
Re: application layer cross checking



I've been thinking about this and I think now I understand what
you're suggesting (sorry for the delay ;-).

On the server you say:

L3: if the remote IP is x.y.z.t
L4: if the local service is xyz
L7: if the remote user is abc

then I accept the connection or in other words: this SPI implies the
above. Is this what you suggested? If that's the case, I agree and
it doesn't even have to be a "transport mode only" thing.

However, I still don't get all the buzz about the APIs.

Ramin


On Thu, May 03, 2001 at 11:55:51AM -0700, Michael Thomas wrote:

> 
> 
> I've had a nagging question for a long time which
> I'm hoping that somebody can shed some light on.
> 
> Suppose I have a linux box running Freeswan
> talking to a Solaris 8 box. Suppose also that we
> have a way to mutually authenticate each other at
> the IPsec level (pre-shared, certs, whatever).
> Suppose also that this is just a transport mode
> SA. Is there any API which prevents the following
> kind of attack?
> 
> Mike's-box		Server
> ------------------------------
> ----------------------------->
> IKE: DN=mike@mtcc.com
> 
> <-----------------------------
> IKE: DN=server@server.com
> 
> ----------------------------->
> SIP: INVITE 
> From: gwb@whitehouse.gov
> [...]
> 
> <-----------------------------
> 200 OK, George
> 
> 
> I.e., that I can authenticate myself for IPsec, but
> forge my credentials at L7. I would expect that
> there should be an API to get the credentials
> presented for IPsec back up to the app. My
> understanding is that Microsoft doesn't provide
> any kernel API at all, and I didn't immediately
> see anything in PFKEY, though I didn't look hard
> so feel free to flame me.
> 
> If there's not such an API, what was the reason?
> This would seem like a pretty heavy burden to
> recreate all of the identity machinery at the app
> level to cover this attack.
> 
> 	       Mike
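As an added example (not code from either message): the cross-check Ramin describes, in Python, where the SA a packet arrived under binds remote IP, local service and the IKE-authenticated identity, and the application refuses a SIP request whose From does not match that identity, which is the forged-credential case in Mike's diagram. The SA record shape, SPI, addresses and SIP message are assumptions; no real PF_KEY call is used.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundSA:
    """What the kernel knows about the SA a packet arrived under (hypothetical record shape)."""
    spi: int
    remote_ip: str      # the IKE-authenticated peer's address
    local_port: int     # the local service the SA was negotiated for
    remote_id: str      # identity IKE authenticated (user-FQDN style, e.g. mike@mtcc.com)


# Constructed SAD with the SA from Mike's example: peer authenticated as mike@mtcc.com,
# transport-mode SA to the local SIP port. SPI and address are sample values.
SAD = {0x1001: InboundSA(0x1001, "192.0.2.10", 5060, "mike@mtcc.com")}


def sa_for_packet(spi, src_ip, dst_port):
    """Return the SA if the packet's SPI exists and its selectors match, else None."""
    sa = SAD.get(spi)
    if sa is None or sa.remote_ip != src_ip or sa.local_port != dst_port:
        return None
    return sa


def parse_sip_from(msg):
    """Return user@host from the From header (bare or <sip:...>;tag=... form), or None."""
    for line in msg.splitlines():
        if line.lower().startswith("from:"):
            value = line.split(":", 1)[1].strip()
            if "<" in value and ">" in value:
                value = value[value.index("<") + 1:value.index(">")]
            value = value.split(";", 1)[0]
            return value[4:] if value.lower().startswith("sip:") else value
    return None


def authorize(spi, src_ip, dst_port, sip_msg):
    """Accept only when the L7 From identity equals the identity IKE authenticated for this SA."""
    sa = sa_for_packet(spi, src_ip, dst_port)
    if sa is None:
        return False, "no matching SA: cleartext or selector mismatch"
    claimed = parse_sip_from(sip_msg)
    if claimed is None:
        return False, "no From header"
    if claimed.lower() != sa.remote_id.lower():
        return False, f"L7 identity {claimed} != IKE identity {sa.remote_id}"
    return True, claimed
```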
