Re: DNS? was Key Management



In message <199608142356.QAA08155@toad.com>, John Gilmore writes:
> 
> However, IPSEC only authenticates to IP addresses.  There's no further
> identification in the IPSEC packets.  Even if usernames or hostnames
> are used in generating keys, there's no well-defined way to get that
> information back to an application; all it has is getpeername().

Since when? It was my understanding that IPsec authenticated to the nebulous
concept of a "key owner", which could be a single user, a host, or even a
set of hosts (say, behind a crypto-gateway?).

As for authorization, the most common use I see for IPsec, in the short
term, is to secure 'standard' A&A techniques (such as OTP, challenge
response cards, etc.) from network-layer-based attacks. After all, if I can
trust that a TCP session has not been tampered with, then I can make
stronger trust decisions about OTP or token-based authentication of the user
at the end of the tunnel, right?

-- 
Harald Koch
chk@border.com
