[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re[5]: (IPng) More Endpoint Attributes

On Mar 17, 12:48, Dean D. Throop wrote:

% I'm getting confused here.  I guess I don't understand the association
% model.  The "IPv6 Security Architecture" in section 5.3 sez " The
% Security Association Identifiers (SAIDs) used in the IPv6 security
% mechanisms are receiver-oriented, making them well suited for use in
% IP multicast."

  An SAID is NOT (repeat NOT) comparable to an IPSO label.  An SAID is
just an opaque identifier that is used (along with the Destination
Address) to help locate the correct "Security Association".  Examining
an SAID will NOT, in the absence of being a party to the particular
Security Association, tell anyone the sensitivity level of that
Security Association or of that packet.  This is a _feature_ because
an adversary cannot use the SAID to immediately ascertain which
packets are high-value targets.

% I'm trying to figure out what to put in a packet to send it for some
% hypothetical example.  Lets assume the first hop is a router that
% doesn't know anything about security; it just picks the packet up from
% this LAN and moves it to another LAN.  The second hop is a security
% aware router and I guess it knows about the SAID and enforces whether
% the packet is allowed (or directs the path of the packet depending on
% the packet contents).  Eventually the packet ends up at the other host
% I want to talk with.

% What is the receiver in this case?
%	is it the local router that doesn't know about security,


%	is the security knowledgeable router, or


%	is it final destination?


	The "receiver" always equates to the entity (entities in the
case of multicast) addressed by the Destination Address of the packet.
We use the term "receiver" because it is the convention when talking
about multicast technologies.  Deering's IP Multicast is
"receiver-oriented" while other technologies (which are NOT used with
IP) are "sender-oriented".  Please see Deering's RFC on IP
Multicasting (RFC-1112 ???) for a better explanation of how
multicasting works in the Internet.

	It is possible that neither end system actually implements
security features.  In this case, security might be provided between
some links via encrypting gateways that operate on behalf of systems
behind those gateways.  Such gateways might be encrypting routers,
bulk IP encryptors, and/or encrypting firewalls.  The packet's
Destination Address is still used in combination with the SAID to
determine the Security Association, even though the destination system
is not directly participating and is instead represented by its proxy
encrypting gateway.

  NOTE: When encrypting gateways are in use to encrypt traffic
originating on another system, host-to-host keying will generally be
the only choice because user-to-user keying is not practical when the
system performing the encryption does not dependably know which user
is originating the traffic.  I believe the current language makes this
keying issue of intermediate encryption reasonably clear.  If the
doesn't seem clear, please send me email and tell me which bits are

% If the receiver is the intermediate security aware router, how does
% the sender figure out what SAID that receiver wants?  I guess I'm
% assuming the IPv4 model where all the sender knows is the next hop.
% Maybe there are some IPv6 mechanisms I don't know about.

  The Sender knows which Destination Address it is putting into the
packet.  The Security Association is determinable by the Sender by
examining the sending userid, the Destination Address, and possibly
additional information (e.g. process or socket sensitivity level in
the case of a CMW).

  Steve Kent is entirely correct that, unless the router is a part of
the particular Security Association in use, the router cannot know the
sensitivity level of the session and hence cannot perform any
Mandatory-Access-Control (MAC) filtering.  Such MAC filtering is no
longer important when real encryption (e.g. Type 1) is being used for
traffic between Source and Destination.  That MAC filtering at routers
is being used at present for IPv4 traffic in order to reduce risk of
compromise since users don't have universally available IP encryption.

  If IPSO had been renamed the "IP Security Label Option" it might not
be as confusing now.  Neither IPSO nor CIPSO provide security (security
== confidentiality, authentication, integrity).  Both IPSO and CIPSO
provide unauthenticated sensitivity labels to packets.  As Steve Bellovin
has recently noted, IPSO and CIPSO labelling have a very serious problem
in that it tells the adversary which packets are most important and hence
are worth attacking (via passive eavesdropping, cryptanalysis, or what
have you).