ICMP use of AH



> From: Danny.Nessett@eng.sun.com (Dan Nessett)
> I didn't quite follow your reply. Specifically :
> >    For that particular case (intermediate router sending an ICMP
> >  message and desiring to authenticate the ICMP message back to the
> >  sender), if a Security Association does not exist the router
> >  could sign it using its private key that is associated with its
>                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >  Eastlake-Kaufman signed public key available from the DNS and
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >  an RSA signature.  This scales as well as the DNS and hence
> >  as well as the Internet as a whole.
>
> Doesn't this introduce a dependency of the routing system on DNS?

No, it introduces a dependency of some ICMP security on DNS.  This is a
matter for later elucidation in the ICMP security draft which is
currently being written.  Ran was simply trying to help point you in the
right direction, without being too specific at this time.


> That is,
> aren't you assuming that all routers will have signed certificates in the
> DNS?

No, he is assuming that the _subset_ of routers which provide
authenticated ICMP messages -- without having established a security
association --  have a DNS signed certificate.  That is certainly a
possibility, since Eastlake-Kaufman propose such DNS certificates.


> If so, how do you bring up a routing system without having DNS on-line
> to begin with? Do you bring it up unsecure and then secure it? Does this
> mean you can't secure it without all routers having DNS certificates?
>
I believe these statements have to do with dynamic auto-configuration of
routers.  Since even auto-configuration of hosts is a matter of great
debate, and outside the scope of this WG, perhaps we could dispense with
the non-sequiturs.


> In addition I think there are a number of proposals on the table that assume
> an IPv4 key distribution mechanism based on signed Diffie-Hellman certificates.

No, only one: SKIP.  Have you read Photuris?

Bill.Simpson@um.cc.umich.edu
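The mechanism quoted at the top of this message (a router that has no security association signs an ICMP message with its own private key, and the recipient fetches the router's public key from DNS to check it) can be sketched in a few lines. The Go program below is an added illustration written for this archive page; it is not code from the thread, from the ICMP security draft, or from the Eastlake-Kaufman proposal. It makes several assumptions: DNS is stood in for by an in-memory map from router name to public key, the signature scheme is RSA-PSS over SHA-256 (the thread only says "an RSA signature"), and the ICMP bytes are a simplified header plus payload rather than a full implementation. It also shows the failure case that the rest of the thread argues about: if the router's key cannot be found in "DNS", the message cannot be authenticated at all.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyDirectory is a hypothetical stand-in for DNS (assumption for this example):
// router name -> RSA public key, playing the role of the DNS-published,
// signed certificate the thread refers to.
type keyDirectory map[string]*rsa.PublicKey

// newRouterKey generates the router's long-term RSA key pair.
func newRouterKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// publishKey "publishes" a router's public key in the simulated DNS.
func publishKey(dir keyDirectory, router string, priv *rsa.PrivateKey) {
	dir[router] = &priv.PublicKey
}

// icmpMessage builds a simplified ICMP message: 8-byte header (type, code,
// checksum and unused field left zero) followed by the payload. Constructed
// for the example only; it is not a complete ICMP encoder.
func icmpMessage(typ, code uint8, payload []byte) []byte {
	msg := make([]byte, 8+len(payload))
	msg[0] = typ
	msg[1] = code
	copy(msg[8:], payload)
	return msg
}

// signICMP is the intermediate router's side: hash the ICMP bytes and sign
// the digest with the router's private key (RSA-PSS chosen here; assumption).
func signICMP(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verifyICMP is the original sender's side: look the router's key up in the
// simulated DNS and verify the signature. A missing key is the dependency
// on DNS that the thread discusses: without it nothing can be authenticated.
func verifyICMP(dir keyDirectory, router string, msg, sig []byte) error {
	pub, ok := dir[router]
	if !ok {
		return errors.New("no DNS-published key for " + router + ": ICMP message cannot be authenticated")
	}
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

func main() {
	dns := keyDirectory{}
	priv, err := newRouterKey(2048)
	if err != nil {
		panic(err)
	}
	publishKey(dns, "router1.example", priv)

	// Constructed sample: a Destination Unreachable (type 3, code 1) carrying
	// a placeholder for the offending datagram's header.
	msg := icmpMessage(3, 1, []byte("original-ip-header"))
	sig, err := signICMP(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("known router, intact message:", verifyICMP(dns, "router1.example", msg, sig))
	fmt.Println("router with no DNS key:      ", verifyICMP(dns, "router2.example", msg, sig))
	msg[8] ^= 0x01 // tamper with one payload byte
	fmt.Println("known router, altered message:", verifyICMP(dns, "router1.example", msg, sig))
}
```

The verification step is entirely dependent on the key directory: a router whose key is not published verifies no differently from a forger, which is exactly why the thread narrows the claim to "some ICMP security" depending on DNS rather than the routing system as a whole.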