
Re: addresses and IKEv2



Steve,

I'm not talking about a host's local database.  We need a way to uniquely
AND SECURELY identify any host worldwide from any other host.  You don't 
want to replicate this information to every host, you'd have over 100 million
entries to distribute to each one!

I like DNS too, a nice simple hierarchy, it is easy to uniquely name hosts,
and a simple distributed model for managing the address space.  But it has a
crippling drawback from a security perspective.  A DNS name cannot be any
better at identifying a host than its resolved IP address.  And we know how
ephemeral IP addresses can be given the rise of DHCP and NAT.  The only
secure way to absolutely identify a host is to assign it a (randomly) unique
crypto key.  But before you can pull the correct key (RSA or AES) you need to
find it.  For this you need a unique number that doesn't keep being changed
underneath you.  So unfortunately DNS doesn't make the cut.  No amount of
wishful thinking is going to make it work properly for us.

To reiterate my position: IPsec needs to have a global, secure address space
that uniquely identifies every participating host.  It needs to be simple to
understand, distributable, and easy to manage.  And it needs to be able to
dynamically map into the IP address space on demand, including private
network non-routable addresses.

Those are the requirements as I see them.  Anything less than this means
you can't use IPsec unencumbered across the Internet.

- Alex



At 10:24 AM 5/24/2002 -0400, Stephen Kent wrote:
>Alex,
>
>>Steve,
>>
>>On the surface using a global name space like DNS seems like a good
>>idea.  But the fundamental problem is that a DNS name maps to an IP
>>address which is already a slippery beast.  Also not every IP address
>>has a corresponding DNS name.  And a DNS name can map to multiple IP
>>addresses.  So the certificate binding of a DNS name to a Public Key is
>>not a practical approach.  An X.500 DN is even worse; except for LDAP
>>trees, it is hardly used.
>
>In IKE, the mapping between any symbolic name and an IP address is 
>dynamic, so when this sort of symbolic name use is appropriate for 
>locally administered access control (via the SPD), the problems you
>cite here do not seem to arise.
>
>>A much better approach is to have a large, global numerical address space.
>>Each host then is assigned a unique security address from this space.  IP
>>addresses can flit in and out of existence for a host, but its security
>>address remains fixed, at least for the duration between enrollment and
>>revocation in an "IPsec global system".  If one can reliably assign a
>>unique number to each host, then it can be used to look up the
>>authentication key in a secure database to verify that indeed a particular
>>host is assigned that number.  Once you can rely on this number, effectively
>>a global host id, it is much more practical to automate the setting up of a
>>VPN between two hosts, even in the context of Mobile IP or through a NAT or
>>even between two different organizations.
>
>I disagree. Experience has shown that access control systems are very 
>much prone to human error when new forms of ID are introduced that 
>are not readily understood by the people managing these systems. We 
>are comfortable with DNS names, so DNS names are appropriate here. 
>DNs are more descriptive in some contexts, and some people are 
>comfortable with them, so they are appropriate in some contexts as 
>well. A new set of globally unique, numerical IDs will be alien to 
>everyone and will require mapping to some form of name that people do 
>relate to, and the creation of that mapping will introduce errors.
>
>>It seems to me that until the issue of how to effectively identify hosts and
>>manage the resulting address space is agreed upon all the IKEs and JFKs
>>will be failures.  Or at best they will only be a way to automate the key
>>suite negotiation between two hosts (or VPN gateways), thus providing just a
>>modest advantage over the manual keying that dominates IPsec VPN setup today.
>
>I don't see your point. End users and system administrators already 
>make use of the DNS to identify the vast majority of hosts, because 
>this is the way that we refer to these hosts in our applications. 
>Thus it makes sense to retain that way of identifying hosts in access 
>control systems, to minimize confusion.
>
>Steve
>
--

Alex Alten
Alten@ATTBI.com
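The following is an added illustration, not part of Alex's or Steve's messages, of the "security address" arrangement Alex argues for: a fixed, randomly assigned identifier bound to a host's long-term key at enrollment, with the host's IP address recorded separately so it can change under DHCP, NAT or mobility without affecting authentication. It is a toy Python model; an HMAC over a fresh nonce stands in for the RSA/AES proof the mail mentions, the `Registry` class and its methods are invented for the example, and every identifier, key and address in it is constructed sample data.

```python
"""Toy model of a fixed, key-backed host identifier looked up independently
of the host's current IP address.  Added example; not code from the thread.
HMAC-SHA256 stands in for the RSA/AES proof; all data below is constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class Registry:
    """The 'secure database': host_id -> long-term key, host_id -> current IP.
    The key binding is stable between enrollment and revocation; the address
    binding is expected to churn."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.addrs: Dict[str, str] = {}

    def enroll(self, key: bytes, host_id: Optional[str] = None) -> str:
        # A random 128-bit identifier is the stable handle, not the IP.
        host_id = host_id or secrets.token_hex(16)
        if host_id in self.keys:
            raise ValueError("identifier already assigned")
        self.keys[host_id] = key
        return host_id

    def revoke(self, host_id: str) -> None:
        self.keys.pop(host_id, None)
        self.addrs.pop(host_id, None)

    def update_address(self, host_id: str, ip: str) -> None:
        # Only an enrolled host may publish an address; the mapping is ephemeral.
        if host_id not in self.keys:
            raise KeyError("unknown host identifier")
        self.addrs[host_id] = ip

    def lookup_address(self, host_id: str) -> Optional[str]:
        """The on-demand mapping from security address into IP space."""
        return self.addrs.get(host_id)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Host side: prove possession of the key bound to its identifier."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def authenticate(reg: Registry, host_id: str, nonce: bytes, tag: bytes) -> bool:
    """Verifier side: fetch the key by host_id and check the proof.
    No IP address enters this check, so address changes cannot break it;
    only enrollment and revocation affect the outcome."""
    key = reg.keys.get(host_id)
    if key is None:
        return False
    return hmac.compare_digest(respond(key, nonce), tag)


def demo() -> Dict[str, object]:
    """Walk one host through an address change, a squatter, a replay and revocation."""
    reg = Registry()
    key_a = secrets.token_bytes(32)          # constructed long-term key for host A
    a = reg.enroll(key_a)
    out: Dict[str, object] = {}

    reg.update_address(a, "10.0.0.5")        # constructed: private address behind a NAT
    nonce = secrets.token_bytes(16)
    out["auth_at_first_ip"] = authenticate(reg, a, nonce, respond(key_a, nonce))

    reg.update_address(a, "192.168.1.7")     # constructed: host moved, new DHCP lease
    out["address_after_move"] = reg.lookup_address(a)
    nonce = secrets.token_bytes(16)
    out["auth_after_move"] = authenticate(reg, a, nonce, respond(key_a, nonce))

    # Someone who inherited A's old IP but lacks A's key cannot claim A's identifier.
    squatter_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    out["squatter_rejected"] = not authenticate(reg, a, nonce, respond(squatter_key, nonce))

    # A captured proof does not verify against a fresh challenge.
    nonce1, nonce2 = secrets.token_bytes(16), secrets.token_bytes(16)
    out["replay_rejected"] = not authenticate(reg, a, nonce2, respond(key_a, nonce1))

    # Unknown and revoked identifiers fail, and revocation drops the address mapping.
    out["unknown_rejected"] = not authenticate(reg, "0" * 32, nonce, respond(key_a, nonce))
    reg.revoke(a)
    out["revoked_rejected"] = not authenticate(reg, a, nonce, respond(key_a, nonce))
    out["address_after_revoke"] = reg.lookup_address(a)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the separation of the two tables: the verifier never consults `addrs`, so the host's address is free to change, while the identifier stays valid exactly for the interval between `enroll` and `revoke` that the mail describes.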