[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: isakmp/doi questions: fine-grained keying..

To: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Subject: Re: isakmp/doi questions: fine-grained keying..
From: "Angelos D. Keromytis" <angelos@dsl.cis.upenn.edu>
Date: Thu, 19 Jun 1997 20:00:00 +0100
cc: ipsec@tis.com
In-reply-to: Your message of "Thu, 19 Jun 1997 19:10:27 EDT." <199706192310.AA015331828@relay.hp.com>
Sender: owner-ipsec@ex.tis.com

-----BEGIN PGP SIGNED MESSAGE-----

In message <199706192310.AA015331828@relay.hp.com>, Bill Sommerfeld writes:
>It does not specify whether the port number is the port on the
>initiator's host or the responder's host; this could be specified more
>clearly.

If you check Quick Mode, you'll see that there are two IDs sent, 
IDii and IDir; these are (presumably) the identities of the
user-initiator and the user-responder, as known by the Initiator.
I would expect the Responder to verify those, then reverse the order
and send them back to the Initiator in the next message (i don't have
the draft around tho, so take this last with a grain of salt).

>I think you need to include both source and destination ports
>*somewhere* in the protocol, but I'm not entirely sure this works best
>in the phase I exchange, either.  I'll see if I can come up with a
>more concrete alternative proposal in the next few days.
>

I don't think you need to do this in the Phase I exchange; i would
expect that the IDs exchanged there are just IPv4 addresses, no ports.
Remember, Phase I identifies just the ISAKMP daemons, no users.

However, your question raises an interesting problem: what if i want
to encrypt the traffic of a particular TCP session but want to use my
certificate as user foo; as it stands right now, the protocol allows
for either but not both. I suspect that the way to authenticate TCP
sessions (but not all traffic from user A@host1 to user B@host2)
involves using secrets that depend on the IP address included in the
ID, i.e. no finer grain auth. is possible.
- -Angelos

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBM6nIAL0pBjh2h1kFAQEwnQP5Aauzksq6Swvcl+YLzbDDWar8mSAjQus0
7j66oef2UQIpFMQ0fgDj1qyfRoKl7OcIil33/NVcV9oC/4lL5Vg9diGqdNyYGb+d
UXyf/KiZBWVfV+DtcjA8LUg5pfcphk2RAs4Huf5GmVBYUPSfnejuITIwoGvTjjEw
TbDDBIDyyxQ=
=Wfg2
-----END PGP SIGNATURE-----

References:

isakmp/doi questions: fine-grained keying..

From: Bill Sommerfeld <sommerfeld@apollo.hp.com>

Prev by Date: DES-CBC brute forced.
Next by Date: What price security?
Next by thread: Re: New draft -- IPSEC AH
Index(es):
- Main
- Thread