
[Theodore Y. Ts'o: Re: Daemon Recovery]




Charlie gave me permission to forward his e-mail to me to the list;
below are his observations, followed by my reply.

It seems pretty obvious, but given that our previous conversation had
talked about "host", and we hadn't really thought about the
user-oriented keying, it seems appropriate to remind ourselves that
host-based keying might not be all there is.

						- Ted

------- Forwarded Message

Date: Wed, 17 Sep 1997 23:15:36 -0400
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: Charles Lynn <clynn@BBN.COM>
Cc: "Theodore Y. Ts'o" <tytso@MIT.EDU>
In-Reply-To: Charles Lynn's message of Wed, 17 Sep 97 17:00:18 EDT,
	<9709172100.AA26988@MIT.EDU>
Subject: Re: Daemon Recovery
Address: 1 Amherst St., Cambridge, MA 02139
Phone: (617) 253-8091

   Date:     Wed, 17 Sep 97 17:00:18 EDT
   From: Charles Lynn <clynn@BBN.COM>

   > A better solution might be to include in the ISAKMP negotiations a
   > notification that at the successful conclusion of this SPI
   > negotiation, all other SPI's for the same host should be discarded.
   > What do other people think?

   Does this mean that if I setup a new SPI, I can wipe yours out?
   Sounds like DOS.

You bring up a good point; in the case of user-based keying, life
becomes much more difficult.   I think most folks were assuming that the
keys in use were host (TCB) based, not user-based --- or at the very
least, unprivileged users would not have access to the keying material.

I'd think the right thing to do is to specify that when you finish
negotiating an SPI, you can invalidate all previous SPI's corresponding
to the same public key which was used to establish the new SPI.  This
would work for either host or user based keying.

						- Ted

P.S.  May I forward your observation, and my response, to the ipsec
list?


------- End Forwarded Message
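
The difference between the two discard rules discussed in the forwarded exchange, as an added example that is not part of the original messages or of any ISAKMP implementation. The `SADatabase` class, the `discard_scope` parameter, the fingerprint helper and all sample keys, addresses and SPI values are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    spi: int
    host: str    # peer address the SA was negotiated with
    key_id: str  # fingerprint of the public key that authenticated the negotiation

def key_id(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()[:16]

class SADatabase:
    def __init__(self):
        self.sas = {}  # spi -> SA

    def establish(self, spi, host, public_key, discard_scope=None):
        """Install an SA after its negotiation succeeded; return discarded SPIs.

        discard_scope: None keeps old SAs, "host" drops every SA for the same
        host, "key" drops only SAs established with the same public key.
        """
        if spi in self.sas:
            raise ValueError(f"SPI {spi:#x} already in use")
        new = SA(spi, host, key_id(public_key))
        if discard_scope is None:
            stale = []
        elif discard_scope == "host":
            stale = [s for s, sa in self.sas.items() if sa.host == host]
        elif discard_scope == "key":
            stale = [s for s, sa in self.sas.items() if sa.key_id == new.key_id]
        else:
            raise ValueError(f"unknown discard scope: {discard_scope!r}")
        for s in stale:
            del self.sas[s]
        self.sas[spi] = new
        return sorted(stale)

def demo(scope):
    # Constructed scenario: two users with separate keys on one multi-user host.
    db = SADatabase()
    alice, bob = b"constructed-alice-public-key", b"constructed-bob-public-key"
    db.establish(0x1001, "192.0.2.10", alice)
    db.establish(0x1002, "192.0.2.10", alice)
    db.establish(0x2001, "192.0.2.10", bob)
    # Alice renegotiates after a restart and asks for her old SPIs to be dropped.
    discarded = db.establish(0x1003, "192.0.2.10", alice, discard_scope=scope)
    return discarded, sorted(db.sas)
```

With `"host"` scope the second user's SA is discarded along with the first user's; with `"key"` scope it survives.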

