application layer cross checking

[Michael Thomas <mat@cisco.com>]

I've had a nagging question for a long time which
I'm hoping that somebody can shed some light on.

Suppose I have a linux box running Freeswan
talking to a Solaris 8 box. Suppose also that we
have a way to mutually authenticate each other at
the IPsec level (pre-shared, certs, whatever).
Suppose also that this is just a transport mode
SA. Is there any API which prevents the following
kind of attack?

Mike's-box		Server
------------------------------
----------------------------->
IKE: DN=mike@mtcc.com

<-----------------------------
IKE: DN=server@server.com

----------------------------->
SIP: INVITE 
From: gwb@whitehouse.gov
[...]

<-----------------------------
200 OK, George


Ie, that I can authenticate myself for IPsec, but
forge my credentials at L7. I would expect that
there should be an API to get the credentials
presented for IPsec back up to the app. My
understanding is that Microsoft doesn't provide
any kernel API at all, and I didn't immediately
see anything in PFKEY, though I didn't look hard
so feel free to flame me.

If there's not such an API, what was the reason?
This would seem like a pretty heavy burden to
recreate all of the identity machinery at the app
level to cover this attack.

	       Mike

---

Follow-Ups:

• Re: application layer cross checking
• From: Derek Atkins <warlord@mit.edu>
• Re: application layer cross checking
• From: Bill Sommerfeld <sommerfeld@East.Sun.COM>
• Re: application layer cross checking
• From: Rick Smith at Secure Computing <rick_smith@securecomputing.com>
• Re: application layer cross checking
• From: Ramin Alidousti <ramin@uu.net>
• Re: application layer cross checking
• From: Ramin Alidousti <ramin@uu.net>

---

• Prev by Date: IPSec, dynamic IPv4 addresses and FreeBSD?
• Next by Date: Re: application layer cross checking
• Prev by thread: RE: IPSec, dynamic IPv4 addresses and FreeBSD?
• Next by thread: Re: application layer cross checking
• Index(es):
  • Main
  • Thread