Re: application layer cross checking
There is (currently) no API available to do what you want.
One reason is that IPSec authentication need not be user-based
authentication, so how would you pass that up to an application
and what good would it do?
-derek
Michael Thomas <mat@cisco.com> writes:
> I've had a nagging question for a long time which
> I'm hoping that somebody can shed some light on.
>
> Suppose I have a linux box running Freeswan
> talking to a Solaris 8 box. Suppose also that we
> have a way to mutually authenticate each other at
> the IPsec level (pre-shared, certs, whatever).
> Suppose also that this is just a transport mode
> SA. Is there any API which prevents the following
> kind of attack?
>
> Mike's-box Server
> ------------------------------
> ----------------------------->
> IKE: DN=mike@mtcc.com
>
> <-----------------------------
> IKE: DN=server@server.com
>
> ----------------------------->
> SIP: INVITE
> From: gwb@whitehouse.gov
> [...]
>
> <-----------------------------
> 200 OK, George
>
>
> I.e., that I can authenticate myself for IPsec, but
> forge my credentials at L7. I would expect that
> there should be an API to get the credentials
> presented for IPsec back up to the app. My
> understanding is that Microsoft doesn't provide
> any kernel API at all, and I didn't immediately
> see anything in PFKEY, though I didn't look hard
> so feel free to flame me.
>
> If there's not such an API, what was the reason?
> This would seem like a pretty heavy burden to
> recreate all of the identity machinery at the app
> level to cover this attack.
>
> Mike
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
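The cross check Mike is asking for, as an added example that is not code from either poster. Since the thread's point is that no PF_KEY or kernel API hands the IKE identity up to the application, this example simply takes the authenticated peer identity as a parameter (a stand-in for that missing API) and shows what the application would do with it: parse the From header of the SIP request and refuse the request if the layer-7 identity does not match the identity IKE authenticated. The SIP messages are constructed to mirror the exchange in the post; the mapping of an X.500 DN to an address via its emailAddress attribute is an assumption for illustration.

```python
"""Application-layer cross check of an IKE-authenticated peer identity against
the identity a SIP request claims at layer 7.

Added example, not code from the original thread.  The IKE identity is passed
in as a plain parameter because, as the reply notes, no API exists to fetch it.
"""
import re

# Matches the URI inside a SIP From header, with or without a display name and
# angle brackets; the ;tag= parameter is excluded by the character class, e.g.
#   From: "George" <sip:gwb@whitehouse.gov>;tag=1234  ->  gwb@whitehouse.gov
_FROM_URI = re.compile(r'<?\s*(?:sip|sips|mailto):([^>;\s]+)', re.IGNORECASE)


def parse_sip_from(request: str) -> str:
    """Return the user@host from the From header of a SIP request, lowercased."""
    for line in request.splitlines():
        name, sep, value = line.partition(':')
        if sep and name.strip().lower() in ('from', 'f'):   # 'f' is the compact form
            m = _FROM_URI.search(value)
            if m:
                return m.group(1).strip().lower()
            # Bare address without a scheme, e.g. "From: gwb@whitehouse.gov"
            bare = value.split(';', 1)[0].strip().strip('<>').lower()
            if '@' in bare:
                return bare
            break
    raise ValueError('no usable From header')


def ike_id_to_address(ike_id: str) -> str:
    """Normalize an IKE identity to user@host.

    Accepts a plain RFC 822 address (ID_RFC822_ADDR) or an X.500 DN carrying an
    emailAddress/E attribute.  The DN handling is an assumption for illustration;
    a real deployment would pin down exactly which ID types it trusts.
    """
    ike_id = ike_id.strip()
    if '@' in ike_id and '=' not in ike_id:
        return ike_id.lower()
    for part in ike_id.split(','):
        k, sep, v = part.partition('=')
        if sep and k.strip().upper() in ('EMAILADDRESS', 'E'):
            return v.strip().lower()
    raise ValueError('IKE identity carries no usable address: %r' % ike_id)


def cross_check(ike_id: str, request: str) -> bool:
    """True only if the L7 From identity matches the IPsec-authenticated identity."""
    return parse_sip_from(request) == ike_id_to_address(ike_id)


# Constructed sample traffic mirroring the exchange in the post.
FORGED_INVITE = ("INVITE sip:server@server.com SIP/2.0\r\n"
                 "From: <sip:gwb@whitehouse.gov>;tag=9fxced76sl\r\n"
                 "To: <sip:server@server.com>\r\n")
HONEST_INVITE = ("INVITE sip:server@server.com SIP/2.0\r\n"
                 "From: \"Mike\" <sip:mike@mtcc.com>;tag=1928301774\r\n"
                 "To: <sip:server@server.com>\r\n")

if __name__ == '__main__':
    peer = 'mike@mtcc.com'   # what IKE authenticated; assumed to be obtainable
    for label, req in (('forged', FORGED_INVITE), ('honest', HONEST_INVITE)):
        print(label, 'accept' if cross_check(peer, req) else 'reject')
```

The check is deliberately an exact match after normalization; anything looser (prefix or domain-only matching) reintroduces the forgery the post describes, since the attacker controls every byte of the From header.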