
Re: DNS? was Key Management

>>    However, IPSEC only authenticates to IP addresses.  There's no further
>>    identification in the IPSEC packets.  Even if usernames or hostnames
>>    are used in generating keys, there's no well-defined way to get that
>>    information back to an application; all it has is getpeername().

Isn't it the case that IPSEC packets are bound to security associations, 
and that security associations are sufficient to identify all sorts 
of communicating entities (not just IP addresses)?  If so, then the 
proposed protocols should support authentication within multiple 
namespaces/trust domains.   The problem is how to standardize an appropriate 
API for managing the security associations appurtenant to communications 
channels. 

While I agree that authentication of fixed IP addresses probably 
constitutes a "sweet spot", it would be unfortunate if this ruled 
out other forms of authentication appropriate to security-aware applications. 

Regards,

Ted Wobber
DEC Systems Research Center
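The point above, that a security association identifies more than an IP address and that an application needs some way to ask for that identity instead of relying on getpeername(), modelled as an added example (this is illustrative code, not part of the original thread and not any implementation's API). It keeps a toy inbound SA database in which two users share one source address, so the address alone is ambiguous while the SA the packet arrived on is not. The identity type names follow the ones IKE uses for ID payloads; the functions peer_identity() and identities_for_address(), the sample addresses, SPIs and identities are all assumptions constructed for the example.

```python
"""Toy model of an IPsec security-association database (SADB).

Added example, not code from the original thread.  Identity kinds follow the
names IKE uses for ID payloads (FQDN, RFC822_ADDR, DER_ASN1_DN); the API names
and the sample SAs below are assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    """An authenticated identity in some namespace, e.g. ('FQDN', 'host.example.com')."""
    kind: str
    value: str


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int              # Security Parameters Index carried in every AH/ESP packet
    peer_addr: str        # outer IP address of the peer
    identity: Identity    # identity proven during key exchange (constructed here)


class SADB:
    """Inbound SAs.  Simplified key: (peer address, SPI).  A real SADB also records
    the IPsec protocol (AH or ESP) and may key inbound SAs on the SPI alone."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[str, int], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        key = (sa.peer_addr, sa.spi)
        if key in self._sas:
            raise ValueError(f"duplicate SA {key}")
        self._sas[key] = sa

    def lookup(self, peer_addr: str, spi: int) -> Optional[SecurityAssociation]:
        return self._sas.get((peer_addr, spi))

    def identities_for_address(self, peer_addr: str) -> Set[Identity]:
        """Everything a bare peer address could correspond to: one address may
        carry several SAs, each bound to a different authenticated identity."""
        return {sa.identity for (addr, _), sa in self._sas.items() if addr == peer_addr}


def peer_identity(sadb: SADB, peer_addr: str, spi: int) -> Optional[Identity]:
    """What an application needs instead of getpeername(): the identity bound to
    the SA the packet actually arrived on.  Unknown SA -> None (fail closed)."""
    sa = sadb.lookup(peer_addr, spi)
    return sa.identity if sa else None


def build_example_sadb() -> SADB:
    """Constructed sample: two users behind one address, plus a host-level SA."""
    sadb = SADB()
    sadb.add(SecurityAssociation(0x1001, "10.0.0.5", Identity("RFC822_ADDR", "alice@example.com")))
    sadb.add(SecurityAssociation(0x1002, "10.0.0.5", Identity("RFC822_ADDR", "bob@example.com")))
    sadb.add(SecurityAssociation(0x2001, "10.0.0.9", Identity("FQDN", "fileserver.example.com")))
    return sadb


if __name__ == "__main__":
    sadb = build_example_sadb()
    # The address alone (all getpeername() gives) is ambiguous for 10.0.0.5 ...
    print(sorted(i.value for i in sadb.identities_for_address("10.0.0.5")))
    # ... but the SA the packet arrived on pins down one identity.
    print(peer_identity(sadb, "10.0.0.5", 0x1002))
    # A packet claiming an SPI with no SA behind it yields no identity at all.
    print(peer_identity(sadb, "10.0.0.5", 0x9999))
```

The design choice worth noting is that the identity is attached to the SA, not to the address: the kernel already has to find the SA by SPI to decrypt or verify the packet, so the authenticated identity is available at exactly the point where the address-only view loses it. The open question the thread raises, how to hand that identity up to the socket owner in a standard way, is what peer_identity() stands in for here.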