
Re: application layer cross checking



Derek Atkins writes:
 > There is (currently) no API available to do what you want.
 > One reason is that IPSec authentication need not be user-based
 > authentication, so how would you pass that up to an application
 > and what good would it do?

   Well, for one thing it could prevent this attack. Isn't
   that enough? I'm aware that there may be situations
   where the two may differ, but there are probably 
   an equal number where identities are the same, so
   why should each application have to roll its own
   identity module in that case?

		  Mike

 > 
 > -derek
 > 
 > Michael Thomas <mat@cisco.com> writes:
 > 
 > > I've had a nagging question for a long time which
 > > I'm hoping that somebody can shed some light on.
 > > 
 > > Suppose I have a linux box running Freeswan
 > > talking to a Solaris 8 box. Suppose also that we
 > > have a way to mutually authenticate each other at
 > > the IPsec level (pre-shared, certs, whatever).
 > > Suppose also that this is just a transport mode
 > > SA. Is there any API which prevents the following
 > > kind of attack?
 > > 
 > > Mike's-box		Server
 > > ------------------------------
 > > ----------------------------->
 > > IKE: DN=mike@mtcc.com
 > > 
 > > <-----------------------------
 > > IKE: DN=server@server.com
 > > 
 > > ----------------------------->
 > > SIP: INVITE 
 > > From: gwb@whitehouse.gov
 > > [...]
 > > 
 > > <-----------------------------
 > > 200 OK, George
 > > 
 > > 
 > > I.e., that I can authenticate myself for IPsec, but
 > > forge my credentials at L7. I would expect that
 > > there should be an API to get the credentials
 > > presented for IPsec back up to the app. My
 > > understanding is that Microsoft doesn't provide
 > > any kernel API at all, and I didn't immediately
 > > see anything in PFKEY, though I didn't look hard
 > > so feel free to flame me.
 > > 
 > > If there's not such an API, what was the reason?
 > > This would seem like a pretty heavy burden to
 > > recreate all of the identity machinery at the app
 > > level to cover this attack.
 > > 
 > > 	       Mike
 > 
 > -- 
 >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
 >        Member, MIT Student Information Processing Board  (SIPB)
 >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
 >        warlord@MIT.EDU                        PGP key available
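The cross-check Mike is asking for, as an added example that is not part of the thread: a SIP server that compares the IKE identity of the peer on the transport-mode SA with the identity claimed in the INVITE's From: header, and refuses the request when they disagree. Nothing on the page supplies an API that hands the IKE identity to the application (that is the gap under discussion), so the identity is passed in by the caller here. The ID type names follow the IPsec DOI (RFC 2407), the mapping policy (ID_USER_FQDN must equal user@host, ID_FQDN must equal the From: domain, everything else fails closed) is this example's own assumption, and the SIP messages are constructed.

```python
"""Cross-check the IKE-authenticated peer identity against a SIP From: header.

Added example, not from the original thread. It assumes the application can
obtain the IKE identity of the peer on the transport-mode SA; since the page
describes no such API, the identity is simply passed in as an argument.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# IKE identity types as named in the IPsec DOI (RFC 2407); only the
# name-like ones are meaningful for an application-layer cross-check.
ID_FQDN = "ID_FQDN"            # e.g. "server.com"
ID_USER_FQDN = "ID_USER_FQDN"  # e.g. "mike@mtcc.com"


@dataclass(frozen=True)
class IkeIdentity:
    id_type: str
    value: str


# Minimal From: URI matcher. Handles the common shapes:
#   From: "George" <sip:gwb@whitehouse.gov>;tag=49583
#   From: sip:gwb@whitehouse.gov
#   From: <sips:mike@mtcc.com:5060>
# The host group stops at ':' so a port is dropped (no IPv6 literal support).
_FROM_URI = re.compile(r"<?\s*sips?:(?:([^@>;\s]+)@)?([^>;:\s]+)", re.IGNORECASE)


def parse_sip_from(message: str) -> Optional[Tuple[Optional[str], str]]:
    """Return (user, host) from the From:/f: header, lower-cased, or None."""
    headers, _, _ = message.partition("\r\n\r\n")   # headers end at the blank line
    for line in headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("from", "f"):
            m = _FROM_URI.search(value)
            if not m:
                return None
            user = m.group(1).lower() if m.group(1) else None
            return user, m.group(2).lower()
    return None


def cross_check(ike: IkeIdentity, sip_message: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Policy is an assumption of this example:
    - ID_USER_FQDN must equal the From: URI's user@host exactly;
    - ID_FQDN must equal the From: URI's host (peer vouches for its domain only);
    - any other ID type, or an unparsable From:, is rejected (fail closed)."""
    parsed = parse_sip_from(sip_message)
    if parsed is None:
        return False, "no parsable From: header"
    user, host = parsed
    ike_value = ike.value.lower()
    if ike.id_type == ID_USER_FQDN:
        claimed = f"{user}@{host}" if user else host
        if claimed == ike_value:
            return True, "From: matches IKE ID_USER_FQDN"
        return False, f"From: claims {claimed} but IKE peer authenticated as {ike_value}"
    if ike.id_type == ID_FQDN:
        if host == ike_value:
            return True, "From: domain matches IKE ID_FQDN"
        return False, f"From: domain {host} but IKE peer authenticated as {ike_value}"
    return False, f"unsupported IKE ID type {ike.id_type}"


# Constructed sample: the forged INVITE sketched in the thread, sent over an
# SA whose IKE identity is mike@mtcc.com.
FORGED_INVITE = (
    "INVITE sip:server@server.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP mikes-box.mtcc.com;branch=z9hG4bK776\r\n"
    'From: "George" <sip:gwb@whitehouse.gov>;tag=49583\r\n'
    "To: <sip:server@server.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "\r\n"
)
# Constructed sample: the same INVITE with a From: that matches the IKE identity.
HONEST_INVITE = FORGED_INVITE.replace("gwb@whitehouse.gov", "mike@mtcc.com")


if __name__ == "__main__":
    peer = IkeIdentity(ID_USER_FQDN, "mike@mtcc.com")   # what IKE authenticated
    for label, msg in (("forged", FORGED_INVITE), ("honest", HONEST_INVITE)):
        ok, why = cross_check(peer, msg)
        print(f"{label}: {'200 OK' if ok else '403 Forbidden'} ({why})")
```

With the identity from the IKE exchange in the thread (mike@mtcc.com) the forged INVITE is refused and the honest one accepted; the check is only as good as the path by which the IPsec stack reports that identity to the application, which is exactly what the thread says is missing.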

