
Re: [MSEC] Re: multicast authentication using AH

Might also want to encode an ident somewhere.

Should there be an option for attaching a cert to the message,
or would you see that being done solely by key mgmt (group mgr
would multicast sender certs to the group)?

Maintaining many certs does complicate SA mgmt; it's like having
many keys/SAs.

Hilarie

>>> Dan McDonald <danmcd@East.Sun.COM> 06/13/01 08:14AM >>>
> > > AH SHOULD HAVE supported authentication with digital signatures.
> >
> >There's nothing, I believe, about AH that prevents digital signatures from
> >being used.
> >
> >The Authentication Data area can be made up to 1016 bytes (just shy of
> >8kbits) per 2402.  That should be plenty of room for a digital signature.
> >
> >Dan
> 
> How is this signalled?

It's part of the IPsec Security Association data.  Per 2401, an SA is indexed
by the tuple <AH, SPI, IP destination address>.  When you add the appropriate
SA, you get all sorts of data, including the algorithm.

All one would need to do is write a new "algorithm document" for using a
digital signature with AH.  It shouldn't be tough, and if I had cycles (HAH!)
I could easily prototype one in Solaris.

Dan
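The 1016-byte figure Dan quotes above follows directly from the AH header layout in RFC 2402: Payload Len is an 8-bit count of 32-bit words minus 2, so the whole header is capped at (255 + 2) * 4 = 1028 bytes, of which 12 are the fixed fields. The following Python is an added illustration, not code from anyone in this thread: it encodes and decodes an AH header with a variable-length Authentication Data field, enforces that cap, and answers the question of whether a signature of a given size would fit. The SPI, sequence number and ICV bytes are constructed sample values; the field layout is RFC 2402's.

```python
import struct

# Fixed part of the AH header (RFC 2402, section 2), 12 bytes:
#   Next Header (1) | Payload Len (1) | RESERVED (2) | SPI (4) | Sequence Number (4)
AH_FIXED_LEN = 12
_AH_FIXED = struct.Struct("!BBHII")


def max_auth_data_len() -> int:
    """Largest Authentication Data field a single AH header can carry.

    Payload Len counts 32-bit words minus 2 in one byte, so the total header
    length is at most (0xFF + 2) * 4 = 1028 bytes; removing the 12 fixed
    bytes leaves 1016 bytes for the ICV or signature.
    """
    return (0xFF + 2) * 4 - AH_FIXED_LEN


def fits_in_ah(sig_bits: int) -> bool:
    """Would a signature of sig_bits bits fit in Authentication Data?

    Also requires the byte length to round up to a 32-bit boundary (IPv4),
    which is what the sender would pad to before transmission.
    """
    nbytes = (sig_bits + 7) // 8
    padded = (nbytes + 3) // 4 * 4
    return padded <= max_auth_data_len()


def build_ah(next_header: int, spi: int, seq: int, auth_data: bytes) -> bytes:
    """Serialize an AH header carrying auth_data (IPv4 alignment rules)."""
    if len(auth_data) % 4:
        raise ValueError("Authentication Data must be a multiple of 32 bits")
    if len(auth_data) > max_auth_data_len():
        raise ValueError(
            f"Authentication Data too long: {len(auth_data)} > {max_auth_data_len()}"
        )
    payload_len = (AH_FIXED_LEN + len(auth_data)) // 4 - 2
    return _AH_FIXED.pack(next_header, payload_len, 0, spi, seq) + auth_data


def parse_ah(buf: bytes) -> dict:
    """Decode an AH header, using Payload Len to find the ICV boundary.

    A receiver must trust Payload Len only after this bounds check; a
    truncated buffer is rejected rather than silently read past its end.
    """
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("buffer shorter than the fixed AH header")
    next_header, payload_len, _reserved, spi, seq = _AH_FIXED.unpack_from(buf)
    total = (payload_len + 2) * 4
    if len(buf) < total:
        raise ValueError(f"truncated AH header: need {total}, have {len(buf)}")
    return {
        "next_header": next_header,
        "spi": spi,
        "seq": seq,
        "auth_data": buf[AH_FIXED_LEN:total],
        "payload": buf[total:],  # whatever follows the AH header
    }


def demo() -> dict:
    # Constructed sample: a 2048-bit (256-byte) signature-sized ICV, SPI 0x1000,
    # sequence number 1, Next Header 51 chosen arbitrarily for the sample.
    icv = bytes(i & 0xFF for i in range(256))
    pkt = build_ah(51, 0x1000, 1, icv) + b"inner payload"
    return parse_ah(pkt)


if __name__ == "__main__":
    fields = demo()
    print("max Authentication Data:", max_auth_data_len(), "bytes")
    print("2048-bit signature fits:", fits_in_ah(2048))
    print("8192-bit signature fits:", fits_in_ah(8192))
    print("parsed ICV length:", len(fields["auth_data"]))
```

Run it and the header maximum comes out at 1016 bytes; a 2048-bit signature fits comfortably, while one of 8192 bits (1024 bytes) does not, which is the "just shy of 8kbits" ceiling Dan refers to.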