
RE: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems



Stephen Kent writes:
 > At 10:32 AM -0700 8/15/01, Michael Thomas wrote:
 > Mike,
 > 
 > Your understanding is not quite right.  First, tunnel mode, while 
 > required for an SG, is also applicable to two hosts communicating. 
 > Second, IPsec supports authentication of symbolic names, not just IP 
 > addresses, which are dynamically bound to IP addresses for the 
 > duration of an SA.  

   My understanding is that the reality is somewhat
   different. For example, I don't believe that I
   can have a credential which is bound to a SPI
   which spans multiple IP addresses concurrently. As
   such it would only provide a single layer of 
   indirection. Maybe the DNS modes provide some of
   this functionality, but I have doubts as to how
   well supported or secure it is.

 > This is how we support connections from mobile 
 > users, for example.

   Mobile nodes use their home address, right? So
   it's not an issue.

 > The access control model that underlies IPsec is that one uses some 
 > means of authenticating a peer, e.g., via binding a signature key to 
 > an ID, traceable to a trust anchor, and that the traffic sent from 
 > and sent to the authenticated peer is subject to access controls 
 > expressed in the SPD. These controls apply not only to allowed IP 
 > addresses to/from which traffic may flow, but also protocols and port 
 > fields. The motivation for these other selectors is the same as in 
 > firewalls, i.e., we can control access to services based on access to 
 > well-known ports.
 
   Right... an authenticated firewall. That's pretty much
   my understanding. This seems, well, of limited utility
   for transport mode unless it can be tied to applications
   (i.e., in the same way that login names produce a mapping
   to a GID/UID for file systems after login). Maybe I'm
   just generally skeptical of integrated host firewalls
   as being misguided, but that's probably just me.

      Mike
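The access control model the two messages argue over (an authenticated peer, a symbolic name bound to one IP address for the lifetime of an SA, and SPD selectors on address, protocol and port) is easy to misread in prose. The following is an added toy model of that lookup, written for this page; it is not code from the thread's participants nor from any IPsec implementation, and the peer name "laptop.example", the addresses, the SPIs and the policy entries are constructed sample data. Entry order is first-match and an unmatched packet is discarded, which is the default-deny behaviour IPsec specifies for protected traffic.

```python
"""Toy model of IPsec SPD-style access control after peer authentication.

An SPD entry is keyed on the authenticated symbolic name and carries traffic
selectors (remote address range, protocol, local port range). A security
association binds that name to the concrete address the peer currently uses,
so the policy can stay in terms of the name while the address changes
between SAs. All names, addresses and SPIs here are constructed examples.
"""
import ipaddress
from dataclasses import dataclass

PROTECT, DISCARD = "PROTECT", "DISCARD"
ANY = "any"


@dataclass(frozen=True)
class SpdEntry:
    peer: str            # authenticated symbolic name the rule applies to
    remote_net: str      # CIDR the packet's remote (source) address must fall in
    protocol: str        # "tcp", "udp", "icmp" or ANY
    local_ports: tuple   # inclusive (low, high) destination port range on our side
    action: str          # PROTECT or DISCARD


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int        # 0 for protocols without ports (e.g. icmp)


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    peer: str            # symbolic name proven during key exchange
    peer_addr: str       # address the name is bound to for this SA's lifetime


def selector_match(entry: SpdEntry, pkt: Packet) -> bool:
    """True when every traffic selector of the entry covers the packet."""
    in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(entry.remote_net)
    proto_ok = entry.protocol == ANY or entry.protocol == pkt.protocol
    low, high = entry.local_ports
    return in_net and proto_ok and low <= pkt.dst_port <= high


def spd_lookup(spd: list, peer: str, pkt: Packet) -> str:
    """First matching entry for this peer wins; no match means discard."""
    for entry in spd:
        if entry.peer == peer and selector_match(entry, pkt):
            return entry.action
    return DISCARD


def inbound_decision(spd: list, sad: dict, spi: int, pkt: Packet) -> str:
    """Fate of an inbound packet that arrived on the SA identified by spi."""
    sa = sad.get(spi)
    if sa is None:
        return DISCARD                   # no such SA
    if pkt.src != sa.peer_addr:
        return DISCARD                   # one name, one address per SA
    return spd_lookup(spd, sa.peer, pkt)


def establish_sa(sad: dict, spi: int, peer: str, addr: str) -> dict:
    """Return a new SA database with the peer name bound to its current address.

    Re-keying after a move yields a fresh SA at the new address; the SPD,
    being written in terms of the name, does not need to change.
    """
    updated = dict(sad)
    updated[spi] = SecurityAssociation(spi, peer, addr)
    return updated


# Constructed sample policy: the peer "laptop.example" may reach SSH and HTTPS
# on our side, and everything else from it is dropped by the catch-all entry.
SAMPLE_SPD = [
    SpdEntry("laptop.example", "0.0.0.0/0", "tcp", (22, 22), PROTECT),
    SpdEntry("laptop.example", "0.0.0.0/0", "tcp", (443, 443), PROTECT),
    SpdEntry("laptop.example", "0.0.0.0/0", ANY, (0, 65535), DISCARD),
]

# Constructed SA database: the name bound to the address it negotiated from.
SAMPLE_SAD = establish_sa({}, 0x1001, "laptop.example", "198.51.100.7")

if __name__ == "__main__":
    ssh = Packet("198.51.100.7", "10.0.0.1", "tcp", 22)
    smtp = Packet("198.51.100.7", "10.0.0.1", "tcp", 25)
    print(inbound_decision(SAMPLE_SPD, SAMPLE_SAD, 0x1001, ssh))   # PROTECT
    print(inbound_decision(SAMPLE_SPD, SAMPLE_SAD, 0x1001, smtp))  # DISCARD
```

The model makes both points of the exchange visible: the policy never mentions an address (the selector is 0.0.0.0/0 and the name does the work), yet any one SA is still bound to exactly one address, so a packet from a different source on the same SPI is dropped rather than matched by name.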

