[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
isakmp/doi questions: fine-grained keying..
I'm trying to figure out how to implement fine-grained
per-transport-connection SA's with isakmp.
section 4.6.2 includes space for a port number, and says:
The Identification Payload is used to identify the initiator of the
Security Association. The identity of the initiator SHOULD be used
by the responder to determine the correct host system security policy
requirement for the association. For example, a host might choose to
require data origin authentication without confidentiality (AH) from
a certain set of IP addresses and full authentication with
confidentiality (Hughes) from another range of IP addresses. The
Identification Payload provides information that can be used by the
responder to make this decision.
it also specifies:
o Protocol ID (1 octet) - Value specifying an associated
IP protocol ID (e.g. UDP/TCP). A value of zero means that the
Protocol ID field should be ignored.
o Port (2 octets) - Value specifying an associated port.
A value of zero means that the Port field should be ignored.
It does not specify whether the port number is the port on the
initiator's host or the responder's host; this could be specified more
In the event that the responding host supports multiple certifiable
identities, an important part of responder security policy is knowing
which identity to attach to the responder's end of the SA.
As it stands, the protocol does not provide the responder with enough
information to know which identity/certificate should be used to
authenticate the responder's half of the exchange.
This is especially relevant when encryption will be used by the
underlying SA... you don't want to send something encrypted unless you
know who's going to be able to decrypt it.
I think you need to include both source and destination ports
*somewhere* in the protocol, but I'm not entirely sure this works best
in the phase I exchange, either. I'll see if I can come up with a
more concrete alternative proposal in the next few days.