Nodes and Users
> From: rivest@theory.lcs.mit.edu (Ron Rivest)
> IPSEC needs to provide EXPLICIT answers to these questions. The Photuris
> spec needs to be based on these answers. This cannot be swept under the
> rug any longer.
>
No rug sweeping has been attempted; we have discussed this at length in
the Security Architecture.
> * On page 2 of the Photuris draft, it is said that the Security Association
> is established between "two nodes". What is a node??? (A machine with
> an IP address??)
>
A node is a standard well-known IP term for an entity with one or more
interfaces. Interfaces have IP addresses.
> * On page 45 of the Photuris draft, it is specified that the Certificate
> (when MD5 is the `Signature Choice') is an "email address". Are we
> envisioning that the Security Association may link users? (I imagine
> that some would like the answer to be "yes".) Or was this intended
> merely to be an IP address?
>
User oriented keying is a fundamental goal of IPSec. Again, RFC-1525.
> The problem:
>
> If I try to establish a Security Association with a specific user, or
> a specific process, on another machine, then I need some way to specify
> who I wish to talk to in my initial Key_Request.
>
Nope. Process selection is done with the headers _inside_ AH or ESP.
> With Photuris as it is, the Responder is not identified by the Photuris
> initiator to any finer granularity than the IP address to which the
> Photuris packets are sent.
>
Correct.
Right up until the Signature exchange. But I already have language to
this effect:
   To provide user-oriented keying, or create multiple Security
   Associations with different parameters, the sender can either
   initiate multiple Photuris exchanges, or send a Change_Message.

   The Destination MUST be capable of maintaining multiple Security
   Associations (SPI values) for each Source.

   It is the responsibility of the Source to internally segregate the
   different session-keys provided by the Destination.
> If the intent is to support Security Associations between entities at
> some other level of granularity, then the initiator needs to be able
> to name who (or which process, whatever) at that IP address he desires
> to communicate with.
>
We've talked about this, but currently the protocol only specifies who
the SA is _from_.
The initiator decides to start a Photuris exchange when:
1) it has a datagram which it wishes to send with privacy.
2) it has received an ICMP message from a destination which indicates a
requirement for authentication.
Other needs to initiate a Photuris exchange are likely to be a matter
for considerable debate. (and thus have been left out)
> As it stands, Photuris apparently only supports the establishment of
> Security Associations between entities named by IP addresses. Is this
> what is intended?
>
It establishes shared-secrets between a user and an IP address (in the
case of a server).
Of course, the two most likely scenarios are machine to machine
(firewalls making virtual private networks), or user to user (one person,
at least one CPU)!
Bill.Simpson@um.cc.umich.edu
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
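The following is an added example, not part of the message above or of the Photuris draft, modelling the point in the quoted draft text: the Destination keeps one inbound SA per (Source, SPI), the Source segregates the session keys it holds for one peer by its own selector, and the Initiator starts an exchange only on the two triggers listed. The SA table layout, the SPI allocation policy, the (peer, user) selector, HMAC-MD5 as a stand-in for the keyed digest, and the addresses and keys are all assumptions constructed for the example; `establish()` stands in for a completed exchange rather than implementing Photuris.

```python
"""Constructed model of multiple Security Associations (SPIs) per peer.
Not the draft's data structures; selectors, SPI policy and keys are assumed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SA:
    spi: int                 # chosen by the Destination that will receive
    peer: str                # IP address of the other node
    user: Optional[str]      # None means machine-to-machine keying (assumed selector)
    key: bytes               # session key from the exchange (constructed)


class SADatabase:
    """One node's SA table: inbound SAs indexed by SPI, outbound by selector."""

    def __init__(self) -> None:
        self.inbound: Dict[int, SA] = {}                          # SPI -> SA
        self.outbound: Dict[Tuple[str, Optional[str]], SA] = {}  # (peer, user) -> SA
        self._next_spi = 256   # assumption: low SPI values left unused

    def add_inbound(self, peer: str, user: Optional[str], key: bytes) -> SA:
        """Destination side: allocate a fresh SPI for this Source; several may exist per Source."""
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        sa = SA(spi, peer, user, key)
        self.inbound[spi] = sa
        return sa

    def add_outbound(self, sa: SA) -> None:
        """Source side: keep each session key segregated under its own selector."""
        self.outbound[(sa.peer, sa.user)] = sa

    def needs_exchange(self, peer: str, user: Optional[str],
                       icmp_auth_required: bool = False) -> bool:
        """Initiator trigger: a datagram needing privacy with no usable SA,
        or an ICMP message from the peer indicating authentication is required."""
        return icmp_auth_required or (peer, user) not in self.outbound

    def protect(self, peer: str, user: Optional[str], payload: bytes) -> Tuple[int, bytes, bytes]:
        """Emit (SPI, payload, tag); the SPI is all the receiver sees on the outside."""
        sa = self.outbound[(peer, user)]
        tag = hmac.new(sa.key, payload, hashlib.md5).digest()   # stand-in keyed digest
        return sa.spi, payload, tag

    def verify(self, spi: int, payload: bytes, tag: bytes) -> Optional[SA]:
        """Demultiplex on SPI, then check the tag under that SA's key only."""
        sa = self.inbound.get(spi)
        if sa is None:
            return None
        expected = hmac.new(sa.key, payload, hashlib.md5).digest()
        return sa if hmac.compare_digest(expected, tag) else None


def establish(initiator: SADatabase, responder: SADatabase, init_addr: str,
              resp_addr: str, user: Optional[str], key: bytes) -> SA:
    """Stand-in for one completed exchange (not Photuris itself): the responder
    allocates the SPI it will accept from this Source, the initiator records
    the matching outbound SA under its own selector."""
    sa_in = responder.add_inbound(init_addr, user, key)
    initiator.add_outbound(SA(sa_in.spi, resp_addr, user, key))
    return sa_in


def demo() -> Tuple[bool, bool, bool]:
    """Two users on node A keyed separately to node B; constructed addresses and keys."""
    a, b = SADatabase(), SADatabase()
    first_trigger = a.needs_exchange("10.0.0.2", "alice")
    sa_alice = establish(a, b, "10.0.0.1", "10.0.0.2", "alice", b"k-alice")
    sa_bob = establish(a, b, "10.0.0.1", "10.0.0.2", "bob", b"k-bob")
    spi, payload, tag = a.protect("10.0.0.2", "alice", b"hello")
    accepted = b.verify(spi, payload, tag)
    # Same Source, wrong SPI: alice's tag presented under bob's SPI must be rejected.
    cross_wired = b.verify(sa_bob.spi, payload, tag)
    return (first_trigger and sa_alice.spi != sa_bob.spi,
            accepted is not None and accepted.user == "alice",
            cross_wired is None)


if __name__ == "__main__":
    print(demo())
```

The outbound table is keyed by selector precisely because, as the message says, the wire only names who the SA is from; the receiver distinguishes the two users of 10.0.0.1 solely by the SPI it handed out, so a node that collapsed its SAs per peer would verify one user's traffic under the other's key.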