Re: MM with signatures and dynamic IP addresses?

[francisco_corella@hp.com]

Scott,

   <<
     I think that there must be some implied delegation. The problem here 
     is that if we don't provide some delegation mechanism, we run the risk 
     that some sgw may claim to represent an endpoint with access to our 
     network, and that someone may now put (spoofed) packets into the 
     tunnel. That sgw may be one that is granted access for some purpose, 
     but that we do not expect to represent the particular endpoint that it 
     subsequently impersonates. Nobody else (e.g routers along the way) can 
     see that this is occurring.
   >>
   
I'm not sure I understand all the details of the scenario you are 
describing.  Here are two comments (which may not be applicable if I have 
misunderstood):

(*) If the endpoint trusts the sgw sufficiently to delegate its 
capabilities to it, why wouldn't the peer that is negociating with the sgw 
trust the sgw?

(*) Wouldn't it be simpler set up a tunnel to the sgw, and then go through 
that tunnel to reach the endpoint and do an IKE exchange directly with the 
endpoint?
     
   <<
     By "one policy for phase 1" do you refer only to cryptographic parameters 
     (and not identities or authentication mechanisms), i.e all phase 1 SAs use 
     3DES/SHA1?
   >>
   
I refer to all the attributes that can be negociated in phase 1 using the SA 
payload and associated proposal and transform payloads.  These attributes are 
listed in Appendix A of the 5/99 Ike draft.

In particular, that includes the authentication mechanism.  For example, an 
ipsec administrator of an ipsec peer that implements preshared keys and 
signatures would have four choices for the phase 1 policy concerning the 
authentication mechanism:

(1) Use either preshared keys or signatures, with preshared keys preferred over 
signatures

(2) Use either preshared keys or signatures, with signatures preferred over 
preshared keys

(3) Use only preshared keys

(4) Use only signatures

Now suppose there are two such ipsec peers, and option (1) has been chosen for 
both of them.  Then the initiator will propose preshared keys as first choice, 
and signatures as second choice.  The responder also prefers preshared keys.  
However, the responder should first look up its database of preshared keys and 
check that it has a preshared key with the initiator.  If this is not the case, 
then the responder should choose signatures instead.

Can the responder do the preshared key lookup?  It definitely can in aggressive 
mode, since it has already received the Idi1 payload in message 1 by the time it
has to send the SA payload in message 2.  In main mode, on the other hand, the 
responder does not receive the Idi1 payload until message 5.  

But that's ok, because in main mode with preshared keys, the source IP addresses
are supposed to be used for identification instead of the ID payloads.  The 
responder will use the source IP address of the initiator to look up the 
database of preshared keys.  If a preshared key is not found for the source IP 
address of the initiator, then the responder will choose signatures instead.  
Authentication will then use the ID payloads exchanged in messages 5 and 6.

(By the way, that would not be ok if my recent proposal or other earlier 
proposals to fix main mode with preshared keys had been accepted.  So this could
be an argument against those proposals.  I'm now thinking that the best thing to
do about main mode with preshared keys would be to drop it altogether, since it 
does not seem to serve any useful purpose.  The advantage of main mode over 
aggressive mode is that it provides identity protection, but that advantage goes
away if the identity is the source IP address.  So why use main mode, which 
takes six messages, when aggressive mode does the same job with only three 
messages?)

Francisco


______________________________ Reply Separator _________________________________
Subject: Re: MM with signatures and dynamic IP addresses?
Author:  Non-HP-skelly (skelly@redcreek.com) at HP-ColSprings,mimegw5
Date:    12/22/99 1:44 PM


Hi Francisco,
     
francisco_corella@hp.com wrote:
     
<trimmed...>
     
> The way I interpret the Ike spec, the security gateway is simply trusted to ac
t
> on behalf of its clients and to vouch for the identity of its clients, without
> any cryptographic delegation of authority.  But one could do what you say if
> that trust is not there.
     
I think that there must be some implied delegation. The problem here is 
that if we don't provide some delegation mechanism, we run the risk that 
some sgw may claim to represent an endpoint with access to our network, 
and that someone may now put (spoofed) packets into the tunnel. That sgw 
may be one that is granted access for some purpose, but that we do not 
expect to represent the particular endpoint that it subsequently 
impersonates. Nobody else (e.g routers along the way) can see that this 
is occurring.
     
One way to provide for such delegation is to configure, as part of the 
phase 2 requirements, some phase 1 requirements including phase 1 
identities.
     
>  In any event, I think this is orthogonal to the
> question of whether it is OK to have only one policy for phase 1, independent 
of
> the identity of the peer.
     
By "one policy for phase 1" do you refer only to cryptographic 
parameters (and not identities or authentication mechanisms), i.e all 
phase 1 SAs use 3DES/SHA1?
     
Scott

---

References:

• Re: MM with signatures and dynamic IP addresses?
• From: "Scott G. Kelly" <skelly@redcreek.com>

---

• Prev by Date: I-D ACTION:draft-ietf-ipsec-isakmp-hybrid-auth-03.txt
• Next by Date: No Subject
• Prev by thread: Re: MM with signatures and dynamic IP addresses?
• Next by thread: Workshop CA's.....
• Index(es):
  • Main
  • Thread