
Re: application layer cross checking



Because applications may not be ipsec peers...  Or, in most cases,
ipsec will be host-based, not user-based?

-derek

Michael Thomas <mat@cisco.com> writes:

> Derek Atkins writes:
>  > There is (currently) no API available to do what you want.
>  > One reason is that IPSec authentication need not be user-based
>  > authentication, so how would you pass that up to an application
>  > and what good would it do?
> 
>    Well, for one thing it could prevent this attack. Isn't
>    that enough? I'm aware that there may be situations
>    where the two may differ, but there are probably 
>    an equal number where identities are the same, so
>    why should each application have to roll its own
>    identity module in that case?
> 
> 		  Mike
> 
>  > 
>  > -derek
>  > 
>  > Michael Thomas <mat@cisco.com> writes:
>  > 
>  > > I've had a nagging question for a long time which
>  > > I'm hoping that somebody can shed some light on.
>  > > 
>  > > Suppose I have a linux box running Freeswan
>  > > talking to a Solaris 8 box. Suppose also that we
>  > > have a way to mutually authenticate each other at
>  > > the IPsec level (pre-shared, certs, whatever).
>  > > Suppose also that this is just a transport mode
>  > > SA. Is there any API which prevents the following
>  > > kind of attack?
>  > > 
>  > > Mike's-box		Server
>  > > ------------------------------
>  > > ----------------------------->
>  > > IKE: DN=mike@mtcc.com
>  > > 
>  > > <-----------------------------
>  > > IKE: DN=server@server.com
>  > > 
>  > > ----------------------------->
>  > > SIP: INVITE 
>  > > From: gwb@whitehouse.gov
>  > > [...]
>  > > 
>  > > <-----------------------------
>  > > 200 OK, George
>  > > 
>  > > 
>  > > Ie, that I can authenticate myself for IPsec, but
>  > > forge my credentials at L7. I would expect that
>  > > there should be an API to get the credentials
>  > > presented for IPsec back up to the app. My
>  > > understanding is that Microsoft doesn't provide
>  > > any kernel API at all, and I didn't immediately
>  > > see anything in PFKEY, though I didn't look hard
>  > > so feel free to flame me.
>  > > 
>  > > If there's not such an API, what was the reason?
>  > > This would seem like a pretty heavy burden to
>  > > recreate all of the identity machinery at the app
>  > > level to cover this attack.
>  > > 
>  > > 	       Mike
>  > 
>  > -- 
>  >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>  >        Member, MIT Student Information Processing Board  (SIPB)
>  >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>  >        warlord@MIT.EDU                        PGP key available

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
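The cross-check the thread is asking for, as an added example (not code from the list, Freeswan or any real IPsec stack): the IKE-authenticated peer identity is compared against the identity claimed in the SIP From header, so the forged INVITE in Mike's diagram is rejected rather than answered with "200 OK, George". There is no real API for fetching the SA identity here; `IpsecPeer`, the host name `mikes-box.mtcc.com` and the `HOST_TO_USERS` policy are constructed stand-ins, and the host-based branch models Derek's point that a host identity alone cannot be equated with a user.

```python
"""Application-layer cross-check of the IPsec peer identity against SIP From."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IpsecPeer:
    """Constructed stand-in for what an SA-lookup API would hand the application:
    the ID payload authenticated during IKE, either a user (e-mail style) or a host."""
    id_type: str   # "user" or "host"
    identity: str  # e.g. "mike@mtcc.com" or "mikes-box.mtcc.com"


# Host-based SAs carry no user, so the app needs a policy saying which L7
# identities each authenticated host may assert. Constructed sample policy.
HOST_TO_USERS = {"mikes-box.mtcc.com": {"mike@mtcc.com"}}

# From header: optional quoted display name, optional <...>, optional sip:/sips: scheme.
_FROM_RE = re.compile(r'^From:\s*(?:"[^"]*"\s*)?<?(?:sips?:)?([^>;\s]+)', re.I | re.M)


def sip_from_identity(message: str) -> Optional[str]:
    """Return the user@domain asserted in the SIP From header, or None if absent."""
    m = _FROM_RE.search(message)
    return m.group(1).lower() if m else None


def cross_check(peer: IpsecPeer, message: str) -> bool:
    """True only if the L7 identity is consistent with the IKE-authenticated peer."""
    claimed = sip_from_identity(message)
    if claimed is None:
        return False                      # no asserted identity: nothing to trust
    if peer.id_type == "user":
        return claimed == peer.identity.lower()
    if peer.id_type == "host":            # host SA: consult the host->users policy
        return claimed in HOST_TO_USERS.get(peer.identity.lower(), set())
    return False                          # unknown identity type: fail closed


# Constructed messages reproducing the exchange in the thread.
FORGED_INVITE = "INVITE sip:server@server.com SIP/2.0\r\nFrom: <sip:gwb@whitehouse.gov>\r\n"
HONEST_INVITE = 'INVITE sip:server@server.com SIP/2.0\r\nFrom: "Mike" <sip:mike@mtcc.com>;tag=1\r\n'

if __name__ == "__main__":
    peer = IpsecPeer("user", "mike@mtcc.com")
    print(cross_check(peer, FORGED_INVITE))  # False: IKE says mike, L7 claims gwb
    print(cross_check(peer, HONEST_INVITE))  # True
```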

