[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Public Keys to initiate IPsec.

To: "Stephen Kent" <kent@bbn.com>
Subject: RE: Public Keys to initiate IPsec.
From: "Eric Nielsen" <Eric.Nielsen@sylantro.com>
Date: Mon, 3 Jun 2002 18:37:06 -0700
cc: "'ipsec@lists.tislabs.com '" <ipsec@lists.tislabs.com>
Sender: owner-ipsec@lists.tislabs.com

Steve,

We build a call control application using MGCP.
IPsec is the standard for securing MGCP in RFC 2705.
The RFC says nothing about what that really means.

Our call control agent receives only MGCP on specific
UDP ports. Each MGCP endpoint has a name, similar to
a SIP URI. The name is the key to all actions that
are invoked, what keys are used, etc.

The endpoint name is in the header of MGCP message,
but I need to relate it to the secure communications.
I cannot allow one trusted endpoint to spoof another,
and I cannot control IP addresses for endpoint devices.

And of course, if the power goes out, I need to provide
service to huge numbers of endpoints without spending
all of the server's resources re-setting up security 
associations.

Encryption is not necessary. It looks like transport 
mode AH with aggressive mode IKE is the direction I am 
heading. I am now trying to connect the ISAKMP id_key_id 
parameter to my application settings. Somehow get the
endpointname == id_key_id, use that to look up the key.

In the end, this is a multi-vendor effort, so I must stay
within accepted standards yet meet some high performance
and simple administration requirements.

Eric




-----Original Message-----
From: Stephen Kent [mailto:kent@bbn.com]
Sent: Monday, June 03, 2002 3:59 PM
To: Eric Nielsen
Cc: 'ipsec@lists.tislabs.com '
Subject: RE: Public Keys to initiate IPsec.


Eric,

It sounds like you want to assign some name to an app that will be 
meaningful to folks trying to reach a set of apps, and which can be 
configured into the SPDs to the clients trying to reach the apps. 
Presumably this is for IPsec implementations in end systems, not 
gateways. Is there some way for a client to assert which app it is 
trying to contact, or is the client restructed to contacting only 
those apps that are listed in its SPD? Absent one or the other of 
these measures it seems unlikely that IPsec can control access (from 
the client perspective) in a meaningful way. You've explained some 
things about mechanisms constraints, but I'm not sure I understand 
the security goals of using Ipsec here, which makes it hard to figure 
out what solutions might be applicable.


Steve

Follow-Ups:
- Re: Public Keys to initiate IPsec.
  - From: Tero Kivinen <kivinen@ssh.fi>
- RE: Public Keys to initiate IPsec.
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: RE: Specification of tunnel/transport attribute in IKEv2
Next by Date: Re: addresses and IKEv2
Prev by thread: RE: Public Keys to initiate IPsec.
Next by thread: Re: Public Keys to initiate IPsec.
Index(es):
- Date
- Thread