
Re: application layer cross checking



Henry Spencer writes:
 > On Thu, 3 May 2001, Michael Thomas wrote:
 > >    ...I'm aware that there may be situations
 > >    where the two may differ, but there are probably 
 > >    an equal number where identities are the same, so
 > >    why should each application have to roll its own
 > >    identity module in that case?
 > 
 > If the application is passing around its own identities, then it is
 > perfectly reasonable for the application to have its own means of
 > verifying them.

   I don't know about you, but I don't know many
   applications that actually do that. Even fewer
   which do that with strong authentication. The
   prospect of getting applications -- and their
   on the wire protocols -- to do the right thing
   here is, IMO, pretty dismal.

 > Even in your own example, note that IPsec works almost
 > entirely in terms of IP addresses, and the identity you're claiming it
 > should verify is based on a host *name*.  Not the same thing at all,
 > and the mapping between them is non-trivial.

   Well, explicit coupling of identity to IP
   addresses isn't exactly without its own set
   of problems (cf HIP, multihoming, mobility,
   etc). But I don't think we even need to raise
   _that_ spectre: if you're using a wildcarded
   rule on the incoming IP address for a
   particular destination port that it is 
   required to authenticate into a particular
   realm before it passes that access check, 
   being able to check which credentials were
   *actually* passed to create the SA is nothing
   different than allowing recvfrom() to pass
   the incoming dst IP address as a means of identity.
   The stack, after all, doesn't care *what* the
   credentials name, it just wants to know whether
   to permit the traffic based upon the rule. 

 > What IPsec perhaps *should* have an API for, is for asking "how sure are
 > you that packets claiming to be from 10.20.30.40 are really from him?"
 > (or, perhaps better, to say "I'm opening a connection to 10.20.30.40,
 > please give me only packets that you are sure came from him").  It will
 > still be necessary, in general, for an application to do its own thinking
 > about what that assurance implies.

   I don't think this is entirely dissimilar to what
   I'm saying, though I don't think the IP address
   coupling is necessary to do what I'm thinking
   of. What I'm extremely skeptical of is having 
   each application re-create IKE and its kin.
   Ugh. You might as well just chuck IPsec
   altogether and use TLS. And chuck transport
   mode while you're at it.

	      Mike
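The access check Mike describes (a wildcarded rule on the incoming address for one destination port, which the peer must first have authenticated into a particular realm to pass) and the application-layer cross check of the credential name handed up from the SA, as an added Python model. This is illustration code written for this archive page, not part of the thread and not an IPsec stack or IKE implementation; the `Rule` and `SecurityAssociation` structures, the realm-derivation convention and all sample values are assumptions.

```python
"""Toy model of the access check discussed above: a wildcarded rule on the
incoming address for one destination port, which the peer must first have
authenticated into a given realm to pass, plus the application-layer cross
check of the credential name handed up from the SA.  Added illustration
code, not an IPsec stack or IKE implementation; the Rule and
SecurityAssociation structures, the realm derivation and the sample values
are all assumptions."""
from dataclasses import dataclass
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class SecurityAssociation:
    peer_addr: str              # address the packets claim to come from
    ike_id: Optional[str]       # identity proven when the SA was set up; None = no IPsec

    @property
    def realm(self) -> Optional[str]:
        """Realm the credential belongs to (assumed convention: the part after
        '@' for user ids, the domain after the first label for FQDNs)."""
        if self.ike_id is None:
            return None
        if "@" in self.ike_id:
            return self.ike_id.split("@", 1)[1]
        if "." in self.ike_id:
            return self.ike_id.split(".", 1)[1]
        return None


@dataclass(frozen=True)
class Rule:
    dst_port: int
    src_prefix: str             # "0.0.0.0/0" is the wildcarded source rule
    required_realm: str


def rule_matches(rule: Rule, src_addr: str, dst_port: int) -> bool:
    """Selector match only: destination port and (possibly wildcarded) source."""
    return (dst_port == rule.dst_port
            and ipaddress.ip_address(src_addr) in ipaddress.ip_network(rule.src_prefix))


def stack_permits(rule: Rule, sa: SecurityAssociation, dst_port: int) -> bool:
    """What the stack decides.  It does not care *what* the credential names,
    only that traffic matching the rule arrived over an SA whose credential
    was authenticated into the required realm."""
    if not rule_matches(rule, sa.peer_addr, dst_port):
        return False
    return sa.realm is not None and sa.realm == rule.required_realm


def assurance(sa: SecurityAssociation) -> str:
    """The 'how sure are you that these packets are from him?' query:
    'none' for plaintext, 'authenticated' when an IKE-proven identity exists."""
    return "authenticated" if sa.ike_id is not None else "none"


def app_cross_check(sa: SecurityAssociation, expected_id: str) -> bool:
    """Application-layer cross check.  The credential name is handed up the
    way recvfrom() hands up the source address, and compared with the
    identity the application itself expects.  Because it compares names,
    not addresses, there is no address-to-name mapping to get wrong."""
    return sa.ike_id is not None and sa.ike_id == expected_id


if __name__ == "__main__":
    # Constructed sample: wildcarded source, port 22, realm example.com.
    ssh_rule = Rule(dst_port=22, src_prefix="0.0.0.0/0", required_realm="example.com")
    sa = SecurityAssociation("10.20.30.40", "host.example.com")
    print(stack_permits(ssh_rule, sa, 22), app_cross_check(sa, "host.example.com"))
```

The split between `stack_permits` and `app_cross_check` is the point of the model: two peers in the same realm both pass the stack's rule, and only the application, comparing the credential name against the name it expects, tells them apart.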

