
RE: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems



At 9:02 AM -0700 8/16/01, Michael Thomas wrote:
>Stephen Kent writes:
>  > At 10:32 AM -0700 8/15/01, Michael Thomas wrote:
>  > Mike,
>  >
>  > Your understanding is not quite right.  First, tunnel mode, while
>  > required for an SG, is also applicable to two hosts communicating.
>  > Second, IPsec supports authentication of symbolic names, not just IP
>  > addresses, which are dynamically bound to IP addresses for the
>  > duration of an SA. 
>
>    My understanding is that the reality is somewhat
>    different. For example, I don't believe that I
>    can have a credential which is bound to a SPI
>    which spans multiple IP addresses concurrently. As
>    such it would only provide a single layer of
>    indirection. Maybe the DNS modes provide some of
>    this functionality, but I have doubts as to how
>    well supported or secure it is.
>
>  > This is how we support connections from mobile
>  > users, for example.
>
>    Mobile nodes use their home address, right? So
>    it's not an issue.

Some vendors have adopted that approach, but it is not a requirement 
and IPsec is prepared to deal with the more general case.

>
>  > The access control model that underlies IPsec is that one uses some
>  > means of authenticating a peer, e.g., via binding a signature key to
>  > an ID, traceable to a trust anchor, and that the traffic sent from
>  > and sent to the authenticated peer is subject to access controls
>  > expressed in the SPD. These controls apply not only to allowed IP
>  > addresses to/from which traffic may flow, but also protocols and port
>  > fields. The motivation for these other selectors is the same as in
>  > firewalls, i.e., we can control access to services based on access to
>  > well-known ports.
>
>    Right... an authenticated firewall. That's pretty much
>    my understanding. This seems, well, of limited utility
>    for transport mode unless it can be tied to applications
>    (ie, in the same way that login names produce a mapping
>    to a GID/UID for file systems after login). Maybe I'm
>    just generally skeptical of integrated host firewalls
>    as being misguided, but that's probably just me.
>

In the context of a host it would be nice to have a standard API for 
applications to request IPsec services; this requires changes to the 
apps. The alternative is to configure the SPD to automatically 
provide the services, which is attractive as a centrally managed 
approach to security as well. There is no transport vs. tunnel mode 
distinction here, unless you're making the assumption that a host 
would only use transport mode. (This would be OK for host/host SAs, 
but it's not necessary and it doesn't work for host/SG SAs.)

Steve
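The exchange above describes the SPD as an "authenticated firewall": a peer is authenticated under a symbolic ID (not merely an IP address), that ID is bound to whatever address the peer currently uses for the life of the SA, and traffic to or from the peer is then filtered on address, protocol and port selectors. The following is an added illustration of that model, written for this page; it is not code from the thread or from any IPsec implementation. The peer names, addresses and policy entries are constructed, and the actions PROTECT/BYPASS/DISCARD follow the RFC 2401 vocabulary.

```python
"""Toy IPsec Security Policy Database (SPD) lookup.

Illustrates the access-control model discussed in the thread: an
authenticated peer ID is matched along with address, protocol and port
selectors, first match wins (as in a firewall ruleset), and the result
is one of the RFC 2401 actions PROTECT, BYPASS or DISCARD.
All identities, addresses and rules here are constructed examples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # wildcard selector value


@dataclass(frozen=True)
class SpdEntry:
    peer_id: Optional[str]            # authenticated peer name, or ANY (unauthenticated ok)
    remote: Optional[str]             # CIDR the remote address must fall in, or ANY
    proto: Optional[int]              # IP protocol number (6 = TCP, 17 = UDP), or ANY
    dport: Optional[Tuple[int, int]]  # inclusive destination port range, or ANY
    action: str                       # "PROTECT", "BYPASS" or "DISCARD"

    def matches(self, peer_id, remote_ip, proto, dport) -> bool:
        """True if every non-wildcard selector matches the traffic."""
        if self.peer_id is not ANY and self.peer_id != peer_id:
            return False
        if self.remote is not ANY and (
            ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.remote)
        ):
            return False
        if self.proto is not ANY and self.proto != proto:
            return False
        if self.dport is not ANY and not (self.dport[0] <= dport <= self.dport[1]):
            return False
        return True


# Ordered policy, first match wins.  Note the first rule keys on the peer's
# authenticated name, not its address: a mobile user keeps the same policy
# whatever address the SA is currently bound to (constructed example).
SPD = [
    SpdEntry("alice@example.test", ANY, 6, (22, 22), "PROTECT"),   # ssh, authenticated only
    SpdEntry(ANY, "192.0.2.0/24", 6, (80, 80), "BYPASS"),           # plain http to one subnet
    SpdEntry(ANY, ANY, ANY, ANY, "DISCARD"),                        # default deny
]


def spd_lookup(peer_id, remote_ip, proto, dport, spd=SPD) -> str:
    """Return the SPD action for traffic with the given selectors.

    peer_id is the name the IKE peer authenticated as (None if the traffic
    is not associated with an authenticated peer).  Falls back to DISCARD
    if no entry matches, mirroring a default-deny SPD.
    """
    for entry in spd:
        if entry.matches(peer_id, remote_ip, proto, dport):
            return entry.action
    return "DISCARD"


if __name__ == "__main__":
    # Same authenticated ID from two different addresses gets the same answer.
    print(spd_lookup("alice@example.test", "198.51.100.7", 6, 22))   # PROTECT
    print(spd_lookup("alice@example.test", "203.0.113.9", 6, 22))    # PROTECT
    # Authentication alone is not enough: the port selector still applies.
    print(spd_lookup("alice@example.test", "198.51.100.7", 6, 23))   # DISCARD
    # Unauthenticated http to the permitted subnet is bypassed; dns is not.
    print(spd_lookup(None, "192.0.2.10", 6, 80))                     # BYPASS
    print(spd_lookup(None, "192.0.2.10", 17, 53))                    # DISCARD
```

The design choice worth noting is that the identity selector is evaluated independently of the address selector: authentication binds a name to an address for the duration of the SA, but the policy is written against the name, so a peer that changes address (the mobile-user case raised in the thread) is not a special case in the SPD.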
