Re: Per-socket policy and ISAKMP



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Dan" == Dan McDonald <danmcd@Eng.Sun.Com> writes:
    Dan> and HMAC-SHA-1, and has a global policy that all traffic except
    Dan> ISAKMP requires the use of AH, regardless of algorithm.  This global
    Dan> policy information is easily available to ISAKMP so it can negotiate
    Dan> AH services effectively.

  Okay.

    Dan> The second session, however, is a passive session (e.g. a TCP or UDP
    Dan> listener).  Some other machine will send the initial packet, and
    Dan> before that, an ISAKMP request.  If some other machine requests
    Dan> HMAC-MD5 for this session, two things can happen.  If my ISAKMP is
    Dan> not aware that the particular passive session requires SHA-1, the
    Dan> ISAKMP negotiation will succeed, but packets will be dropped because
    Dan> of per-session policy failure.  (I.e. "I got AH with MD5, but I

  I think the trick is here: ISAKMP "not aware" --- ISAKMP must be aware
of policy. 

    Dan> My question is, which is preferable?  Do per-socket aberrations to
    Dan> global policy get expressed to key management?  Or do they not get
    Dan> expressed?

  Let's do the reverse: say the machine wants HMAC-SHA1 and the socket
requests MD5. Well, two things are possible: the system gives it MD5,
violating its own policy, or it takes the "most secure union" of the two. 
  But, maybe the caller is root, and is allowed to override policy?

    Dan> If the answer is the former, BTW, look for a new PF_KEY message
    Dan> that'll express this to a KMd.  (It'll be a passive-side counterpart
    Dan> to the ACQUIRE message.)

  Yes, I think that is a good thing. I didn't realize it wasn't already there.

   :!mcr!:            |  Sandelman Software Works Corporation, Ottawa, ON  
   Michael Richardson |Network and security consulting and contract programming
 Personal: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/SSW/).


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBNMkAq9iXVu0RiA21AQG2TQMAnCUiu9UH4Z2QjPxUAmsIEe8Ls7osEJ5Q
iM/ELXXtTHScNXWhva9i8KpFNNYzzn0EPZhJCMFHLlfmkGJ+3dIQfy7wmjp2vOFf
DoM0RoYc6z8XtYxlEI0d4AGgyNvRSE+T
=imkn
-----END PGP SIGNATURE-----
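The scenario argued over above (a global "AH required, any algorithm" policy, a passive socket that insists on HMAC-SHA-1, and a peer proposing HMAC-MD5) as an added worked example. This is not code from the message or from any PF_KEY implementation: the Policy record, the "weakest acceptable algorithm" representation, the strength ranking of HMAC-MD5 below HMAC-SHA-1, and the privileged_override flag standing in for "the caller is root" are all assumptions made here to show why key management must see per-socket policy, and what the "most secure union" of two policies looks like.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed ordering of AH authentication algorithms, weakest first. The
# thread only contrasts HMAC-MD5 and HMAC-SHA-1; the ranking is ours.
AUTH_STRENGTH = {"HMAC-MD5": 1, "HMAC-SHA-1": 2}


@dataclass(frozen=True)
class Policy:
    """Minimum protection a flow must get. auth_alg=None means "any AH
    algorithm will do" (the global policy in the thread); otherwise the
    named algorithm is the weakest one this policy accepts."""
    require_ah: bool
    auth_alg: Optional[str] = None

    def min_strength(self) -> int:
        if not self.require_ah:
            return 0
        return AUTH_STRENGTH[self.auth_alg] if self.auth_alg else 1


def most_secure_union(global_policy: Policy, socket_policy: Policy,
                      privileged_override: bool = False) -> Policy:
    """Combine global and per-socket policy.

    By default the result is the stronger of the two (the "most secure
    union" from the message): a socket may tighten policy but never
    loosen it. With privileged_override (the "caller is root" case) the
    socket policy wins outright, so it can weaken protection."""
    if privileged_override:
        return socket_policy
    return max((global_policy, socket_policy), key=Policy.min_strength)


def km_negotiate(policy: Policy, proposal: str) -> bool:
    """Key management (ISAKMP) side: accept the peer's AH proposal only
    if it satisfies the policy that key management has been told about."""
    if not policy.require_ah:
        return True
    return AUTH_STRENGTH.get(proposal, 0) >= policy.min_strength()


def inbound_check(socket_policy: Policy, sa_alg: Optional[str]) -> bool:
    """Kernel side: the per-socket check applied to every packet arriving
    on an SA. sa_alg is the AH algorithm the SA was negotiated with, or
    None when no SA exists."""
    if not socket_policy.require_ah:
        return True
    if sa_alg is None:
        return False
    return AUTH_STRENGTH[sa_alg] >= socket_policy.min_strength()


def simulate(global_policy: Policy, socket_policy: Policy, proposal: str,
             km_sees_socket_policy: bool) -> str:
    """Run the passive-side scenario and report what the remote peer sees:
    "rejected" (negotiation fails, so the peer learns why), "dropped" (the
    SA comes up but traffic silently dies on the per-socket check), or
    "ok"."""
    km_policy = (most_secure_union(global_policy, socket_policy)
                 if km_sees_socket_policy else global_policy)
    if not km_negotiate(km_policy, proposal):
        return "rejected"
    # An SA now exists with the proposed algorithm and packets start flowing.
    return "ok" if inbound_check(socket_policy, proposal) else "dropped"


# Constructed policies matching the thread: global "AH, any algorithm",
# and a listening socket that requires HMAC-SHA-1.
GLOBAL = Policy(require_ah=True)
LISTENER = Policy(require_ah=True, auth_alg="HMAC-SHA-1")

if __name__ == "__main__":
    # ISAKMP unaware of the socket policy: the SA comes up, packets are dropped.
    print(simulate(GLOBAL, LISTENER, "HMAC-MD5", km_sees_socket_policy=False))
    # ISAKMP told about it (what a passive-side ACQUIRE counterpart would do):
    print(simulate(GLOBAL, LISTENER, "HMAC-MD5", km_sees_socket_policy=True))
    # The reverse case: machine wants SHA-1, socket asks for MD5.
    strict_global = Policy(require_ah=True, auth_alg="HMAC-SHA-1")
    weak_socket = Policy(require_ah=True, auth_alg="HMAC-MD5")
    print(most_secure_union(strict_global, weak_socket).auth_alg)
    print(most_secure_union(strict_global, weak_socket,
                            privileged_override=True).auth_alg)
```

The two simulate() calls are the point of the thread: with key management blind to the per-socket requirement the peer gets a successful negotiation followed by a black hole, which is the worst outcome for debugging; once the per-socket policy is folded into what key management sees, the same proposal is refused up front. The last two lines show the "most secure union" keeping SHA-1 when a socket asks for less, and the override path that lets a privileged caller weaken it.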