[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

isakmp/doi questions: fine-grained keying..

To: ipsec@tis.com
Subject: isakmp/doi questions: fine-grained keying..
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Date: Thu, 19 Jun 1997 19:10:27 -0400
Sender: owner-ipsec@ex.tis.com

I'm trying to figure out how to implement fine-grained
per-transport-connection SA's with isakmp.

section 4.6.2 includes space for a port number, and says:

   The Identification Payload is used to identify the initiator of the
   Security Association.  The identity of the initiator SHOULD be used
   by the responder to determine the correct host system security policy
   requirement for the association.  For example, a host might choose to
   require data origin authentication without confidentiality (AH) from
   a certain set of IP addresses and full authentication with
   confidentiality (Hughes) from another range of IP addresses.  The
   Identification Payload provides information that can be used by the
   responder to make this decision.

it also specifies:

     o  Protocol ID (1 octet) - Value specifying an associated
        IP protocol ID (e.g. UDP/TCP).  A value of zero means that the
        Protocol ID field should be ignored.

     o  Port (2 octets) - Value specifying an associated port.
        A value of zero means that the Port field should be ignored.

It does not specify whether the port number is the port on the
initiator's host or the responder's host; this could be specified more
clearly.

In the event that the responding host supports multiple certifiable
identities, an important part of responder security policy is knowing
which identity to attach to the responder's end of the SA.

As it stands, the protocol does not provide the responder with enough
information to know which identity/certificate should be used to
authenticate the responder's half of the exchange.  

This is especially relevant when encryption will be used by the
underlying SA... you don't want to send something encrypted unless you
know who's going to be able to decrypt it.

I think you need to include both source and destination ports
*somewhere* in the protocol, but I'm not entirely sure this works best
in the phase I exchange, either.  I'll see if I can come up with a
more concrete alternative proposal in the next few days.

				- Bill

Follow-Ups:

Re: isakmp/doi questions: fine-grained keying..

From: "Angelos D. Keromytis" <angelos@dsl.cis.upenn.edu>

Prev by Date: Re: What price security?
Next by Date: Re: What price security?
Next by thread: Re: New draft -- IPSEC AH
Index(es):
- Main
- Thread