
Re: application layer cross checking



At 12:52 PM 5/3/01 -0700, Michael Thomas wrote:
>Derek Atkins writes:
> > Because applications may not be ipsec peers...  Or, in most cases,
> > ipsec will be host-based, not user-based?
>
>   What's the difference? Why shouldn't I be able to
>   tell the socket layer which identity I want it 
>   to use for a particular 5-tuple, and the receiving
>   end be able to verify that, including the application
>   layer being able to cross check? 
> 
>   If you can't do that, it sure seems like transport
>   mode is severely hamstrung. As in, why bother?

Aren't there more hardware acceleration products available for use with
IPSEC vs. doing data encryption at the application layer?

Jonathan

>
>	   Mike
>
> > 
> > -derek
> > 
> > Michael Thomas <mat@cisco.com> writes:
> > 
> > > Derek Atkins writes:
> > >  > There is (currently) no API available to do what you want.
> > >  > One reason is that IPSec authentication need not be user-based
> > >  > authentication, so how would you pass that up to an application
> > >  > and what good would it do?
> > > 
> > >    Well, for one thing it could prevent this attack. Isn't
> > >    that enough? I'm aware that there may be situations
> > >    where the two may differ, but there are probably 
> > >    an equal number where identities are the same, so
> > >    why should each application have to roll its own
> > >    identity module in that case?
> > > 
> > > 		  Mike
> > > 
> > >  > 
> > >  > -derek
> > >  > 
> > >  > Michael Thomas <mat@cisco.com> writes:
> > >  > 
> > >  > > I've had a nagging question for a long time which
> > >  > > I'm hoping that somebody can shed some light on.
> > >  > > 
> > >  > > Suppose I have a linux box running Freeswan
> > >  > > talking to a Solaris 8 box. Suppose also that we
> > >  > > have a way to mutually authenticate each other at
> > >  > > the IPsec level (pre-shared, certs, whatever).
> > >  > > Suppose also that this is just a transport mode
> > >  > > SA. Is there any API which prevents the following
> > >  > > kind of attack?
> > >  > > 
> > >  > > Mike's-box		Server
> > >  > > ------------------------------
> > >  > > ----------------------------->
> > >  > > IKE: DN=mike@mtcc.com
> > >  > > 
> > >  > > <-----------------------------
> > >  > > IKE: DN=server@server.com
> > >  > > 
> > >  > > ----------------------------->
> > >  > > SIP: INVITE 
> > >  > > From: gwb@whitehouse.gov
> > >  > > [...]
> > >  > > 
> > >  > > <-----------------------------
> > >  > > 200 OK, George
> > >  > > 
> > >  > > 
> > >  > > I.e., that I can authenticate myself for IPsec, but
> > >  > > forge my credentials at L7. I would expect that
> > >  > > there should be an API to get the credentials
> > >  > > presented for IPsec back up to the app. My
> > >  > > understanding is that Microsoft doesn't provide
> > >  > > any kernel API at all, and I didn't immediately
> > >  > > see anything in PFKEY, though I didn't look hard
> > >  > > so feel free to flame me.
> > >  > > 
> > >  > > If there's not such an API, what was the reason?
> > >  > > This would seem like a pretty heavy burden to
> > >  > > recreate all of the identity machinery at the app
> > >  > > level to cover this attack.
> > >  > > 
> > >  > > 	       Mike
> > >  > 
> > >  > -- 
> > >  >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > >  >        Member, MIT Student Information Processing Board  (SIPB)
> > >  >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> > >  >        warlord@MIT.EDU                        PGP key available
> > 
> > -- 
> >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >        Member, MIT Student Information Processing Board  (SIPB)
> >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> >        warlord@MIT.EDU                        PGP key available
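An added example, not written by any participant in this thread: the application-layer cross-check Mike is asking for, sketched in Python. The function `ipsec_peer_identity_for_socket()` is hypothetical and stands in for the kernel API the thread says did not exist; it would return the IKE identity authenticated for the socket's 5-tuple. The SIP INVITEs and the socket record are constructed from the diagram above, so the forged `From: gwb@whitehouse.gov` INVITE is rejected while the same INVITE from `mike@mtcc.com` is accepted.

```python
"""Cross-check the IPsec-authenticated peer identity against the SIP From URI.

Added example, not code from the thread.  ipsec_peer_identity_for_socket()
is a hypothetical stand-in for an API that hands the IKE-authenticated
identity of the transport-mode SA up to the application.
"""
import re

# Constructed sample: the forged INVITE from the thread's diagram.
FORGED_INVITE = (
    "INVITE sip:server@server.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP mikes-box.mtcc.com;branch=z9hG4bK776\r\n"
    "From: \"George\" <sip:gwb@whitehouse.gov>;tag=1928301774\r\n"
    "To: <sip:server@server.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "\r\n"
)

# Constructed sample: the same INVITE with a From that matches the IKE identity.
HONEST_INVITE = (
    FORGED_INVITE.replace("gwb@whitehouse.gov", "mike@mtcc.com")
    .replace('"George"', '"Mike"')
)

# Constructed socket record; in the thread's scenario IKE authenticated
# the peer as mike@mtcc.com (shown there as DN=mike@mtcc.com).
MIKES_SOCKET = {"peer_ike_id": "DN=mike@mtcc.com"}


def parse_sip_headers(msg):
    """Return {lowercased header name: value} for a SIP request (request line skipped)."""
    head, _, _body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers


def from_identity(msg):
    """Extract user@host from the From header, ignoring display name, scheme and ;tag."""
    raw = parse_sip_headers(msg).get("from")
    if raw is None:
        raise ValueError("no From header")
    if "<" in raw and ">" in raw:
        addr = raw[raw.index("<") + 1:raw.index(">")]      # name-addr form
    else:
        addr = raw.split(";", 1)[0].strip()                  # addr-spec form
    addr = re.sub(r"^sips?:", "", addr, flags=re.IGNORECASE)
    if "@" not in addr:
        raise ValueError("From has no user@host: %r" % raw)
    return addr.lower()


def ipsec_peer_identity_for_socket(sock):
    """Hypothetical API: the IKE identity authenticated for this socket's 5-tuple."""
    return sock["peer_ike_id"]


def normalize_ike_id(ike_id):
    """Reduce an email-shaped IKE identity (with or without a DN= prefix) to user@host."""
    ike_id = ike_id.strip()
    if ike_id.upper().startswith("DN="):
        ike_id = ike_id[3:]
    return ike_id.lower()


def cross_check(sock, sip_msg):
    """Accept the request only if the L7 From identity equals the IPsec peer identity."""
    peer = normalize_ike_id(ipsec_peer_identity_for_socket(sock))
    claimed = from_identity(sip_msg)
    if claimed != peer:
        return False, "From %s does not match IPsec peer identity %s" % (claimed, peer)
    return True, "From matches IPsec peer identity %s" % peer


if __name__ == "__main__":
    for label, msg in (("forged", FORGED_INVITE), ("honest", HONEST_INVITE)):
        ok, why = cross_check(MIKES_SOCKET, msg)
        print(label, "->", "200 OK" if ok else "403 Forbidden", "(%s)" % why)
```

The check only works when the IKE identity is user-shaped, which is Derek's objection in the thread: a host-based SA authenticates a machine, not a user, so the comparison would have to go through a policy that says which users a given host identity is allowed to speak for, rather than a direct string match.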


