Re: Per-socket policy and ISAKMP
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Dan" == Dan McDonald <danmcd@Eng.Sun.Com> writes:
Dan> and HMAC-SHA-1, and has a global policy that all traffic except
Dan> ISAKMP requires the use of AH, regardless of algorithm. This global
Dan> policy information is easily available to ISAKMP so it can negotiate
Dan> AH services effectively.
Okay.
Dan> The second session, however, is a passive session (e.g. a TCP or UDP
Dan> listener). Some other machine will send the initial packet, and
Dan> before that, an ISAKMP request. If some other machine requests
Dan> HMAC-MD5 for this session, two things can happen. If my ISAKMP is
Dan> not aware that the particular passive session requires SHA-1, the
Dan> ISAKMP negotiation will succeed, but packets will be dropped because
Dan> of per-session policy failure. (I.e. "I got AH with MD5, but I
I think the trick is here: ISAKMP "not aware" --- ISAKMP must be aware
of policy.
Dan> My question is, which is preferable? Do per-socket aberrations to
Dan> global policy get expressed to key management? Or do they not get
Dan> expressed?
Let's do the reverse: say the machine wants HMAC-SHA1 and the socket
requests MD5. Well, two things are possible: the system gives it MD5,
violating its own policy, or it takes the "most secure union" of the two.
But, maybe the caller is root, and is allowed to override policy?
Dan> If the answer is the former, BTW, look for a new PF_KEY message
Dan> that'll express this to a KMd. (It'll be a passive-side counterpart
Dan> to the ACQUIRE message.)
Yes, I think that is a good thing. I didn't realize it wasn't already there.
:!mcr!: | Sandelman Software Works Corporation, Ottawa, ON
Michael Richardson |Network and security consulting and contract programming
Personal: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
Corporate: sales@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/SSW/).
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQB1AwUBNMkAq9iXVu0RiA21AQG2TQMAnCUiu9UH4Z2QjPxUAmsIEe8Ls7osEJ5Q
iM/ELXXtTHScNXWhva9i8KpFNNYzzn0EPZhJCMFHLlfmkGJ+3dIQfy7wmjp2vOFf
DoM0RoYc6z8XtYxlEI0d4AGgyNvRSE+T
=imkn
-----END PGP SIGNATURE-----
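The policy interaction discussed in this exchange, as an added example that is not part of the message above and not code from any PF_KEY or ISAKMP implementation: a small Python model of a passive session under a global policy ("AH required, any algorithm") and a per-socket policy ("AH with HMAC-SHA-1"). It shows the two outcomes Dan describes when the key management daemon is, or is not, told about the socket's policy, and the reverse case (system wants SHA-1, socket asks for MD5) under a "most secure union" rule with an assumed root override. `Policy`, `most_secure_union`, `negotiate`, `packet_passes`, `passive_session` and the algorithm ranking `AH_RANK` are all invented for illustration; treating a per-socket algorithm as a minimum rather than an exact requirement is likewise an assumption.

```python
"""Model of global vs. per-socket IPsec policy reconciliation.

Constructed illustration only: none of these names or rules come from
PF_KEY, ISAKMP, or any real kernel. AH_RANK is an assumed strength
ordering (weakest to strongest) used to define "most secure".
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

AH_RANK = {"hmac-md5": 1, "hmac-sha1": 2}


@dataclass(frozen=True)
class Policy:
    """AH required or not, and a minimum AH algorithm (None = any)."""
    require_ah: bool
    ah_alg: Optional[str] = None

    def acceptable_algs(self) -> set[str]:
        """AH algorithms that satisfy this policy (assumption: ah_alg is a floor)."""
        if not self.require_ah or self.ah_alg is None:
            return set(AH_RANK)
        floor = AH_RANK[self.ah_alg]
        return {alg for alg, rank in AH_RANK.items() if rank >= floor}


def most_secure_union(system: Policy, sock: Policy,
                      caller_is_root: bool = False) -> Policy:
    """Combine the global policy with a per-socket request.

    Non-root caller: the stricter value wins on each axis.
    Root caller (assumed to be allowed to override policy): socket wins.
    """
    if caller_is_root:
        return sock
    require_ah = system.require_ah or sock.require_ah
    algs = [p.ah_alg for p in (system, sock) if p.ah_alg is not None]
    ah_alg = max(algs, key=lambda a: AH_RANK[a]) if algs else None
    return Policy(require_ah, ah_alg)


def negotiate(effective: Policy, peer_offers: list[str]) -> Optional[str]:
    """Passive-side responder: accept the first peer offer the policy allows."""
    allowed = effective.acceptable_algs()
    for alg in peer_offers:
        if alg in allowed:
            return alg
    return None  # negotiation fails


def packet_passes(sock_policy: Policy, sa_alg: Optional[str]) -> bool:
    """Per-session check applied to inbound packets on the established SA."""
    if sa_alg is None:
        return not sock_policy.require_ah
    return sa_alg in sock_policy.acceptable_algs()


def passive_session(system: Policy, sock: Policy, peer_offers: list[str],
                    kmd_aware: bool) -> tuple[Optional[str], bool]:
    """Return (negotiated AH algorithm or None, whether packets are accepted).

    kmd_aware=False: the KMd only sees global policy (no passive-side
    counterpart to ACQUIRE), so it may accept an SA the socket then rejects.
    kmd_aware=True: the KMd negotiates against the effective policy.
    """
    effective = most_secure_union(system, sock) if kmd_aware else system
    sa_alg = negotiate(effective, peer_offers)
    if sa_alg is None:
        return None, False
    return sa_alg, packet_passes(sock, sa_alg)


if __name__ == "__main__":
    glob = Policy(require_ah=True)                 # AH required, any algorithm
    listener = Policy(require_ah=True, ah_alg="hmac-sha1")
    peer = ["hmac-md5"]                            # remote initiator's offer
    print("KMd unaware:", passive_session(glob, listener, peer, False))
    print("KMd aware:  ", passive_session(glob, listener, peer, True))
    print("reverse, union:", most_secure_union(Policy(True, "hmac-sha1"),
                                                Policy(True, "hmac-md5")))
    print("reverse, root: ", most_secure_union(Policy(True, "hmac-sha1"),
                                                Policy(True, "hmac-md5"), True))
```

With the KMd unaware, the run returns an SA using HMAC-MD5 but `packet_passes` is false: the negotiation "succeeds" and traffic is then silently dropped, which is the failure mode the thread is worried about. With the KMd aware, the same offer fails at negotiation time instead, and a peer that also offers HMAC-SHA-1 gets a working SA.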