
Re: application layer cross checking



On Thu, 3 May 2001, Michael Thomas wrote:
>    ...I'm aware that there may be situations
>    where the two may differ, but there are probably 
>    an equal number where identities are the same, so
>    why should each application have to roll its own
>    identity module in that case?

If the application is passing around its own identities, then it is
perfectly reasonable for the application to have its own means of
verifying them.  Even in your own example, note that IPsec works almost
entirely in terms of IP addresses, and the identity you're claiming it
should verify is based on a host *name*.  Not the same thing at all,
and the mapping between them is non-trivial.

What IPsec perhaps *should* have an API for, is for asking "how sure are
you that packets claiming to be from 10.20.30.40 are really from him?"
(or, perhaps better, to say "I'm opening a connection to 10.20.30.40,
please give me only packets that you are sure came from him").  It will
still be necessary, in general, for an application to do its own thinking
about what that assurance implies.

What IPsec authentication gives us, ideally, is a world in which it is
impossible to forge source addresses or alter packet contents.  While that
is useful, it is by no means the answer to all authentication problems. 

                                                          Henry Spencer
                                                       henry@spsystems.net


