
Re: Using Legacy Authentication for IPSRA (was : xauthrequirements: vulnerabilities)



sara,

>
>When an IPSec implementation is examining an IP packet against the SPD it has
>no clue which DNS name or DN name matches the IP addresses in the header.
>I think that the purpose of the authentication process is to bind a DN or DNS
>name to an IP address so that matching of a packet against the SPD is possible.

This is true for a security gateway, but not for a native end system
implementation.

>> IPsec does not support
>> authentication of a compound principal, or of a user and a system
>> independently.  It would not make sense to do so unless there was a
>> corresponding SPD entry type for compound principals.
>
>I don't think IPSec needs to support compound principals.
>I do think that we need to define requirements from the authentication
>process that binds between the DN and the IP address. I think this should
>be an IPSec extension, and part of the IPSRA work.
>In this context I think this taxonomy is helpful.

I think that the existing architecture provides for binding between any of
the approved name forms and the IP addresses used in an SA.  In order to
support name (vs. address) entries in an SPD in a security gateway, a
compliant implementation must already be able to do this, so it's not an
extension.

Steve
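The point Steve makes about name-based SPD entries can be seen in a small model. The following is an added example, not code from the list thread or from any IPsec implementation: a toy security gateway whose SPD holds both address selectors and name selectors (DN or DNS name). A name-based entry cannot match a packet by itself; it matches only after the authentication step has bound that name to the peer's IP address for an SA, which is exactly the binding a compliant gateway must already maintain. All class and function names (`SecurityGateway`, `Identity`, `bind_sa`, `lookup`) and the sample addresses are illustrative assumptions.

```python
# Added example (not from the thread): a toy security gateway whose SPD holds
# both address selectors and name selectors, showing why a name-based entry can
# only match a packet once authentication has bound that name to the peer's IP
# address for an SA. Names and sample values here are illustrative.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class Identity:
    """An approved name form carried in authentication: a DN or a DNS name."""
    kind: str    # "DN" or "FQDN"
    value: str


Selector = Union[Identity, IPv4Network, IPv6Network]


@dataclass
class SPDEntry:
    selector: Selector
    action: str      # "protect", "bypass" or "discard"


class SecurityGateway:
    def __init__(self) -> None:
        self.spd: List[SPDEntry] = []            # ordered; first match wins
        # peer address -> identity authenticated when the SA was negotiated
        self.sa_bindings: Dict[object, Identity] = {}

    def add_policy(self, selector: Selector, action: str) -> None:
        self.spd.append(SPDEntry(selector, action))

    def bind_sa(self, peer_addr: str, identity: Identity) -> None:
        """Record the name-to-address binding established by SA authentication."""
        self.sa_bindings[ip_address(peer_addr)] = identity

    def unbind_sa(self, peer_addr: str) -> None:
        """Drop the binding when the SA is deleted; name entries stop matching."""
        self.sa_bindings.pop(ip_address(peer_addr), None)

    def lookup(self, src_addr: str) -> str:
        """Match a packet's source address against the SPD and return the action."""
        addr = ip_address(src_addr)
        ident: Optional[Identity] = self.sa_bindings.get(addr)
        for entry in self.spd:
            sel = entry.selector
            if isinstance(sel, Identity):
                # Name selector: matches only via the authenticated binding.
                if ident == sel:
                    return entry.action
            elif addr in sel:
                # Address selector: matched directly from the packet header.
                return entry.action
        return "discard"  # no SPD entry matched: default-deny


def demo() -> Dict[str, str]:
    """Exercise the gateway with constructed policies and addresses."""
    gw = SecurityGateway()
    gw.add_policy(ip_network("10.0.0.0/8"), "protect")
    gw.add_policy(Identity("FQDN", "roadwarrior.example.net"), "protect")
    results: Dict[str, str] = {}
    results["address_match"] = gw.lookup("10.1.2.3")        # address selector
    results["name_unbound"] = gw.lookup("192.0.2.7")        # no binding yet
    gw.bind_sa("192.0.2.7", Identity("FQDN", "roadwarrior.example.net"))
    results["name_bound"] = gw.lookup("192.0.2.7")          # bound by authentication
    gw.bind_sa("192.0.2.8", Identity("DN", "CN=someone else"))
    results["other_identity"] = gw.lookup("192.0.2.8")      # bound, but no entry
    gw.unbind_sa("192.0.2.7")
    results["after_unbind"] = gw.lookup("192.0.2.7")        # binding gone again
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The default of discarding an unmatched packet follows the SPD semantics of the IPsec architecture; the model keeps one binding per peer address, which is the gateway case from the thread, whereas a native end-system implementation already knows its own identity and does not need the binding to match its own traffic.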

