Re: application layer cross checking
Stephen Kent writes:
> At 2:36 PM -0700 5/3/01, Michael Thomas wrote:
> >Derek Atkins writes:
> > > Because applications may not be ipsec peers... Or, in most cases,
> > > ipsec will be host-based, not user-based?
> >
> > This seems like a rather single user PC based
> > mentality. If we were running a multiuser timesharing
> > system, being able to supply credentials on a per
> > user basis would be rather necessary, no? Or
> > perhaps I have a smart card which does the
> > signatures which identifies me regardless of
> > which machine I'm using, etc, etc. I don't see
> > what prevents the SPD from having rules like
> > "for 5-tuple [a,b,c,d,e], demand credentials in
> > realm X" where those credentials might require
> > a human to insert a piece of hardware, or type
> > into a dialog box slapped up by the keying
> > daemon, or whatever.
>
> The SPD is a means of specifying access controls and security
> services for traffic at layer 3. It would be inappropriate to do
> what you suggest here.
[???]
What does that have to do with the means that
you supply those rules into the SPD, and checking
up on who was authenticated to those rules in
the SADB?
I can't believe you're seriously suggesting that
the SPD shouldn't be able to deal with rules like:
"to [src=*, dst=me, proto=UDP, sport=*, dport=1234]
method=EXTERNAL, callout=GetSmartCardSignFromLuser(),
realm=fOoThEFunLoVIngbAR".
This is purely a local implementation issue.
Likewise, an API which allows you to view the rule and
credentials which a particular SA authenticated with
-- or not -- is also purely a local implementation
issue.
How can that possibly be "inappropriate"? It's my
machine, after all.
Mike
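The kind of SPD rule and SADB lookup argued for in the message above, as an added, constructed model (not code from the thread or from any IPsec implementation): a 5-tuple selector with wildcards, a per-rule method of HOST (machine keys) or EXTERNAL (a credential callout in a given realm), and an SADB that records which rule and credential each SA was established under so an application can cross-check later. The callout hook, `Credential` type and `SADB` class are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Flow = Tuple[str, str, str, str, str]   # (src, dst, proto, sport, dport)


@dataclass(frozen=True)
class Credential:
    realm: str      # realm the credential was issued in
    subject: str    # whom it identifies (a user, not a host)


@dataclass(frozen=True)
class SPDRule:
    selector: Flow                 # "*" in any field is a wildcard
    method: str                    # "HOST" or "EXTERNAL"
    realm: str = "*"               # realm an EXTERNAL credential must come from
    callout: Optional[Callable[[], Optional[Credential]]] = None  # assumed hook

    def matches(self, flow: Flow) -> bool:
        return all(r == "*" or r == f for r, f in zip(self.selector, flow))


class SADB:
    """Maps SA ids to (rule, credential) so an application can ask what authenticated an SA."""

    def __init__(self) -> None:
        self.entries: Dict[int, Tuple[SPDRule, Optional[Credential]]] = {}
        self._next = 1

    def add(self, rule: SPDRule, cred: Optional[Credential]) -> int:
        sa_id, self._next = self._next, self._next + 1
        self.entries[sa_id] = (rule, cred)
        return sa_id

    def lookup(self, sa_id: int) -> Tuple[SPDRule, Optional[Credential]]:
        return self.entries[sa_id]


def establish_sa(spd: List[SPDRule], sadb: SADB, flow: Flow) -> Optional[int]:
    """First-match SPD lookup; an EXTERNAL rule must obtain a credential in its realm."""
    for rule in spd:
        if not rule.matches(flow):
            continue
        if rule.method == "HOST":
            return sadb.add(rule, None)            # host keys only, no user credential
        cred = rule.callout() if rule.callout else None
        if cred is None or (rule.realm != "*" and cred.realm != rule.realm):
            return None                            # no credential or wrong realm: refuse
        return sadb.add(rule, cred)
    return None                                    # no matching rule: drop
```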