
IKE DOIs (was Re: Agenda for the Minneapolis meeting )



Dan
   You mentioned a concern in your earlier note that parsing was problematic
because the DOI field is in the SA payload and parsing commences before
the context is identified.  I think we agree that this is not necessarily
inefficient.  Is it insecure?

At 03:11 PM 3/15/2001 -0800, Dan Harkins wrote:
>   They are "similar" but not "identical". Therefore they are different.
>
>   I'm sure the implementations you refer to are very efficient and also
>very secure. It is still a bad idea. The complexity of the daemon
>listening on that port grows and the security of every protocol becomes
>tied to whatever else is being multiplexed. An attack on the FOO exchange
>in the BAR DOI could be used to create bogus IPsec SAs.

    I don't see why it is more secure to have N independent key management
implementations updating the SAD, accessing private keys, and doing other
things that impact security rather than having them integrated into one
implementation, which can undergo a single security analysis.  I don't
understand why we would want to have one key management protocol used if
there's a unicast address in an ESP flow but a different key management
protocol used if there is a multicast address.  I don't see how this is more
secure and it sure doesn't make much sense to me.

Mark


>   Dan.
>
>On Thu, 15 Mar 2001 14:40:32 PST you wrote
> > Dan
> >     It would be one thing to run, say, nfs and ftp on the same port.
> > I would call that "running two different protocols on the same port."
> > That being one case, what do you call it when DOIs which use
> > similar payloads, similar exchanges, and the same header with
> > a switch to identify them are run on the same port?  It is misleading
> > to suggest that the first case is the same as the second.
> >
> > At 02:04 PM 3/15/2001 -0800, Dan Harkins wrote:
> > >   That just isn't true. KINK defines new payloads and is, itself, a
> > >new exchange. The group DOI is for multicast security and since IKE
> > >establishes a shared symmetric key between two parties and two parties
> > >only a new multicast key exchange has to be defined. Neither of these
> >
> > GDOI uses that pair-wise symmetric key.
> >
> > >things should speak out of UDP port 500.
> >
> > I don't know yet if sharing the same port among different DOIs
> > is an important issue but it's clear that the protocol is designed to
> > demultiplex exchanges that belong to different DOIs.  I know of
> > two implementations where this was implemented very efficiently.
> >
> > Mark
> >
> >
> > >   Dan.
> >
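The demultiplexing that the thread argues over can be made concrete. The following Python is an added example, not code from either poster or from any IKE implementation: it parses an ISAKMP datagram only as far as is needed to learn its DOI (fixed header, then the SA payload's generic header, then the DOI word, following the field layout of RFC 2408), and dispatches to a per-DOI handler only after every length field has been checked against the datagram. The DOI numbers in DOI_NAMES and the sample message built by build_message are assumptions for the example; real cookies and situation values would of course differ.

```python
import struct

# ISAKMP fixed header (RFC 2408 section 3.1): two 8-byte cookies, next payload,
# version, exchange type, flags, message ID, total length. 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header (RFC 2408 section 3.2): next payload, reserved, length.
GENERIC_HDR = struct.Struct("!BBH")
# SA payload body begins with DOI and Situation, both 32-bit (RFC 2408 section 3.4).
SA_BODY = struct.Struct("!II")

PAYLOAD_SA = 1          # payload type of the Security Association payload
ISAKMP_VERSION = 0x10   # major 1, minor 0

# DOI numbers as assumed here for the example (generic ISAKMP, IPsec DOI, GDOI).
DOI_NAMES = {0: "ISAKMP", 1: "IPsec", 2: "GDOI"}


def build_message(doi, situation=1, exchange_type=2, body=b""):
    """Construct a minimal message whose first payload is an SA payload.
    Sample data only: the cookies are fixed bytes rather than random."""
    sa_payload = (GENERIC_HDR.pack(0, 0, GENERIC_HDR.size + SA_BODY.size + len(body))
                  + SA_BODY.pack(doi, situation) + body)
    total = ISAKMP_HDR.size + len(sa_payload)
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, PAYLOAD_SA, ISAKMP_VERSION,
                          exchange_type, 0, 0, total)
    return hdr + sa_payload


def identify_doi(buf):
    """Parse only as much as is needed to learn which DOI the message belongs to.
    Every length is checked against the datagram before it is trusted."""
    if len(buf) < ISAKMP_HDR.size:
        raise ValueError("short header")
    (_, _, next_payload, version, _, _, _, length) = ISAKMP_HDR.unpack_from(buf)
    if version >> 4 != 1:
        raise ValueError("unsupported major version")
    if length != len(buf):
        raise ValueError("header length does not match datagram")
    if next_payload != PAYLOAD_SA:
        raise ValueError("first payload is not an SA payload")
    off = ISAKMP_HDR.size
    if len(buf) < off + GENERIC_HDR.size + SA_BODY.size:
        raise ValueError("short SA payload")
    _, _, plen = GENERIC_HDR.unpack_from(buf, off)
    if plen < GENERIC_HDR.size + SA_BODY.size or off + plen > len(buf):
        raise ValueError("bad SA payload length")
    doi, _situation = SA_BODY.unpack_from(buf, off + GENERIC_HDR.size)
    return doi


def dispatch(buf, handlers):
    """Demultiplex on the DOI. Malformed datagrams and unknown DOIs are dropped
    before any DOI-specific parsing runs; only the matching handler ever sees
    the rest of the message, so per-DOI code stays separable for review."""
    try:
        doi = identify_doi(buf)
    except ValueError as e:
        return ("drop", str(e))
    handler = handlers.get(doi)
    if handler is None:
        return ("drop", "unknown DOI %d" % doi)
    return ("ok", handler(buf))


if __name__ == "__main__":
    handlers = {1: lambda b: "handled by IPsec DOI code",
                2: lambda b: "handled by GDOI code"}
    for doi in (1, 2, 99):
        print(DOI_NAMES.get(doi, "?"), dispatch(build_message(doi), handlers))
```

The DOI is known only after the 28-byte header and the 4-byte generic payload header have been consumed, which is the parsing order the thread is discussing; the cost is a handful of bounds checks before the switch, and the benefit for review is that each DOI's handler can be analysed on its own while the shared prefix parser is the only code that runs on every datagram.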

