[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Questions on the Security Arch. draft

To: ipsec@tis.com, svakil@usr.com
Subject: Re: Questions on the Security Arch. draft
From: Ran Atkinson <rja@inet.org>
Date: Fri, 14 Mar 97 01:11:19 GMT Standard Time
References: <32823C30.3000@usr.com>
Sender: owner-ipsec@ex.tis.com

--- On Thu, 13 Mar 1997 10:00:42 -0600  svakil@usr.com wrote:

>      Hi.  I had a question on section 1.4 of the Security Architecture 
>      draft (draft-ietf-ipsec-arch-sec-01.txt).  Specifically, the draft 
>      says :
>      
>      "A security gateway which receives a datagram containing a
>      recognised sensitivity label, for example IPSO [Ken91], from a trusted 
>      host MUST take that label's value into consideration when 
>      creating/selecting an Security Association for use with AH between the 
>      gateway and the external destination.  In such an environment, a 
>      gateway which receives a IP packet containing the IP Encapsulating 
>      Security Payload (ESP) should add appropriate authentication, 
>      including implicit (i.e. contained in the Security Association used) 
>      or explicit label information (e.g. IPSO), for the decrypted packet 
>      that it forwards to the trusted host that is the ultimate 
>      destination."
>      
>      I don't get the last part about the gateway adding authentication 
>      information for the decrypted packet.  Does this mean that the gateway 
>      uses the SA that it used to decrypt the packet, to generate the 
>      authentication info?  That really doesn't make sense to me since AH 
>      and ESP have separate SAs and also since any given security 
>      association is for use with one peer only.  Or, is it that the gateway 
>      has a security association with the trusted host and tunnels all the 
>      packets for that host using this SA?

If your system does not implement CIPSO and does not implement RFC-1038
or RFC-1108, then the above doesn't apply since those are just about
the only known sensitivity labels used with IPv4.

If your gateway implements one of those label systems (or is B1 or higher), 
then the gateway SHOULD use AH (or ESP) when transmitting the packet along 
to its final destination.  The IPsec SA used for transmitting the packet
along to its final destination MUST have a sensitivity label value
consistent with the sensitivity label associated with that packet when
it was received.

The goal here is to accurately maintain end-to-end integrity on the
sensitivity label of the data.  

If this is still confusing, send private email.  This is not a general
interest topic...

Ran
rja@inet.org

References:

Questions on the Security Arch. draft

From: svakil@usr.com

Prev by Date: Re: Questions on the Security Arch. draft
Next by Date: Re: PKI Signature format in ISAKMP -- proposal
Prev by thread: Re: Questions on the Security Arch. draft
Next by thread: PKI Signature format in ISAKMP -- proposal
Index(es):
- Main
- Thread