
Re: application layer cross checking




nuqneH,

The API should make things easier to control: you can tell your application
to, say, "allow reusable passwords if your link is protected with reasonable
crypto" or something - instead of configuring a trusted IP address range and
configuring policy for those addresses.

AFAIR there was a feature like that in Cisco PIX ;)


Michael Thomas <mat@cisco.com> said :

 >  > Even in your own example, note that IPsec works almost
 >  > entirely in terms of IP addresses, and the identity you're claiming it
 >  > should verify is based on a host *name*.  Not the same thing at all,
 >  > and the mapping between them is non-trivial.
 > 
 >    Well, explicit coupling of identity to IP
 >    addresses isn't exactly without its own set
 >    of problems (cf HIP, multihoming, mobility,
 >    etc). But I don't think we even need to raise
 >    _that_ spectre: if you're using a wildcarded
 >    rule on the incoming IP address for a
 >    particular destination port that it is 
 >    required to authenticate into a particular
 >    realm before it passes that access check, 
 >    being able to check which credentials were
 >    *actually* passed to create the SA is nothing
 >    different than allowing recvfrom() to pass
 >    the incoming dst IP address as a means of identity.
 >    The stack, after all, doesn't care *what* the
 >    credentials name, it just wants to know whether
 >    to permit the traffic based upon the rule. 
 > 
 >  > What IPsec perhaps *should* have an API for, is for asking "how sure are
 >  > you that packets claiming to be from 10.20.30.40 are really from him?"
 >  > (or, perhaps better, to say "I'm opening a connection to 10.20.30.40,
 >  > please give me only packets that you are sure came from him").  It will
 >  > still be necessary, in general, for an application to do its own thinking
 >  > about what that assurance implies.
 > 
 >    I don't think this is entirely dissimilar to what
 >    I'm saying, though I don't think the IP address
 >    coupling is necessary to do what I'm thinking
 >    of. What I'm extremely skeptical of is having 
 >    each application re-create IKE and its kin.
 >    Ugh. You might as well just chuck IPsec
 >    altogether and use TLS. And chuck transport
 >    mode while you're at it.

                                      _     _  _  _  _      _  _
  {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
  (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
  [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

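
The policy discussed in this message ("allow reusable passwords if your link is protected with reasonable crypto", keyed on the credentials that created the SA rather than on the source address), sketched in C as an added example that is not code from the thread or from any IPsec implementation. `struct sa_info`, `allowed_auth()`, the 128-bit threshold and the realm-suffix match are all assumptions made for illustration; no real stack exposes this structure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical descriptor an IPsec-aware stack could hand to the application
 * for a connection. None of these names come from a real API. */
struct sa_info {
    bool        present;    /* false: traffic did not arrive over an SA */
    bool        encrypted;  /* a confidentiality transform was negotiated */
    bool        integrity;  /* an integrity algorithm was negotiated */
    unsigned    key_bits;   /* negotiated cipher key length */
    const char *peer_id;    /* identity in the credentials that created the SA */
};

enum { AUTH_ONE_TIME = 1 << 0, AUTH_REUSABLE_PW = 1 << 1 };

/* True when id is "user@realm" or "host.realm" for the required realm.
 * Assumes both strings are already normalised to lower case. */
static bool id_in_realm(const char *id, const char *realm)
{
    if (id == NULL || realm == NULL || *realm == '\0')
        return false;
    size_t il = strlen(id), rl = strlen(realm);
    if (il < rl + 2)
        return false;       /* need a local part plus a separator */
    const char *tail = id + (il - rl);
    char sep = tail[-1];
    /* The separator check stops "evilcorp.example" matching "corp.example". */
    return (sep == '@' || sep == '.') && strcmp(tail, realm) == 0;
}

/* Decide which login mechanisms to offer from how the link is protected and
 * who authenticated the SA, not from the source IP address. Fails closed:
 * anything missing or weak leaves only one-time credentials. */
unsigned allowed_auth(const struct sa_info *sa, const char *required_realm)
{
    unsigned methods = AUTH_ONE_TIME;
    if (sa == NULL || !sa->present)
        return methods;     /* no SA: treat the link as cleartext */
    if (!sa->encrypted || !sa->integrity || sa->key_bits < 128)
        return methods;     /* weak or authentication-only protection */
    if (!id_in_realm(sa->peer_id, required_realm))
        return methods;     /* SA exists, but built with other credentials */
    return methods | AUTH_REUSABLE_PW;
}
```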
