
Re: application layer cross checking




Agreed. Even if the OS would pass the username or userid from
one end to another (by means of some other protocol) you still
need to challenge that id. Besides, it's called IPsec and meant
for secure communication through an IP network; application
level authentication is a different matter. You could do that
though, but it will not fit into the layered approach.

Ramin


On Thu, May 03, 2001 at 03:45:32PM -0400, Derek Atkins wrote:

> Because applications may not be ipsec peers...  Or, in most cases,
> ipsec will be host-based, not user-based?
> 
> -derek
> 
> Michael Thomas <mat@cisco.com> writes:
> 
> > Derek Atkins writes:
> >  > There is (currently) no API available to do what you want.
> >  > One reason is that IPSec authentication need not be user-based
> >  > authentication, so how would you pass that up to an application
> >  > and what good would it do?
> > 
> >    Well, for one thing it could prevent this attack. Isn't
> >    that enough? I'm aware that there may be situations
> >    where the two may differ, but there are probably 
> >    an equal number where identities are the same, so
> >    why should each application have to roll its own
> >    identity module in that case?
> > 
> > 		  Mike
> > 
> >  > 
> >  > -derek
> >  > 
> >  > Michael Thomas <mat@cisco.com> writes:
> >  > 
> >  > > I've had a nagging question for a long time which
> >  > > I'm hoping that somebody can shed some light on.
> >  > > 
> >  > > Suppose I have a linux box running Freeswan
> >  > > talking to a Solaris 8 box. Suppose also that we
> >  > > have a way to mutually authenticate each other at
> >  > > the IPsec level (pre-shared, certs, whatever).
> >  > > Suppose also that this is just a transport mode
> >  > > SA. Is there any API which prevents the following
> >  > > kind of attack?
> >  > > 
> >  > > Mike's-box		Server
> >  > > ------------------------------
> >  > > ----------------------------->
> >  > > IKE: DN=mike@mtcc.com
> >  > > 
> >  > > <-----------------------------
> >  > > IKE: DN=server@server.com
> >  > > 
> >  > > ----------------------------->
> >  > > SIP: INVITE 
> >  > > From: gwb@whitehouse.gov
> >  > > [...]
> >  > > 
> >  > > <-----------------------------
> >  > > 200 OK, George
> >  > > 
> >  > > 
> >  > > Ie, that I can authenticate myself for IPsec, but
> >  > > forge my credentials at L7. I would expect that
> >  > > there should be an API to get the credentials
> >  > > presented for IPsec back up to the app. My
> >  > > understanding is that Microsoft doesn't provide
> >  > > any kernel API at all, and I didn't immediately
> >  > > see anything in PFKEY, though I didn't look hard
> >  > > so feel free to flame me.
> >  > > 
> >  > > If there's not such an API, what was the reason?
> >  > > This would seem like a pretty heavy burden to
> >  > > recreate all of the identity machinery at the app
> >  > > level to cover this attack.
> >  > > 
> >  > > 	       Mike
> >  > 
> >  > -- 
> >  >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >  >        Member, MIT Student Information Processing Board  (SIPB)
> >  >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> >  >        warlord@MIT.EDU                        PGP key available
> 
> -- 
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available

-- 
Ramin Alidousti                                         ramin@UU.NET
Advanced Development                             tel +1 703 886 2640
UUNET, A WorldCom Company                        fax +1 703 886 0536
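
As an added illustration of the cross-check discussed in this thread (example code written for this archive page; it is not from any of the posters, nor from FreeS/WAN, Solaris or any SIP stack), the following Python sketch assumes a hypothetical function `ipsec_peer_identity(local_addr, remote_addr)` standing in for the kernel API Mike asks about, backed here by a constructed table of transport-mode SAs and the IKE identities they were authenticated with. A server can then refuse a request whose application-layer (SIP From) identity disagrees with the identity the IPsec SA was negotiated under, which is the "challenge that id" step Ramin describes. The INVITE messages and addresses below are constructed sample data.

```python
import re
from typing import Optional, Tuple

# Constructed sample SA table: (local_addr, remote_addr) -> IKE identity the
# peer authenticated with. In real life this is what a kernel/PF_KEY-style
# API would have to expose; no such call is assumed to exist.
SA_PEER_IDENTITY = {
    ("198.51.100.7", "192.0.2.10"): "mike@mtcc.com",  # server <-> Mike's box
}


def ipsec_peer_identity(local_addr: str, remote_addr: str) -> Optional[str]:
    """Hypothetical stand-in for a kernel API: return the IKE identity of the
    peer on the SA carrying traffic between these addresses, or None if the
    traffic is not protected by any SA we know about."""
    return SA_PEER_IDENTITY.get((local_addr, remote_addr))


# Matches "From: user@host", "From: <sip:user@host>" and
# 'From: "Display Name" <sip:user@host>;tag=...' (first From header only).
_FROM_RE = re.compile(
    r'^From:\s*(?:"[^"]*"\s*)?<?(?:sip:)?([^<>@\s;]+@[^<>\s;]+)',
    re.IGNORECASE | re.MULTILINE,
)


def sip_from_identity(message: str) -> Optional[str]:
    """Extract the user@host identity asserted in the SIP From header."""
    m = _FROM_RE.search(message)
    return m.group(1).lower() if m else None


def cross_check(message: str, local_addr: str, remote_addr: str) -> Tuple[bool, str]:
    """Accept the request only if the L7 identity matches the IPsec SA identity.

    Returns (accepted, reason). Any missing piece is treated as a failure:
    an unprotected connection or a request without a From identity is
    rejected rather than passed through."""
    sa_id = ipsec_peer_identity(local_addr, remote_addr)
    if sa_id is None:
        return False, "no IPsec SA for this peer"
    claimed = sip_from_identity(message)
    if claimed is None:
        return False, "no From identity in request"
    if claimed != sa_id.lower():
        return False, f"L7 identity {claimed!r} does not match SA identity {sa_id!r}"
    return True, "L7 identity matches SA identity"


# Constructed sample requests, modelled on the exchange in the thread.
FORGED_INVITE = (
    "INVITE sip:server@server.com SIP/2.0\r\n"
    "From: gwb@whitehouse.gov\r\n"
    "To: <sip:server@server.com>\r\n\r\n"
)
HONEST_INVITE = (
    "INVITE sip:server@server.com SIP/2.0\r\n"
    'From: "Mike" <sip:mike@mtcc.com>;tag=1234\r\n'
    "To: <sip:server@server.com>\r\n\r\n"
)

if __name__ == "__main__":
    for label, msg in (("forged", FORGED_INVITE), ("honest", HONEST_INVITE)):
        ok, why = cross_check(msg, "198.51.100.7", "192.0.2.10")
        print(f"{label}: {'200 OK' if ok else '403 Forbidden'} ({why})")
```

The check is deliberately fail-closed: if the SA lookup returns nothing, the request is not silently accepted on the strength of its own headers. Whether the SA identity and the application identity are in fact the same principal is, as Derek points out, a deployment question; where IPsec is host-based the comparison needs a host-to-user mapping rather than the string equality shown here.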

