
Re: Why can't ESP authenticate IP header?



Stephen Kent writes:
 > >In fact, I'll bet what's really lurking here is
 > >the desire to have application layer cross
 > >checking since what you're effectively doing is
 > >providing a (weak) check to filter out
 > >authenticated but unauthorized traffic (ie,
 > >filtering crypto protected source spoofing).
 > >
 > Mike,
 > 
 > I would not characterize this as "application layer cross
 > checking."

   Nor would I. At best, it's a substitute for 
   application layer cross checking which does
   not exist.

 > Access control is the motivation for this check, and it is consistent 
 > with the principle of least privilege. We have many examples of 
 > systems that have been vulnerable because they made the assumption 
 > that every peer is "trusted." 

   Sure. That's why applications need the ability to get
   access to credentials when available. Enforcing
   source address to SA foils exactly one attack but
   leaves you completely vulnerable to any number of
   attacks with the higher layer protocols which have
   no clue whether the credentials presented at the
   IP layer disagree with the identities presented at
   the application layer. Also: as I mentioned, binding
   to the source IP address makes multi-homing, mobility,
   and renumbering problematic.

 > We often hear folks use this sort of 
 > terminology in discussing IPsec SAs.  A compliant IPsec 
 > implementation, using the SPD, expresses access control constraints 
 > on all communication that passes through it. The check performed by a 
 > receiver after IPsec processing ensures that no peer can violate the 
 > access control parameters that characterize the SA carrying traffic 
 > from that peer. This is just good security engineering.  

   Good security engineering needs to consider the 
   whole system. If I can use strong credentials at
   one layer and weak credentials at another, the 
   system is as strong as the weak credentials. For
   many protocols, IPsec is about the only answer if
   you want strong credentials any time soon (TLS isn't
   currently viable if you want to use UDP).

   What we have right now, however, is a return to the
   past for those applications where you can be pretty
   sure about their source IP address, but have to resort
   to reverse DNS mappings (and their well known weaknesses)
   or worse to have any ability to cross check the
   asserted identity in, say, a SIP or SMTP message.

 > Yes, the 
 > traffic has passed a cryptographic data origin authentication check, 
 > but a failure to perform this check would undermine the access 
 > control features. Relative to the stated goals, the check is not 
 > "weak;" it is precise.

   Hamfisted is closer to the truth. ACL based security
   is better than nothing, but it is both crude and weak
   in comparison to a well integrated system with strong
   authentication throughout the layers.

		  Mike
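An added illustration of the receiver-side check the two posts argue about (not code from Steve's or Mike's messages, and a simplified model rather than any IPsec implementation): after the ESP integrity check, the inner packet is compared against the SA's negotiated selectors, so an authenticated peer that sends traffic outside those selectors is dropped. The SA, addresses and ports are constructed sample values; the last case also shows the renumbering problem Mike raises, where a legitimate peer sending from a new address fails the same check.

```python
# Simplified model of the post-decapsulation selector check (added example,
# not from the thread). All addresses, ports and the SA are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Selectors:
    src: str          # CIDR the peer is allowed to send from
    dst: str          # CIDR the peer is allowed to send to
    proto: int        # IP protocol number (17 = UDP, 6 = TCP)
    dst_ports: range  # allowed destination ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int


def selectors_match(sel: Selectors, pkt: Packet) -> bool:
    """True when every field of the inner packet falls inside the SA's selectors."""
    return (ip_address(pkt.src) in ip_network(sel.src)
            and ip_address(pkt.dst) in ip_network(sel.dst)
            and pkt.proto == sel.proto
            and pkt.dport in sel.dst_ports)


def inbound_check(sa_selectors: Selectors, icv_ok: bool, pkt: Packet) -> str:
    """Disposition of a packet that arrived on a given SA.

    icv_ok is the result of the ESP integrity check; a packet that
    authenticates but does not match the SA selectors is the
    'authenticated but unauthorized' case discussed above.
    """
    if not icv_ok:
        return "drop: integrity check failed"
    if not selectors_match(sa_selectors, pkt):
        return "drop: authenticated but outside SA selectors"
    return "accept"


# Constructed SA: the peer may send UDP from 10.1.0.0/16 to the SIP
# port (5060) of hosts in 192.0.2.0/24, and nothing else.
SIP_SA = Selectors("10.1.0.0/16", "192.0.2.0/24", 17, range(5060, 5061))
```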

