Re: application layer cross checking
nuqneH,
The API should make things easier to control: you can tell your application
to, say, "allow reusable passwords if your link is protected with reasonable
crypto" or something - instead of configuring trusted ip address range and
configuring policy for those addresses.
AFAIR there was a feature like that in Cisco PIX ;)
Michael Thomas <mat@cisco.com> said:
> > Even in your own example, note that IPsec works almost
> > entirely in terms of IP addresses, and the identity you're claiming it
> > should verify is based on a host *name*. Not the same thing at all,
> > and the mapping between them is non-trivial.
>
> Well, explicit coupling of identity to IP
> addresses isn't exactly without its own set
> of problems (cf HIP, multihoming, mobility,
> etc). But I don't think we even need to raise
> _that_ spectre: if you're using a wildcarded
> rule on the incoming IP address for a
> particular destination port that it is
> required to authenticate into a particular
> realm before it passes that access check,
> being able to check which credentials were
> *actually* passed to create the SA is nothing
> different than allowing recvfrom() to pass
> the incoming dst IP address as a means of identity.
> The stack, after all, doesn't care *what* the
> credentials name, it just wants to know whether
> to permit the traffic based upon the rule.
>
> > What IPsec perhaps *should* have an API for, is for asking "how sure are
> > you that packets claiming to be from 10.20.30.40 are really from him?"
> > (or, perhaps better, to say "I'm opening a connection to 10.20.30.40,
> > please give me only packets that you are sure came from him"). It will
> > still be necessary, in general, for an application to do its own thinking
> > about what that assurance implies.
>
> I don't think this is entirely dissimilar to what
> I'm saying, though I don't think the IP address
> coupling is necessary to do what I'm thinking
> of. What I'm extremely skeptical of is having
> each application re-create IKE and its kin.
> Ugh. You might as well just chuck IPsec
> altogether and use TLS. And chuck transport
> mode while you're at it.
_ _ _ _ _ _ _
{::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
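As an added illustration of the application-layer check argued for in this thread (example code, not from the thread or from any IPsec implementation), here is a small Python model: the application asks a hypothetical `sa_for_connection()` query what protects a socket and decides from the SA's cipher and authenticated peer *name*, rather than from the source IP address, whether a reusable password may be accepted. The SA table, cipher list and host names are constructed assumptions.

```python
"""Model of the application-layer cross check discussed in the thread.

Constructed example: the application queries a hypothetical IPsec layer for
the SA protecting a connection and applies its own policy to the answer.
Nothing here is a real kernel, PF_KEY or IKE API.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Ciphers this application treats as "reasonable crypto" (assumption).
STRONG_CIPHERS = {"aes-cbc-128", "aes-gcm-128", "aes-gcm-256"}


@dataclass
class SAInfo:
    peer_identity: str   # name the peer proved during IKE, not an IP address
    auth_method: str     # how the SA was authenticated: "rsa-sig", "psk", ...
    cipher: str          # ESP cipher protecting the SA


# Constructed SA table keyed by (remote_ip, local_port). Real stacks index
# SAs differently; this only stands in for the "what protects this socket?" query.
SA_TABLE = {
    ("10.20.30.40", 22): SAInfo("mail.example.test", "rsa-sig", "aes-gcm-128"),
    ("10.20.30.41", 22): SAInfo("mail.example.test", "rsa-sig", "null"),
    ("10.20.30.42", 22): SAInfo("other.example.test", "psk", "aes-gcm-128"),
}


def sa_for_connection(remote_ip: str, local_port: int) -> Optional[SAInfo]:
    """Hypothetical lookup; None means the connection is plaintext."""
    return SA_TABLE.get((remote_ip, local_port))


def allow_reusable_password(remote_ip: str, local_port: int,
                            expected_peer: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Policy keys on the SA, never on the address."""
    sa = sa_for_connection(remote_ip, local_port)
    if sa is None:
        return False, "no SA: connection is not IPsec protected"
    if sa.cipher not in STRONG_CIPHERS:
        return False, f"weak or null cipher on SA: {sa.cipher}"
    if sa.peer_identity != expected_peer:
        # The IP matched the rule, but the credential names someone else.
        return False, f"SA authenticated {sa.peer_identity!r}, expected {expected_peer!r}"
    return True, f"{sa.peer_identity} proved via {sa.auth_method} over {sa.cipher}"
```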