
Re: Use of UDP ports for Photuris




This is changing the subject slightly, but I've been meaning to bring
this up since Stockholm.

There's another problem with using UDP for Photuris, in situations
where multiple principals are active on both hosts involved in the
exchange.

[I'm being intentionally vague about what principals and principal
names are, as it's not really relevant to the discussion.]

If there's more than one long-term certified key on a responder,
initiators need some way to either select between them, or provide
enough information to the responder to allow it to make the correct
choice for it.

Currently, the Photuris drafts state:

   When both parties initiate Photuris key establishment concurrently,
   or one party initiates more than one Photuris session, the UDP Ports
   keep the sessions separate.

Given this, I can see how to do "host-to-host" and "user-to-host", but
not "user-to-user" or "host-to-user".

In short, if the initiator picks a random client port, and always
sends to a well-known port, there's no way in the current Photuris
protocol for the initiator to select among multiple principals on the
responder host.

I can think of several ways to do this -- either by "principal name"
or by transport endpoint -- but it's just not in there right now.

I'll note in passing that in DCE, we had situations where application
writers did *not* want to be burdened with the duty of figuring out
what the responder's principal name was in advance -- they wanted to
connect to the responder, find out who it was, and then apply an
authorization check based on the identity of the responder.

					- Bill



