Re: application layer cross checking
Henry Spencer writes:
> On Thu, 3 May 2001, Michael Thomas wrote:
> > ...I'm aware that there may be situations
> > where the two may differ, but there are probably
> > an equal number where identities are the same, so
> > why should each application have to roll its own
> > identity module in that case?
>
> If the application is passing around its own identities, then it is
> perfectly reasonable for the application to have its own means of
> verifying them.
I don't know about you, but I don't know many
applications that actually do that. Even fewer
which do that with strong authentication. The
prospect of getting applications -- and their
on the wire protocols -- to do the right thing
here is, IMO, pretty dismal.
> Even in your own example, note that IPsec works almost
> entirely in terms of IP addresses, and the identity you're claiming it
> should verify is based on a host *name*. Not the same thing at all,
> and the mapping between them is non-trivial.
Well, explicit coupling of identity to IP
addresses isn't exactly without its own set
of problems (cf HIP, multihoming, mobility,
etc). But I don't think we even need to raise
_that_ spectre: if you're using a wildcarded
rule on the incoming IP address for a
particular destination port that it is
required to authenticate into a particular
realm before it passes that access check,
being able to check which credentials were
*actually* passed to create the SA is nothing
different than allowing recvfrom() to pass
the incoming dst IP address as a means of identity.
The stack, after all, doesn't care *what* the
credentials name, it just wants to know whether
to permit the traffic based upon the rule.
> What IPsec perhaps *should* have an API for, is for asking "how sure are
> you that packets claiming to be from 10.20.30.40 are really from him?"
> (or, perhaps better, to say "I'm opening a connection to 10.20.30.40,
> please give me only packets that you are sure came from him"). It will
> still be necessary, in general, for an application to do its own thinking
> about what that assurance implies.
I don't think this is entirely dissimilar to what
I'm saying, though I don't think the IP address
coupling is necessary to do what I'm thinking
of. What I'm extremely skeptical of is having
each application re-create IKE and its kin.
Ugh. You might as well just chuck IPsec
altogether and use TLS. And chuck transport
mode while you're at it.
Mike
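The access check Mike describes above, as an added example that is not part of the original post or of any real IPsec stack: a wildcarded rule on the source address for one destination port is evaluated twice, once the way an application could do it from recvfrom() (source address only) and once against the credential that actually created the SA. The SA table, SPIs, identities, realms and the Packet/SecurityAssociation types are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


# Hypothetical record the stack keeps per SA: the identity that was *actually*
# presented during IKE and the realm it authenticated into. Constructed.
@dataclass(frozen=True)
class SecurityAssociation:
    peer_ip: str
    auth_identity: str
    realm: str


# A packet as handed up by the stack. spi is the SA it was decapsulated
# from; None means it arrived in cleartext, with no SA at all. Constructed.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    spi: Optional[int]


# The wildcarded rule from the post: any source address, one destination
# port, caller must have authenticated into required_realm.
@dataclass(frozen=True)
class PolicyRule:
    src_net: str
    dst_port: int
    required_realm: str


# Constructed SA table keyed by SPI; not from any real implementation.
SA_TABLE: Dict[int, SecurityAssociation] = {
    0x1001: SecurityAssociation("10.20.30.40", "alice@example.org", "engineering"),
    0x1002: SecurityAssociation("10.20.30.41", "bob@example.org", "guests"),
}

RULE = PolicyRule(src_net="0.0.0.0/0", dst_port=5000, required_realm="engineering")


def lookup_sa(pkt: Packet) -> Optional[SecurityAssociation]:
    """Return the SA this packet came through, or None for cleartext.
    The SA's recorded peer address must also match the packet's source."""
    if pkt.spi is None:
        return None
    sa = SA_TABLE.get(pkt.spi)
    if sa is None or sa.peer_ip != pkt.src_ip:
        return None
    return sa


def check_by_address(rule: PolicyRule, pkt: Packet) -> bool:
    """The recvfrom()-style check: address and port only. Any packet that
    carries the right source address passes, SA or not."""
    return (pkt.dst_port == rule.dst_port
            and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src_net))


def check_by_credentials(rule: PolicyRule, pkt: Packet) -> bool:
    """The check the post argues for: decide on the credential that created
    the SA. No SA, or an SA in the wrong realm, means no admission."""
    sa = lookup_sa(pkt)
    return sa is not None and sa.realm == rule.required_realm


def authorize(rule: PolicyRule, pkt: Packet) -> bool:
    """Full rule: the address/port rule matches AND the SA's credential
    satisfies the realm requirement attached to that rule."""
    return check_by_address(rule, pkt) and check_by_credentials(rule, pkt)


if __name__ == "__main__":
    # Constructed packets: the legitimate peer; a cleartext packet bearing the
    # same source address (the address check cannot tell these apart); and a
    # peer that authenticated, but into the wrong realm.
    for p in (Packet("10.20.30.40", 5000, 0x1001),
              Packet("10.20.30.40", 5000, None),
              Packet("10.20.30.41", 5000, 0x1002)):
        print(p.src_ip, p.spi, check_by_address(RULE, p), check_by_credentials(RULE, p), authorize(RULE, p))
```

The second packet is the case the post is about: the address-only check admits it because the address is right, while the credential check refuses it because no SA, and therefore no authenticated identity, stands behind it. The stack does not need to know what the identity means; it only needs to expose which credential created the SA so the rule can be applied.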