
Re: [MSEC] Re: multicast authentication using AH



At 04:39 PM 6/14/2001 -0600, you wrote:
>Well, maybe a small-brainer.

A new DOI for IKE?


>If there are multiple senders, then a recipient needs a cert from each
>of them.  Thus, the single SA with multiple keys.

I see.

Mark


>Hilarie
>
> >>> Mark Baugher <mbaugher@cisco.com> 06/14/01 04:27PM >>>
>So it might not be a no brainer to put digital signatures in ESP or AH.
>
>At 02:46 PM 6/13/2001 -0600, Hilarie Orman wrote:
> >Might also want to encode an ident somewhere.
>
>GDOI does this in its Phase 2.
>
>
> >Should there be an option for attaching a cert to the message,
> >or would you see that being done solely by key mgmt (group mgr
> >would multicast sender certs to the group)?
>
>GDOI does this as part of its key management over pairwise and
>multicast connections.
>
>
> >Maintaining many certs does complicate SA mgmt, it's like having
> >many keys/SA.
>
>I don't think having multiple authorizations, such as to belong to
>multiple groups, requires having a unique signature key for each
>authorization.
>
>Mark
>
>
> >Hilarie
> >
> > >>> Dan McDonald <danmcd@East.Sun.COM> 06/13/01 08:14AM >>>
> > > > > AH SHOULD HAVE supported authentication with digital signatures.
> > > >
> > > >There's nothing, I believe, about AH that prevents digital signatures from
> > > >being used.
> > > >
> > > >The Authentication Data area can be made up to 1016 bytes (just shy of
> > > >8kbits) per 2402.  That should be plenty of room for a digital signature.
> > > >
> > > >Dan
> > >
> > > How is this signalled?
> >
> >It's part of the IPsec Security Association data.  Per 2401, an SA is indexed
> >by the tuple <AH, SPI, IP destination address>.  When you add the appropriate
> >SA, you get all sorts of data, including the algorithm.
> >
> >All one would need to do is write a new "algorithm document" for using a
> >digital signature with AH.  It shouldn't be tough, and if I had cycles (HAH!)
> >I could easily prototype one in Solaris.
> >
> >Dan
>
>
>_______________________________________________
>msec mailing list
>msec@securemulticast.org
>http://www.pairlist.net/mailman/listinfo/msec
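The mechanics Dan and Hilarie are describing, as an added worked example that is not from the list thread nor from any IPsec implementation: the signature sits in the AH Authentication Data field (12 fixed bytes, then up to 1016 bytes of ICV, since Payload Len is an 8-bit word count minus 2), the receiver selects the algorithm from the SA it finds under <AH, SPI, destination>, and for a multicast group with several senders that one SA holds one public key per sender. Everything beyond that is an assumption made for the example: Ed25519 stands in for whatever signature scheme an "algorithm document" would register (the SA algorithm name "ed25519-sig" is hypothetical), the first 4 bytes of the Authentication Data carry a sender ident that selects the key (one way to "encode an ident somewhere"; not a layout from RFC 2402), the IPv4 header is assumed to be 20 bytes with no options, and the addresses and payload are constructed. The ICV input follows RFC 2402: mutable IPv4 fields and the whole Authentication Data field are zeroed before signing, which is why a TTL decrement in transit does not break verification while a payload change or a signature from a key outside the SA does.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// AH per RFC 2402: 12 fixed bytes, then Authentication Data. Payload Len is an
// 8-bit count of 32-bit words minus 2, so AH tops out at (255+2)*4 = 1028 bytes
// and Authentication Data at 1016 (Dan's figure).
const (
	ahFixedLen  = 12
	maxAuthData = 1016
	protoAH     = 51
	senderIDLen = 4 // assumed layout: 4-byte sender ident, then the signature
	authDataLen = senderIDLen + ed25519.SignatureSize // 68 bytes, 32-bit aligned
)

// Packet is a 20-byte optionless IPv4 header (assumed) + AH + upper-layer payload.
type Packet struct{ IPHdr, AH, Payload []byte }

// SA is the receiver's state for one <AH, SPI, destination>: the algorithm and,
// for a group with several senders, one public key per sender ident
// (Hilarie's "single SA with multiple keys").
type SA struct {
	Alg     string
	Senders map[uint32]ed25519.PublicKey
}

// SADB indexes SAs by SPI || IPv4 destination, the AH part of the RFC 2401 tuple.
type SADB map[[8]byte]*SA

func saKey(spi uint32, dst []byte) (k [8]byte) {
	binary.BigEndian.PutUint32(k[:4], spi)
	copy(k[4:], dst)
	return k
}

// signedInput is the RFC 2402 ICV input: IPv4 mutable fields (TOS, flags and
// fragment offset, TTL, header checksum) zeroed, the whole Authentication Data
// field zeroed, then the payload. Everything else, including the destination
// address and Next Header, is covered.
func signedInput(p Packet) []byte {
	h := append([]byte(nil), p.IPHdr...)
	h[1], h[6], h[7], h[8], h[10], h[11] = 0, 0, 0, 0, 0, 0
	a := append([]byte(nil), p.AH...)
	for i := ahFixedLen; i < len(a); i++ {
		a[i] = 0
	}
	return bytes.Join([][]byte{h, a, p.Payload}, nil)
}

// Sign inserts an AH carrying sender ident + Ed25519 signature. ipHdr holds the
// pre-AH protocol number, which becomes AH's Next Header; the outgoing header
// gets protocol 51.
func Sign(priv ed25519.PrivateKey, senderID, spi, seq uint32, ipHdr, payload []byte) (Packet, error) {
	if len(ipHdr) != 20 {
		return Packet{}, errors.New("example assumes a 20-byte IPv4 header")
	}
	ah := make([]byte, ahFixedLen+authDataLen)
	ah[0] = ipHdr[9]
	ah[1] = uint8(len(ah)/4 - 2) // 80 bytes -> 18
	binary.BigEndian.PutUint32(ah[4:8], spi)
	binary.BigEndian.PutUint32(ah[8:12], seq)
	binary.BigEndian.PutUint32(ah[ahFixedLen:], senderID)
	hdr := append([]byte(nil), ipHdr...)
	hdr[9] = protoAH
	p := Packet{IPHdr: hdr, AH: ah, Payload: payload}
	sig := ed25519.Sign(priv, signedInput(p))
	copy(ah[ahFixedLen+senderIDLen:], sig) // fill the field the ICV input zeroed
	return p, nil
}

// Verify is the receiver side: SA lookup by <SPI, dst>, algorithm check, AH
// length check, per-sender key selection, signature check. Returns the sender ident.
func Verify(db SADB, p Packet) (uint32, error) {
	if len(p.IPHdr) != 20 || len(p.AH) < ahFixedLen || p.IPHdr[9] != protoAH {
		return 0, errors.New("malformed packet")
	}
	spi := binary.BigEndian.Uint32(p.AH[4:8])
	sa, ok := db[saKey(spi, p.IPHdr[16:20])]
	if !ok {
		return 0, errors.New("no SA for <AH, SPI, dst>")
	}
	if sa.Alg != "ed25519-sig" { // hypothetical name an "algorithm document" would register
		return 0, errors.New("SA algorithm is not a signature algorithm")
	}
	n := len(p.AH) - ahFixedLen
	if (int(p.AH[1])+2)*4 != len(p.AH) || n > maxAuthData || n != authDataLen {
		return 0, errors.New("bad AH length")
	}
	ad := p.AH[ahFixedLen:]
	id := binary.BigEndian.Uint32(ad[:senderIDLen])
	pub, ok := sa.Senders[id]
	if !ok {
		return 0, fmt.Errorf("sender ident %d not in SA", id)
	}
	if !ed25519.Verify(pub, signedInput(p), ad[senderIDLen:]) {
		return 0, errors.New("signature verification failed")
	}
	return id, nil
}

// ipv4Hdr builds a constructed 20-byte header (checksum left zero; not a wire packet).
func ipv4Hdr(src, dst [4]byte, proto uint8, totalLen uint16) []byte {
	h := make([]byte, 20)
	h[0] = 0x45
	binary.BigEndian.PutUint16(h[2:4], totalLen)
	h[8], h[9] = 64, proto
	copy(h[12:16], src[:])
	copy(h[16:20], dst[:])
	return h
}

// Demo: two senders share one group SA; a TTL decrement in transit is harmless,
// a payload change fails, and a third party with no key in the SA cannot forge
// even while claiming a legitimate sender's ident.
func Demo() (map[string]bool, error) {
	group, spi := [4]byte{239, 1, 2, 3}, uint32(0x1001)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	db := SADB{saKey(spi, group[:]): &SA{Alg: "ed25519-sig",
		Senders: map[uint32]ed25519.PublicKey{1: alicePub, 2: bobPub}}}
	payload := []byte("constructed multicast payload")
	hdr := ipv4Hdr([4]byte{10, 0, 0, 1}, group, 17, uint16(20+ahFixedLen+authDataLen+len(payload)))
	r := map[string]bool{}
	a, err := Sign(alicePriv, 1, spi, 1, hdr, payload)
	if err != nil {
		return nil, err
	}
	id, err := Verify(db, a)
	r["alice_ok"] = err == nil && id == 1
	b, _ := Sign(bobPriv, 2, spi, 1, hdr, payload)
	b.IPHdr[8]-- // a router decremented TTL: mutable field, still verifies
	id, err = Verify(db, b)
	r["bob_ok_after_ttl"] = err == nil && id == 2
	t := Packet{IPHdr: b.IPHdr, AH: b.AH, Payload: append([]byte(nil), b.Payload...)}
	t.Payload[0] ^= 1
	_, err = Verify(db, t)
	r["tamper_rejected"] = err != nil
	m, _ := Sign(malloryPriv, 1, spi, 2, hdr, payload) // claims Alice's ident
	_, err = Verify(db, m)
	r["forgery_rejected"] = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(r)
}
```

Note that the signature is only checked against the key the SA holds for the claimed ident, so membership of the group SA, not possession of the group key, is what authenticates the source; that is the property a shared HMAC key in AH cannot give a multicast group, and it is why the SA (here) rather than the packet format has to grow a key per sender.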