@domain''.  And this in turn
> imposes some requirements on the forms of names that the key management
> protocol must deal with.
> 
> I realize that one objection to this proposal is the notion that that
> user-granularity security is (to quote the response to a previous message
> of mine) ``an explicit non-goal''.  But I don't see any other way to
> handle inherently untrustable machines.

Have I missed something?  Security granularity at less than the host level
was always an IPv6 requirement.  I'm not saying that the availability of
granularity down to the user account was ever made a goal for ipsec, but 
when in the world was it ever decided to be avoided in the ipsec effort???

> 		--Steve Bellovin

Donald

=====================================================================
Donald E. Eastlake 3rd      1-508-287-4877(tel)     dee@cybercash.com
   318 Acton Street         1-508-371-7148(fax)     dee@world.std.com
Carlisle, MA 01741 USA
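The flow Donald describes in his reply (a per-name key on the user's smart card authorizes the forward A/AAAA change, and a gateway holding the reverse-zone key will only change the PTR record once it can see the forward listing already points at the machine) is modelled below as an added example. It is not code from the message, the thread, or any IPv6/ipsec draft: the zones are plain dictionaries, the "keys" are constructed HMAC-SHA256 secrets standing in for whatever the card would hold, and the names and addresses are made up. The point it shows is the ordering check on the gateway side: a PTR request for an address the forward zone never named is refused, and a second card cannot rebind a name it has no key for.

```python
import hmac
import hashlib

# Constructed model (not real DNS UPDATE) of: card key -> forward A/AAAA
# update; gateway key -> PTR update, gated on the forward record existing.

def _tag(key: bytes, msg: str) -> bytes:
    # HMAC-SHA256 stands in for whatever the smart card's key would compute.
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _rrtype(addr: str) -> str:
    return "AAAA" if ":" in addr else "A"

class ForwardZone:
    def __init__(self, name_keys: dict):
        self.name_keys = name_keys        # name -> key (what that user's card holds)
        self.records = {}                 # (name, rrtype) -> address

    def update(self, name: str, addr: str, tag: bytes) -> bool:
        key = self.name_keys.get(name)
        if key is None:
            return False                  # unknown name: nobody may speak for it
        expected = _tag(key, f"{name} {_rrtype(addr)} {addr}")
        if not hmac.compare_digest(expected, tag):
            return False                  # tag was not made with this name's key
        self.records[(name, _rrtype(addr))] = addr
        return True

    def lookup(self, name: str, rrtype: str):
        return self.records.get((name, rrtype))

class ReverseZone:
    def __init__(self, gateway_key: bytes):
        self.gateway_key = gateway_key    # only the gateway may change PTRs
        self.ptr = {}                     # addr -> name

    def update(self, addr: str, name: str, tag: bytes) -> bool:
        if not hmac.compare_digest(_tag(self.gateway_key, f"{addr} PTR {name}"), tag):
            return False
        self.ptr[addr] = name
        return True

    def lookup(self, addr: str):
        return self.ptr.get(addr)

class Gateway:
    """Holds the reverse-zone key and signs PTR changes on the PC's behalf,
    but only after the forward zone already maps the name to that address."""
    def __init__(self, key: bytes, forward: ForwardZone, reverse: ReverseZone):
        self.key, self.forward, self.reverse = key, forward, reverse

    def request_ptr(self, addr: str, name: str) -> bool:
        if self.forward.lookup(name, _rrtype(addr)) != addr:
            return False                  # forward listing not changed yet: refuse
        return self.reverse.update(addr, name, _tag(self.key, f"{addr} PTR {name}"))

def login(forward: ForwardZone, gateway: Gateway, card_key: bytes, name: str, addr: str) -> bool:
    """What the PC does when a card is plugged in: sign the forward update with
    the card's key, then ask the gateway for the matching PTR record."""
    tag = _tag(card_key, f"{name} {_rrtype(addr)} {addr}")
    if not forward.update(name, addr, tag):
        return False
    return gateway.request_ptr(addr, name)

def demo():
    # Constructed keys, name and addresses; the name shape follows the message.
    alice_key = b"alice-card-key"
    name = "alice.lab.cs101.university.edu"
    forward = ForwardZone({name: alice_key})
    reverse = ReverseZone(b"gateway-key")
    gateway = Gateway(b"gateway-key", forward, reverse)
    pc = "192.0.2.17"
    ok = login(forward, gateway, alice_key, name, pc)
    # A card without the key for Alice's name cannot rebind that name...
    stolen = login(forward, gateway, b"other-card-key", name, "192.0.2.99")
    # ...and the gateway refuses a PTR for an address the forward zone never named.
    orphan = gateway.request_ptr("192.0.2.99", name)
    return ok, stolen, orphan, reverse.lookup(pc)

if __name__ == "__main__":
    print(demo())
```

Running the module prints `(True, False, False, 'alice.lab.cs101.university.edu')`: the legitimate login installs both records, the mis-keyed login fails at the forward zone, and the orphan PTR request fails at the gateway's forward-lookup check.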

