
Re: "user" and "network layer" security mechanisms.



-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822

> Matt Thomas wrote:
> 
> > I think you are missing the point Perry.  For example, if you have six
> > concurrent users of an X.400 product that makes use of an RFC 1006
> > convergence module for its OSI "transport connections", you wind up with
> > user data from six user-level security associations multiplexed over a
> > single TCP connection.
> 
> Sorry, that's impossible.  RFC 1006 (and RFC 1859) only allows one OSI
> transport connection per TCP connection; multiplexing multiple connections
> is specifically not allowed.  Therefore there is always a one-to-one mapping.

Upon review of the spec, you are correct. It appears that my memory is not
immune to age after all.  However, I've looked at the source to our vendor's
RFC 1006 streams module and the basic problem remains.  It internally
manages a pool of TCP endpoints, maintaining its own internal binding
between TP0 connection and TCP connection.  There is no way software
at the IP layer can correlate the TCP connection back to the originating
process without substantial modification to this product.  This renders
user-level authentication within IPSEC useless for any application running
upon this transport.

Pick at the specifics all you want; the basic point remains valid.  The
Internet stack was designed to permit multiplexing above IP.  There are
several things out there that do this.  User-level authentication within
IPSEC cannot work for these products unless they are substantially
modified.

Charlie Watt
SecureWare

-----END PRIVACY-ENHANCED MESSAGE-----
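The attribution problem Charlie describes, as an added model that is not part of the original thread: a hypothetical TP0-over-TCP module that honours RFC 1006's one-connection-per-TCP-connection rule but owns a pool of TCP endpoints, and an IP-layer per-user SA selector that can only see the sending socket. All class, function and uid values are made up for this illustration.

```python
"""Added illustration: why an IP-layer selector for per-user IPsec SAs loses
the user once a transport module owns the TCP endpoints. Names and uids are
constructed for this example, not taken from any real product."""

class Rfc1006Module:
    """Hypothetical TP0-over-TCP module. One TP0 connection per TCP connection
    (as RFC 1006 requires), but every socket belongs to the module process."""
    def __init__(self, owner_uid, local_ports):
        self.owner_uid = owner_uid      # uid of the module, not of any user
        self.idle = list(local_ports)   # pooled, reusable TCP endpoints
        self.binding = {}               # TP0 connection (here: user uid) -> port

    def connect(self, tp0_id):
        self.binding[tp0_id] = self.idle.pop(0)

    def disconnect(self, tp0_id):
        self.idle.append(self.binding.pop(tp0_id))

    def send(self, tp0_id, data):
        # What reaches the IP layer: a segment from a socket owned by the
        # module. The TP0 connection id, and so the user, is not on the wire.
        return {"sport": self.binding[tp0_id], "socket_uid": self.owner_uid, "data": data}

def select_user_sa(segment):
    """IP-layer policy lookup for per-user SAs: the only user handle the kernel
    has for an outgoing segment is the uid that owns the sending socket."""
    return segment["socket_uid"]

def direct_tcp(uid, data):
    # An application that opens its own TCP socket: socket uid == user uid.
    return {"sport": 40000 + uid, "socket_uid": uid, "data": data}

def scenario():
    alice, bob, module_uid = 1001, 1002, 77
    mod = Rfc1006Module(module_uid, [5000])
    # 1. Applications on their own sockets: per-user attribution works.
    direct = [select_user_sa(direct_tcp(u, "hello")) for u in (alice, bob)]
    # 2. The same users behind the module: every segment maps to the module.
    mod.connect(alice)
    seg_a = mod.send(alice, "hello")
    mod.disconnect(alice)
    mod.connect(bob)                    # bob now reuses alice's TCP endpoint
    seg_b = mod.send(bob, "hello")
    pooled = [select_user_sa(seg_a), select_user_sa(seg_b)]
    # 3. A per-port cache learned during alice's session now mislabels bob.
    port_cache = {seg_a["sport"]: alice}
    cached_guess = port_cache.get(seg_b["sport"])
    return {"direct": direct, "pooled": pooled,
            "cached_guess": cached_guess, "bob": bob}
```

The third step shows why the problem is not fixed by remembering earlier observations at the IP layer: the module's binding between TP0 connection and TCP endpoint changes over time, invisibly to anything below it.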

