
RE: Public Keys to initiate IPsec.



At 6:37 PM -0700 6/3/02, Eric Nielsen wrote:
>Steve,
>
>We build a call control application using MGCP.
>IPsec is the standard for securing MGCP in RFC 2705.
>The RFC says nothing about what that really means.
>
>Our call control agent receives only MGCP on specific
>UDP ports. Each MGCP endpoint has a name, similar to
>a SIP URI. The name is the key to all actions that
>are invoked, what keys are used, etc.

I suggest you put that name in a cert and use it to make access 
control decisions in the SPD. Presumably you can make it into a DN.

>The endpoint name is in the header of MGCP message,
>but I need to relate it to the secure communications.
>I cannot allow one trusted endpoint to spoof another,
>and I cannot control IP addresses for endpoint devices.

This sounds like a problem with using IPsec. After establishing an SA, 
we check inbound traffic on the SA (from the peer) to make sure it is 
consistent with the parameters for the SA. We can check only the 5 
fields that are defined as traffic selectors. So, you could be 
spoofed by a peer who authenticates as one MGCP endpoint ID, then 
sends a message with a different MGCP name in the MGCP message. This 
is outside the realm of what IPsec can do for you. You would have to 
remember the MGCP name from the SA establishment for later 
application layer checking, and there is no standard interface that 
passes that info to your application.

>And of course, if the power goes out, I need to provide
>service to huge numbers of endpoints without spending
>all of the server's resources re-setting up security
>associations.

Whose power goes out? If your SAs lose state at your end, you have no 
option but to reestablish the SAs, and that takes time. Perhaps a UPS 
is a good investment here :-).

>Encryption is not necessary. It looks like transport
>mode AH with aggressive mode IKE is the direction I am
>heading. I am now trying to connect the ISAKMP id_key_id
>parameter to my application settings. Somehow get the
>endpointname == id_key_id, use that to look up the key.

Frankly, we're trying to get rid of AH in general, and certainly for 
this sort of use. ESP in integrity only mode will provide better 
performance and the same set of security services.

>In the end, this is a multi-vendor effort, so I must stay
>within accepted standards yet meet some high performance
>and simple administration requirements.
>

The hardest part probably is the issuing of certs to your peers, and 
I don't know enough about the context to be able to say how easy or 
hard that is. In general you can bootstrap cert issuance over any 
initial authentication mechanism you deem suitable for your 
application context.

Steve
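The gap Steve describes, as an added illustration that is not code from this thread or from any IPsec or MGCP implementation: the inbound check IPsec performs covers only the SA and its five traffic-selector fields, so a peer that authenticated as one endpoint can still send a message naming another. The application has to remember the identity authenticated at SA establishment (here a cert CN, as Steve suggests) and compare it with the endpoint name in the MGCP command line. The data structures, the SPI, addresses, DN and MGCP message below are all constructed for the example; the wildcard selector stands in for an SPD range, since the original poster cannot pin endpoint IP addresses.

```python
# Added example, not from the thread: the IPsec selector check next to the
# application-layer binding it cannot do.  Names, SPI, addresses and the
# MGCP message are constructed; the SA and packet records are hypothetical.
from dataclasses import dataclass
from typing import Dict, Optional

ANY = "*"  # stands in for an SPD wildcard / address or port range


@dataclass(frozen=True)
class Selector:
    """The five traffic-selector fields an IPsec SA is checked against."""
    src: str
    dst: str
    proto: str
    sport: object  # int or ANY
    dport: object  # int or ANY


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    peer_dn: str          # subject DN authenticated during IKE (constructed)
    selector: Selector


@dataclass(frozen=True)
class Packet:
    spi: int
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes


def _field_matches(sel_value, value) -> bool:
    return sel_value == ANY or sel_value == value


def ipsec_inbound_check(sa: SecurityAssociation, pkt: Packet) -> bool:
    """What IPsec itself verifies: the packet arrived on this SA (already
    integrity-checked by ESP/AH) and its addresses, protocol and ports fall
    inside the SA's selectors.  Nothing above layer 4 is examined."""
    s = sa.selector
    return (pkt.spi == sa.spi
            and _field_matches(s.src, pkt.src)
            and _field_matches(s.dst, pkt.dst)
            and _field_matches(s.proto, pkt.proto)
            and _field_matches(s.sport, pkt.sport)
            and _field_matches(s.dport, pkt.dport))


def cn_of(dn: str) -> Optional[str]:
    """CN attribute of a comma-separated DN string (constructed convention)."""
    for rdn in dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        if attr.upper() == "CN":
            return val
    return None


def mgcp_endpoint(payload: bytes) -> Optional[str]:
    """Endpoint name from an MGCP command line: verb txid endpoint MGCP 1.0"""
    try:
        first_line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = first_line.split()
    if len(parts) < 5 or parts[3] != "MGCP":
        return None
    return parts[2]


def application_check(sa: SecurityAssociation, pkt: Packet) -> bool:
    """The binding IPsec cannot do: the endpoint named in the MGCP header must
    equal the identity authenticated when this SA was set up (here the cert CN).
    MGCP endpoint names are case-insensitive, so compare case-folded."""
    ep = mgcp_endpoint(pkt.payload)
    cn = cn_of(sa.peer_dn)
    return ep is not None and cn is not None and ep.lower() == cn.lower()


def accept(sa_table: Dict[int, SecurityAssociation], pkt: Packet) -> str:
    sa = sa_table.get(pkt.spi)
    if sa is None:
        return "drop: no SA"
    if not ipsec_inbound_check(sa, pkt):
        return "drop: selector mismatch"
    if not application_check(sa, pkt):
        return "drop: endpoint name does not match SA identity"
    return "accept"


# Constructed sample: one gateway endpoint authenticated by cert, call agent on UDP 2427.
SA_TABLE = {
    0x1001: SecurityAssociation(
        spi=0x1001,
        peer_dn="CN=aaln/1@rgw-2567.example.net,O=Example Telco",
        selector=Selector(src=ANY, dst="10.0.0.1", proto="udp", sport=ANY, dport=2427),
    )
}


def sample_packet(endpoint: str, dport: int = 2427) -> Packet:
    body = f"CRCX 1204 {endpoint} MGCP 1.0\r\nC: A3C47F21456789F0\r\nM: sendrecv\r\n\r\n"
    return Packet(spi=0x1001, src="192.0.2.77", dst="10.0.0.1", proto="udp",
                  sport=2427, dport=dport, payload=body.encode())


if __name__ == "__main__":
    print(accept(SA_TABLE, sample_packet("aaln/1@rgw-2567.example.net")))
    print(accept(SA_TABLE, sample_packet("aaln/2@rgw-9999.example.net")))  # passes IPsec, fails app check
    print(accept(SA_TABLE, sample_packet("aaln/1@rgw-2567.example.net", dport=5060)))
```

The second sample message is the spoof case from the reply: it passes `ipsec_inbound_check` because every selector field matches, and is rejected only by `application_check`. In a real deployment the `peer_dn` would have to be handed from the IKE daemon to the call agent per SA, which is exactly the interface Steve notes has no standard form.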