
Re: application layer cross checking



Derek Atkins writes:
 > Because applications may not be ipsec peers...  Or, in most cases,
 > ipsec will be host-based, not user-based?

   What's the difference? Why shouldn't I be able to
   tell the socket layer which identity I want it 
   to use for a particular 5-tuple, and the receiving
   end be able to verify that, including the application
   layer being able to cross check? 
 
   If you can't do that, it sure seems like transport
   mode is severely hamstrung. As in, why bother?

	   Mike

 > 
 > -derek
 > 
 > Michael Thomas <mat@cisco.com> writes:
 > 
 > > Derek Atkins writes:
 > >  > There is (currently) no API available to do what you want.
 > >  > One reason is that IPSec authentication need not be user-based
 > >  > authentication, so how would you pass that up to an application
 > >  > and what good would it do?
 > > 
 > >    Well, for one thing it could prevent this attack. Isn't
 > >    that enough? I'm aware that there may be situations
 > >    where the two may differ, but there are probably 
 > >    an equal number where identities are the same, so
 > >    why should each application have to roll its own
 > >    identity module in that case?
 > > 
 > > 		  Mike
 > > 
 > >  > 
 > >  > -derek
 > >  > 
 > >  > Michael Thomas <mat@cisco.com> writes:
 > >  > 
 > >  > > I've had a nagging question for a long time which
 > >  > > I'm hoping that somebody can shed some light on.
 > >  > > 
 > >  > > Suppose I have a linux box running Freeswan
 > >  > > talking to a Solaris 8 box. Suppose also that we
 > >  > > have a way to mutually authenticate each other at
 > >  > > the IPsec level (pre-shared, certs, whatever).
 > >  > > Suppose also that this is just a transport mode
 > >  > > SA. Is there any API which prevents the following
 > >  > > kind of attack?
 > >  > > 
 > >  > > Mike's-box		Server
 > >  > > ------------------------------
 > >  > > ----------------------------->
 > >  > > IKE: DN=mike@mtcc.com
 > >  > > 
 > >  > > <-----------------------------
 > >  > > IKE: DN=server@server.com
 > >  > > 
 > >  > > ----------------------------->
 > >  > > SIP: INVITE 
 > >  > > From: gwb@whitehouse.gov
 > >  > > [...]
 > >  > > 
 > >  > > <-----------------------------
 > >  > > 200 OK, George
 > >  > > 
 > >  > > 
 > >  > > I.e., that I can authenticate myself for IPsec, but
 > >  > > forge my credentials at L7. I would expect that
 > >  > > there should be an API to get the credentials
 > >  > > presented for IPsec back up to the app. My
 > >  > > understanding is that Microsoft doesn't provide
 > >  > > any kernel API at all, and I didn't immediately
 > >  > > see anything in PFKEY, though I didn't look hard
 > >  > > so feel free to flame me.
 > >  > > 
 > >  > > If there's not such an API, what was the reason?
 > >  > > This would seem like a pretty heavy burden to
 > >  > > recreate all of the identity machinery at the app
 > >  > > level to cover this attack.
 > >  > > 
 > >  > > 	       Mike
 > >  > 
 > >  > -- 
 > >  >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
 > >  >        Member, MIT Student Information Processing Board  (SIPB)
 > >  >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
 > >  >        warlord@MIT.EDU                        PGP key available
 > 
 > -- 
 >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
 >        Member, MIT Student Information Processing Board  (SIPB)
 >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
 >        warlord@MIT.EDU                        PGP key available
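Added example, not part of the thread or any of the implementations it names: a minimal application-layer cross-check of the kind Mike is asking for, written in Python. It assumes a hypothetical `ipsec_peer_identity()` call that returns the IKE identity for a socket's 5-tuple; since the thread's point is that no such API exists, that call is backed here by a constructed table. The SIP messages and addresses are constructed to reproduce the exchange above, where the SA is authenticated as mike@mtcc.com but the INVITE claims a different From identity.

```python
import re
from typing import Optional, Tuple

# A flow is identified by its 5-tuple: (protocol, src_ip, src_port, dst_ip, dst_port).
FiveTuple = Tuple[str, str, int, str, int]

# Constructed stand-in for the kernel's SA database. The thread's complaint is
# that no real API hands the IKE identity of a transport-mode SA up to the
# application, so this table is an assumption about what such an API would
# return, keyed by the flow the SA protects.
SA_TABLE = {
    ("udp", "10.0.0.5", 5060, "10.0.0.9", 5060): "mike@mtcc.com",
}


def ipsec_peer_identity(flow: FiveTuple) -> Optional[str]:
    """Hypothetical API: the IKE identity (here a user FQDN) authenticated for
    the SA that protects `flow`, or None when the flow is not IPsec-protected."""
    return SA_TABLE.get(flow)


# From header (compact form 'f:' allowed): optional display name, optional
# angle brackets and sip:/sips: scheme; the identity is the user@host part.
_FROM_RE = re.compile(
    r"^(?:From|f):\s*(?:[^<\r\n]*<)?(?:sips?:)?([^@<>\s;:]+@[^>;\s]+)", re.I
)


def sip_from_identity(request: str) -> Optional[str]:
    """Extract user@host from the From header of a SIP request, or None."""
    for line in request.splitlines():
        m = _FROM_RE.match(line)
        if m:
            return m.group(1).lower()
    return None


def cross_check(flow: FiveTuple, request: str) -> Tuple[bool, str]:
    """Accept the request only if its L7 identity is the IPsec peer identity.

    This is the simple case from the thread (both layers name the same
    principal). Where they legitimately differ, the equality test becomes a
    policy lookup, but the shape of the check is unchanged."""
    ike_id = ipsec_peer_identity(flow)
    if ike_id is None:
        return False, "flow is not IPsec-protected; no peer identity to check"
    l7_id = sip_from_identity(request)
    if l7_id is None:
        return False, "request carries no From identity"
    if l7_id != ike_id.lower():
        return False, f"L7 identity {l7_id} does not match IPsec peer {ike_id}"
    return True, f"L7 identity {l7_id} matches IPsec peer {ike_id}"


# Constructed sample traffic reproducing the exchange in the thread: the SA
# was authenticated as mike@mtcc.com, but the INVITE claims to be from George.
PEER_FLOW: FiveTuple = ("udp", "10.0.0.5", 5060, "10.0.0.9", 5060)

FORGED_INVITE = (
    "INVITE sip:server@server.com SIP/2.0\r\n"
    "From: gwb@whitehouse.gov\r\n"
    "To: <sip:server@server.com>\r\n"
    "Call-ID: constructed-1\r\n"
    "\r\n"
)

HONEST_INVITE = (
    "INVITE sip:server@server.com SIP/2.0\r\n"
    'From: "Mike" <sip:mike@mtcc.com>;tag=1928\r\n'
    "To: <sip:server@server.com>\r\n"
    "Call-ID: constructed-2\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, msg in (("forged", FORGED_INVITE), ("honest", HONEST_INVITE)):
        ok, why = cross_check(PEER_FLOW, msg)
        print(f"{label}: {'200 OK' if ok else '403 Forbidden'} ({why})")
```

The check refuses the forged INVITE and also refuses any request arriving on a flow the SA database does not know, which is the failure mode Mike's question implies: without a way to read the IPsec identity back, the application cannot tell an authenticated peer from an unprotected one and has to rebuild its own identity machinery.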

