Re: Why can't ESP authenticate IP header?
Stephen Kent writes:
> >In fact, I'll bet what's really lurking here is
> >the desire to have application layer cross
> >checking since what you're effectively doing is
> >providing a (weak) check to filter out
> >authenticated but unauthorized traffic (ie,
> >filtering crypto protected source spoofing).
> >
> Mike,
>
> I would not characterize this as "application layer cross
> checking."
Nor would I. At best, it's a substitute for
application layer cross checking which does
not exist.
> Access control is the motivation for this check, and it is consistent
> with the principle of least privilege. We have many examples of
> systems that have been vulnerable because they made the assumption
> that every peer is "trusted."
Sure. That's why applications need the ability to get
access to credentials when available. Enforcing
source address to SA foils exactly one attack but
leaves you completely vulnerable to any number of
attacks with the higher layer protocols which have
no clue whether the credentials presented at the
IP layer disagree with the identities presented at
the application layer. Also: as I mentioned, binding
to the source IP address makes multi-homing, mobility,
and renumbering problematic.
> We often hear folks use this sort of
> terminology in discussing IPsec SAs. A compliant IPsec
> implementation, using the SPD, expresses access control constraints
> on all communication that passes through it. The check performed by a
> receiver after IPsec processing ensures that no peer can violate the
> access control parameters that characterize the SA carrying traffic
> from that peer. This is just good security engineering.
Good security engineering needs to consider the
whole system. If I can use strong credentials at
one layer and weak credentials at another, the
system is as strong as the weak credentials. For
many protocols, IPsec is about the only answer if
you want strong credentials any time soon (TLS isn't
currently viable if you want to use UDP).
What we have right now, however, is a return to the
past for those applications where you can be pretty
sure about their source IP address, but have to resort to
reverse DNS mappings (and their well known weaknesses)
or worse to have any ability to cross check the
asserted identity in, say, a SIP or SMTP message.
> Yes, the
> traffic has passed a cryptographic data origin authentication check,
> but a failure to perform this check would undermine the access
> control features. Relative to the stated goals, the check is not
> "weak;" it is precise.
Hamfisted is closer to the truth. ACL based security
is better than nothing, but it is both crude and weak
in comparison to a well integrated system with strong
authentication throughout the layers.
Mike
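As an added illustration (not code from this thread, nor from any IPsec implementation), here is a minimal Python model of the two checks under discussion: the receiver's post-IPsec selector check that Kent describes, and the application-layer cross check of the payload's asserted identity against the identity authenticated when the SA was set up, which Mike argues is missing. The field names, the `peer_identity`/`app_identity` attributes, and the sample SA and packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class SA:
    spi: int
    src_selector: str     # SPD selector: peer must source traffic from here
    dst_selector: str
    proto: int            # 17 = UDP (e.g. SIP over UDP)
    peer_identity: str    # identity authenticated at SA setup (constructed field)

@dataclass(frozen=True)
class Packet:
    spi: int
    src: str
    dst: str
    proto: int
    app_identity: Optional[str] = None  # identity asserted in the payload (e.g. SIP From)

def sa_selector_check(sa: SA, pkt: Packet) -> bool:
    """The post-decapsulation check Kent describes: traffic that authenticated
    on SA `sa` is dropped if its headers fall outside that SA's selectors."""
    return (pkt.spi == sa.spi
            and ip_address(pkt.src) in ip_network(sa.src_selector)
            and ip_address(pkt.dst) in ip_network(sa.dst_selector)
            and pkt.proto == sa.proto)

def cross_layer_check(sa: SA, pkt: Packet) -> bool:
    """The cross check Mike argues for: the identity asserted at the application
    layer must agree with the identity bound to the SA. This does not depend on
    the source address, so it survives multi-homing, mobility and renumbering."""
    return pkt.app_identity is None or pkt.app_identity == sa.peer_identity

def accept(sa: SA, pkt: Packet) -> str:
    if not sa_selector_check(sa, pkt):
        return "drop: selector mismatch"
    if not cross_layer_check(sa, pkt):
        return "drop: identity mismatch"
    return "accept"

# Constructed sample: an SA for one peer, and three inbound packets on it.
SA1 = SA(spi=0x1001, src_selector="10.0.0.0/24", dst_selector="10.0.1.1/32",
         proto=17, peer_identity="alice@example.com")
GOOD = Packet(0x1001, "10.0.0.5", "10.0.1.1", 17, "alice@example.com")
SPOOFED_SRC = Packet(0x1001, "192.0.2.9", "10.0.1.1", 17, "alice@example.com")
# Passes the selector check (authenticated, in-range source) but asserts a
# different identity in the payload: authenticated but unauthorized traffic.
WRONG_IDENTITY = Packet(0x1001, "10.0.0.7", "10.0.1.1", 17, "bob@example.com")
```

`accept(SA1, WRONG_IDENTITY)` is the case the selector check alone cannot catch; only the identity comparison rejects it.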