Re: application layer cross checking
Because applications may not be ipsec peers... Or, in most cases,
ipsec will be host-based, not user-based?
-derek
Michael Thomas <mat@cisco.com> writes:
> Derek Atkins writes:
> > There is (currently) no API available to do what you want.
> > One reason is that IPSec authentication need not be user-based
> > authentication, so how would you pass that up to an application
> > and what good would it do?
>
> Well, for one thing it could prevent this attack. Isn't
> that enough? I'm aware that there may be situations
> where the two may differ, but there are probably
> an equal number where identities are the same, so
> why should each application have to roll its own
> identity module in that case?
>
> Mike
>
> >
> > -derek
> >
> > Michael Thomas <mat@cisco.com> writes:
> >
> > > I've had a nagging question for a long time which
> > > I'm hoping that somebody can shed some light on.
> > >
> > > Suppose I have a linux box running Freeswan
> > > talking to a Solaris 8 box. Suppose also that we
> > > have a way to mutually authenticate each other at
> > > the IPsec level (pre-shared, certs, whatever).
> > > Suppose also that this is just a transport mode
> > > SA. Is there any API which prevents the following
> > > kind of attack?
> > >
> > > Mike's-box Server
> > > ------------------------------
> > > ----------------------------->
> > > IKE: DN=mike@mtcc.com
> > >
> > > <-----------------------------
> > > IKE: DN=server@server.com
> > >
> > > ----------------------------->
> > > SIP: INVITE
> > > From: gwb@whitehouse.gov
> > > [...]
> > >
> > > <-----------------------------
> > > 200 OK, George
> > >
> > >
> > > I.e., that I can authenticate myself for IPsec, but
> > > forge my credentials at L7. I would expect that
> > > there should be an API to get the credentials
> > > presented for IPsec back up to the app. My
> > > understanding is that Microsoft doesn't provide
> > > any kernel API at all, and I didn't immediately
> > > see anything in PFKEY, though I didn't look hard
> > > so feel free to flame me.
> > >
> > > If there's not such an API, what was the reason?
> > > This would seem like a pretty heavy burden to
> > > recreate all of the identity machinery at the app
> > > level to cover this attack.
> > >
> > > Mike
> >
> > --
> > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > Member, MIT Student Information Processing Board (SIPB)
> > URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> > warlord@MIT.EDU PGP key available
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
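An added example, not from the thread, of the application-layer cross-check Mike is asking about: the SIP From identity is compared against the identity the IKE peer authenticated with. Since the thread notes there is no API that hands the SA identity up to the application, the SA records here are hypothetical stand-ins, and the matching policy for user-based versus host-based IKE identities (Derek's distinction) is an assumption of the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample SIP requests modelled on the exchange in the thread.
SIP_INVITE_FORGED = (
    "INVITE sip:server@server.com SIP/2.0\r\n"
    "From: George <sip:gwb@whitehouse.gov>;tag=1928\r\n"
    "To: <sip:server@server.com>\r\n\r\n"
)
SIP_INVITE_HONEST = SIP_INVITE_FORGED.replace(
    "George <sip:gwb@whitehouse.gov>", "<sip:mike@mtcc.com>")

# Hypothetical records standing in for what an IPsec-identity API would
# return for the SA a packet arrived on; ID type names follow RFC 2407.
SA_USER = {"id_type": "ID_USER_FQDN", "id": "mike@mtcc.com"}
SA_HOST = {"id_type": "ID_FQDN", "id": "pc.mtcc.com"}
SA_ADDR = {"id_type": "ID_IPV4_ADDR", "id": "192.0.2.10"}

FROM_RE = re.compile(r"^From:[^<\r\n]*?<?sip:([^>;\s]+)", re.I | re.M)


def sip_from_identity(msg: str) -> Optional[str]:
    """Return the user@host asserted in the SIP From header, or None."""
    m = FROM_RE.search(msg)
    return m.group(1).lower() if m else None


def cross_check(sa: dict, msg: str) -> Tuple[str, str]:
    """Compare the L7 (SIP From) identity with the L3 (IKE) peer identity.

    Returns (verdict, reason) with verdict "match", "mismatch" or
    "unverifiable". Policy (an assumption of this example): a user
    identity on the SA must equal the From address; a host identity can
    only vouch for the domain part; an address identity vouches for
    nothing at L7, so the application must authenticate on its own.
    """
    claimed = sip_from_identity(msg)
    if claimed is None:
        return "mismatch", "no parseable From header"
    peer_type, peer_id = sa["id_type"], sa["id"].lower()
    if peer_type == "ID_USER_FQDN":
        if claimed == peer_id:
            return "match", f"From {claimed} equals IKE user id"
        return "mismatch", f"From {claimed} but IKE user id is {peer_id}"
    if peer_type == "ID_FQDN":
        # Host-based SA: accept only From addresses in the host's domain.
        peer_domain = peer_id.split(".", 1)[-1]
        claimed_domain = claimed.rsplit("@", 1)[-1]
        if claimed_domain == peer_domain:
            return "match", f"From domain {claimed_domain} matches {peer_id}"
        return "mismatch", f"From domain {claimed_domain} not under {peer_id}"
    return "unverifiable", f"IKE id type {peer_type} carries no L7 identity"
```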