
Re: AH/ESP & Replay Protection



>One of the problems is figuring out what the effective protections were
>on the data, passing that information to the policy engine, and informing
>the application of what protections it got.

Ahh, this is an important issue.

My current view is that a nice way to pass the information to the
policy engine is using "key K says data D" notation, instead of
"ip->ip_src says data D".

This handles nested packets very nicely; for instance, the packet
IP1-AH1-*-AH2-payload translates into (essentially)
        "key K1 and K2 say payload".
(Since AH protects the IP header, the real statement is actually a
bit stronger than that.)

Then the policy engine (in this view) should base all policy decisions
on key-based authentication, and never on IP source addresses.  IP
source addresses would become mainly a convenient "return-address"
to know where to send responses to, instead of security-critical values.

This is very similar to the approach presented in Lampson, Abadi,
Burrows, and Wobber's "Authentication in Distributed Systems:
Theory and Practice."

IMHO, this viewpoint captures AH's true cryptographic guarantees more
accurately than an IP-source-addr-based mechanism.

Still, I'll admit it probably still needs more fleshing out; and I
don't have any implementation experience with large policy engines,
so I'm a biased judge of its merits.

Any comments?
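The "key K says data D" idea above, worked through as an added example (this is illustration code, not anything from the post or from an IPsec implementation). It models a packet as nested AH headers around a payload, verifies each AH layer on receipt, and feeds the policy engine only the set of keys that vouched for the payload; the IP source address is carried through purely as a return address. Assumptions: the packet layout, the SPI-only key lookup, HMAC-SHA256 truncated to 96 bits standing in for the real AH integrity algorithm, and the hypothetical KEYS and POLICY tables are all invented for the example.

```python
"""Key-based ("key K says data D") policy over nested AH packets.

Added example, not from the original post.  Assumptions: a toy packet
model (AH header = SPI + ICV + the inner packet the ICV covers), HMAC-SHA256
truncated to 96 bits in place of the real AH integrity algorithm, a key
table looked up by SPI alone, and the hypothetical KEYS/POLICY tables.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Union

# Hypothetical security-association table: SPI -> (key identifier, secret).
KEYS = {
    0x1001: ("K1", b"gateway-secret"),
    0x1002: ("K2", b"host-secret"),
}

# Hypothetical policy: which key may speak to which service.  Note that no
# IP address appears anywhere in the policy.
POLICY = {
    "K1": {"smtp"},
    "K2": {"smtp", "ssh"},
}


@dataclass(frozen=True)
class Payload:
    service: str
    data: bytes


@dataclass(frozen=True)
class AH:
    spi: int
    icv: bytes
    inner: "Packet"        # everything the AH ICV covers (inner AH headers too)


Packet = Union[AH, Payload]


def serialize(pkt: Packet) -> bytes:
    """Deterministic byte form of the part of the packet an ICV covers."""
    if isinstance(pkt, Payload):
        return b"P:" + pkt.service.encode() + b":" + pkt.data
    return b"AH:" + pkt.spi.to_bytes(4, "big") + pkt.icv + serialize(pkt.inner)


def compute_icv(spi: int, secret: bytes, inner: Packet) -> bytes:
    msg = spi.to_bytes(4, "big") + serialize(inner)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:12]


def seal(spi: int, inner: Packet) -> AH:
    """Sender side: wrap `inner` in an AH header keyed by `spi`."""
    _, secret = KEYS[spi]
    return AH(spi, compute_icv(spi, secret, inner), inner)


def speakers(pkt: Packet):
    """Receiver side: peel nested AH headers, verifying each one.

    Returns (set of key ids that vouched for the payload, payload), or
    (empty set, None) if an SPI is unknown or any ICV fails: the packet is
    dropped rather than trusting the layers above the failure.
    """
    keys = set()
    while isinstance(pkt, AH):
        entry = KEYS.get(pkt.spi)
        if entry is None:
            return set(), None
        kid, secret = entry
        if not hmac.compare_digest(pkt.icv, compute_icv(pkt.spi, secret, pkt.inner)):
            return set(), None
        keys.add(kid)            # "kid says everything below this header"
        pkt = pkt.inner
    return keys, pkt


def decide(ip_src: str, pkt: Packet):
    """Decide on 'which keys say payload'; ip_src is only the return address."""
    keys, payload = speakers(pkt)
    if payload is None:
        return "drop", frozenset(), ip_src
    permitted = any(payload.service in POLICY.get(k, ()) for k in keys)
    return ("accept" if permitted else "deny"), frozenset(keys), ip_src


# Constructed sample packets.
ssh_req = Payload("ssh", b"login")
unauth = ssh_req                                    # no AH: nobody says it
from_host = seal(0x1002, ssh_req)                   # AH2 only: "K2 says ssh"
via_gateway = seal(0x1001, seal(0x1002, Payload("smtp", b"MAIL")))  # K1 and K2 say smtp
tampered = AH(from_host.spi, from_host.icv, Payload("ssh", b"root"))  # payload swapped

if __name__ == "__main__":
    for label, src, p in [("unauth", "10.0.0.5", unauth),
                          ("from_host", "203.0.113.9", from_host),
                          ("via_gateway", "198.51.100.1", via_gateway),
                          ("tampered", "10.0.0.5", tampered)]:
        print(label, decide(src, p))
```

The point of the sample packets: the unauthenticated request from an inside-looking address is denied because no key spoke for it, the K2-authenticated request is accepted whatever address it arrived from, and the gateway-wrapped packet yields both K1 and K2 as speakers, matching the "K1 and K2 say payload" reading of IP1-AH1-*-AH2-payload (K1 in fact also vouches for the AH2 header, which is the "bit stronger" statement in the post).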