
Re: [MSEC] Re: multicast authentication using AH



So it might not be a no-brainer to put digital signatures in ESP or AH.

At 02:46 PM 6/13/2001 -0600, Hilarie Orman wrote:
>Might also want to encode an ident somewhere.

GDOI does this in its Phase 2.


>Should there be an option for attaching a cert to the message,
>or would you see that being done solely by key mgmt (group mgr
>would multicast sender certs to the group)?

GDOI does this as part of its key management over pairwise and
multicast connections.


>Maintaining many certs does complicate SA mgmt, it's like having
>many keys/SA.

I don't think having multiple authorizations, such as to belong to
multiple groups, requires having a unique signature key for each
authorization.

Mark


>Hilarie
>
> >>> Dan McDonald <danmcd@East.Sun.COM> 06/13/01 08:14AM >>>
> > > > AH SHOULD HAVE supported authentication with digital signatures.
> > >
> > >There's nothing, I believe, about AH that prevents digital signatures from
> > >being used.
> > >
> > >The Authentication Data area can be made up to 1016 bytes (just shy of
> > >8kbits) per 2402.  That should be plenty of room for a digital signature.
> > >
> > >Dan
> >
> > How is this signalled?
>
>It's part of the IPsec Security Association data.  Per 2401, an SA is indexed
>by the tuple <AH, SPI, IP destination address>.  When you add the appropriate
>SA, you get all sorts of data, including the algorithm.
>
>All one would need to do is write a new "algorithm document" for using a
>digital signature with AH.  It shouldn't be tough, and if I had cycles (HAH!)
>I could easily prototype one in Solaris.
>
>Dan
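An added example, not code from the thread or any of its participants, illustrating Dan's two points: the AH header layout of RFC 2402, whose 8-bit Payload Len (in 32-bit words minus 2) is what caps the Authentication Data field at 1016 bytes, and the SA lookup keyed by <AH, SPI, destination> from RFC 2401. The SA table contents, the 256-byte placeholder signature and the algorithm label are constructed for the example.

```python
# Added example (not from the thread): build/parse an RFC 2402 AH header and
# show where the 1016-byte Authentication Data ceiling comes from.
import struct

AH_FIXED_LEN = 12   # Next Header(1) + Payload Len(1) + Reserved(2) + SPI(4) + Sequence(4)
AH_PROTO = 51       # IP protocol number for AH


def max_auth_data_len():
    """Payload Len is 8 bits and counts 32-bit words minus 2, so the largest
    AH header is (255 + 2) * 4 = 1028 bytes; minus the fixed fields that is 1016."""
    return (255 + 2) * 4 - AH_FIXED_LEN


def build_ah(next_hdr, spi, seq, auth_data):
    """Assemble an AH header; Authentication Data is padded to a 32-bit boundary."""
    if len(auth_data) > max_auth_data_len():
        raise ValueError("authentication data exceeds the 1016-byte AH limit")
    body = auth_data + b"\x00" * ((-len(auth_data)) % 4)
    payload_len = (AH_FIXED_LEN + len(body)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + body


def parse_ah(packet):
    """Return (next_header, spi, seq, auth_data, remainder) for a raw AH header.
    Raises ValueError when the header is truncated or Payload Len is inconsistent."""
    if len(packet) < AH_FIXED_LEN:
        raise ValueError("AH header truncated")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
    total_len = (payload_len + 2) * 4
    if total_len < AH_FIXED_LEN or len(packet) < total_len:
        raise ValueError("AH Payload Len does not match packet length")
    return next_hdr, spi, seq, packet[AH_FIXED_LEN:total_len], packet[total_len:]


def lookup_sa(sa_table, dst, spi):
    """SA selection by the <AH, SPI, IP destination> tuple of RFC 2401; the SA
    record is where the receiver learns which algorithm (signature or MAC) applies."""
    return sa_table.get((AH_PROTO, spi, dst))


# Constructed sample data: a 256-byte placeholder standing in for an RSA-2048
# signature, and a one-entry SA table with a hypothetical signature transform.
SAMPLE_SIG = bytes(range(256))
SA_TABLE = {(AH_PROTO, 0x1000, "239.1.2.3"): {"algorithm": "hypothetical-ah-digital-signature",
                                               "signer": "group-sender-cert (constructed)"}}
```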