
Re: application layer cross checking



There is (currently) no API available to do what you want.
One reason is that IPSec authentication need not be user-based
authentication, so how would you pass that up to an application
and what good would it do?

-derek

Michael Thomas <mat@cisco.com> writes:

> I've had a nagging question for a long time which
> I'm hoping that somebody can shed some light on.
> 
> Suppose I have a linux box running Freeswan
> talking to a Solaris 8 box. Suppose also that we
> have a way to mutually authenticate each other at
> the IPsec level (pre-shared, certs, whatever).
> Suppose also that this is just a transport mode
> SA. Is there any API which prevents the following
> kind of attack?
> 
> Mike's-box		Server
> ------------------------------
> ----------------------------->
> IKE: DN=mike@mtcc.com
> 
> <-----------------------------
> IKE: DN=server@server.com
> 
> ----------------------------->
> SIP: INVITE 
> From: gwb@whitehouse.gov
> [...]
> 
> <-----------------------------
> 200 OK, George
> 
> 
> I.e., that I can authenticate myself for IPsec, but
> forge my credentials at L7. I would expect that
> there should be an API to get the credentials
> presented for IPsec back up to the app. My
> understanding is that Microsoft doesn't provide
> any kernel API at all, and I didn't immediately
> see anything in PFKEY, though I didn't look hard
> so feel free to flame me.
> 
> If there's not such an API, what was the reason?
> This would seem like a pretty heavy burden to
> recreate all of the identity machinery at the app
> level to cover this attack.
> 
> 	       Mike

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
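The cross-check Mike asks about, written out as an added example (not code from the thread or from any of the implementations named in it). It assumes the identity the peer proved at the IPsec/IKE layer is somehow available to the application as a user@host string, which is exactly the API the thread says does not exist; given that, the check parses the SIP From header and refuses a request whose L7 identity differs from the authenticated peer.

```python
import re
from typing import Optional, Tuple

# Constructed sample: the exchange from the thread. The peer authenticated
# to IKE as mike@mtcc.com, then sent an INVITE claiming to be someone else.
IKE_PEER_ID = "mike@mtcc.com"  # hypothetical value handed up from the IPsec layer
INVITE = (
    "INVITE sip:server@server.com SIP/2.0\r\n"
    'From: "George" <sip:gwb@whitehouse.gov>;tag=1928301774\r\n'
    "To: <sip:server@server.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "\r\n"
)

# Matches the user@host part of a sip: or sips: URI, with or without <> brackets.
_FROM_URI = re.compile(r"<?sips?:([^@>;\s]+@[^>;\s]+)>?")


def sip_from_identity(message: str) -> Optional[str]:
    """Return user@host from the From header of a SIP request, or None."""
    headers, _, _ = message.partition("\r\n\r\n")
    for line in headers.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("from", "f"):  # "f" is the compact form
            m = _FROM_URI.search(value)
            return m.group(1).lower() if m else None
    return None


def cross_check(message: str, ike_peer_id: str) -> Tuple[bool, str]:
    """Accept the request only if its From identity equals the IPsec peer identity."""
    claimed = sip_from_identity(message)
    if claimed is None:
        return False, "reject: no parseable From identity"
    if claimed != ike_peer_id.lower():
        return False, f"reject: L7 identity {claimed} != IPsec peer {ike_peer_id}"
    return True, f"accept: L7 identity matches IPsec peer {ike_peer_id}"


if __name__ == "__main__":
    print(cross_check(INVITE, IKE_PEER_ID))  # forged From is rejected
    honest = INVITE.replace("gwb@whitehouse.gov", "mike@mtcc.com")
    print(cross_check(honest, IKE_PEER_ID))  # matching From is accepted
```

The comparison is deliberately a plain string match; a deployment binding IKE identities to SIP users would need a mapping table when the two namespaces differ.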

