Re: DNS? was Key Management
- To: John Gilmore <gnu@toad.com>
- Subject: Re: DNS? was Key Management
- From: wobber@pa.dec.com
- Date: Wed, 14 Aug 96 18:27:07 -0700
- Cc: ipsec@TIS.COM
- In-Reply-To: Message of Wed, 14 Aug 1996 16:55:59 -0700 from John Gilmore <gnu@toad.com> <199608142356.QAA08155@toad.com>
- Sender: ipsec-approval@neptune.tis.com
>> However, IPSEC only authenticates to IP addresses. There's no further
>> identification in the IPSEC packets. Even if usernames or hostnames
>> are used in generating keys, there's no well-defined way to get that
>> information back to an application; all it has is getpeername().
Isn't it the case that IPSEC packets are bound to security associations,
and that security associations are sufficient to identify all sorts
of communicating entities (not just IP addresses)? If so, then the
proposed protocols should support authentication within multiple
namespaces/trust domains. The problem is how to standardize an appropriate
API for managing the security associations appurtenant to communications
channels.
While I agree that authentication of fixed IP addresses probably
constitutes a "sweet spot", it would be unfortunate if this ruled
out other forms of authentication appropriate to security-aware applications.
Regards,
Ted Wobber
DEC Systems Research Center