
Re: Choosing between IKEv2 and JFK



Michael Thomas <mat@cisco.com> writes:

>    Huh? The certs are only there for identity. If I 
>    want to have two different SA's so I get differential
>    queuing treatment, there's nothing that says that I
>    need two different identities. I just change the
>    traffic selectors. This isn't any different than
>    RSVP flow selectors and queuing treatment.

No, in reality the certs are there for authorization.  It's just that
people don't understand the concept of capabilities, so we have this
ad-hoc "identity" cert and map it via some local lookup method to a
set of capabilities.

You receive an "identity" cert, validate the cert, validate that the
message is authentic using this cert, and then you lookup the
capabilities of this "identity" to validate the authorization for the
requested operation.

In terms of different flow selectors, it is perfectly reasonable to
say that each flow requires its own certificate specifying the
capability of that particular flow.  Similarly, you could specify an
"identity" that is capable of both flows.

The problem with using identity for capability verification is that
there is no way of knowing _which_ capability actually applies to any
situation.  You have to depend on the user requesting the appropriate
flow characteristics, but unless there is a real-world cost associated
with that choice, what incentive does the user have?

For example, if I could use my personal cert to specify a normal
connection or a high-QoS connection and the costs to me were the same,
why wouldn't I specify the high-QoS connection all the time?  OTOH, if
there were clearly different certificates for the two capabilities,
then you could restrict access to the different certs.

Basically, I'm saying that you are both right -- you are just coming
from very different viewpoints.  However, neither is wrong.

> 	     Mike

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
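As an added illustration of the authorization flow described in the reply above (validate the cert, then look up or read off capabilities before granting the requested SA), not code from this thread or from any IKE implementation: the cert fields, the issuer key, the identity-to-capability table and the capability rules are all constructed, and an HMAC stands in for the issuer's public-key signature so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed issuer key. An HMAC over the cert fields stands in for the
# issuer's signature (assumption made to stay stdlib-only; real certs use PKI).
ISSUER_KEY = b"constructed-issuer-key"

def _sign(subject, capabilities):
    fields = json.dumps({"subject": subject, "caps": sorted(capabilities)}).encode()
    return hmac.new(ISSUER_KEY, fields, hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class Cert:
    subject: str
    capabilities: tuple   # empty tuple = pure "identity" cert, no capability inside
    sig: str

def issue(subject, capabilities=()):
    """Issue a cert; with no capabilities it is an identity-only cert."""
    return Cert(subject, tuple(capabilities), _sign(subject, capabilities))

def validate(cert):
    """Step 1: the cert itself must be authentic (signature over its fields)."""
    return hmac.compare_digest(cert.sig, _sign(cert.subject, cert.capabilities))

# Constructed local lookup: identity -> capabilities (the "ad-hoc" mapping).
IDENTITY_CAPS = {"alice@example.com": {"normal", "high-qos"},
                 "bob@example.com": {"normal"}}

# Constructed rules: which QoS class a capability grants, and to which selectors.
CAP_RULES = {"normal":   ("best-effort", ip_network("0.0.0.0/0")),
             "high-qos": ("expedited",   ip_network("10.0.0.0/8"))}

def authorize_sa(cert, dst, qos):
    """Decide a child-SA request (traffic selector dst, QoS class qos).

    A capability cert is checked on its own contents; an identity cert is
    mapped through IDENTITY_CAPS first. Returns (allowed, reason).
    """
    if not validate(cert):
        return False, "certificate signature invalid"
    caps = set(cert.capabilities) or IDENTITY_CAPS.get(cert.subject, set())
    for cap in sorted(caps):
        qos_class, allowed_net = CAP_RULES[cap]
        if qos_class == qos and ip_address(dst) in allowed_net:
            return True, f"granted via capability {cap}"
    return False, f"no capability of {cert.subject} permits {qos} to {dst}"
```

With an identity cert, alice is granted the expedited class anywhere her identity maps to it, which is the incentive problem raised above; a cert carrying only the "normal" capability is refused the same request even though the subject is the same.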