RE: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems
Stephen Kent writes:
> At 10:32 AM -0700 8/15/01, Michael Thomas wrote:
> Mike,
>
> Your understanding is not quite right. First, tunnel mode, while
> required for an SG, is also applicable to two hosts communicating.
> Second, IPsec supports authentication of symbolic names, not just IP
> addresses, which are dynamically bound to IP addresses for the
> duration of an SA.
My understanding is that the reality is somewhat
different. For example, I don't believe that I
can have a credential which is bound to a SPI
which spans multiple IP addresses concurrently. As
such it would only provide a single layer of
indirection. Maybe the DNS modes provide some of
this functionality, but I have doubts as to how
well supported or secure it is.
> This is how we support connections from mobile
> users, for example.
Mobile nodes use their home address, right? So
it's not an issue.
> The access control model that underlies IPsec is that one uses some
> means of authenticating a peer, e.g., via binding a signature key to
> an ID, traceable to a trust anchor, and that the traffic sent from
> and sent to the authenticated peer is subject to access controls
> expressed in the SPD. These controls apply not only to allowed IP
> addresses to/from which traffic may flow, but also protocols and port
> fields. The motivation for these other selectors is the same as in
> firewalls, i.e., we can control access to services based on access to
> well-known ports.
Right... an authenticated firewall. That's pretty much
my understanding. This seems, well, of limited utility
for transport mode unless it can be tied to applications
(i.e., in the same way that login names produce a mapping
to a GID/UID for file systems after login). Maybe I'm
just generally skeptical of integrated host firewalls
as being misguided, but that's probably just me.
Mike