Re: Confirm decision on identity handling.

Eric Rescorla writes:
 > Michael Thomas <mat@cisco.com> writes:
 > > Eric Rescorla writes:
 > >  > Huh? The user asks you to initiate a TCP connection to
 > >  > 1.2.3.4. How else do you propose to ensure that you've
 > >  > done that other than by checking the certificate at
 > >  > SA establishment time?
 > > 
 > > You didn't answer my question.
 > Obviously I didn't understand it, then. Try rephrasing it.
 > 
 > > And I hardly know
 > > where to start on the identity/routing tag
 > > conflation you seem to be making. There isn't a
 > > binding in IPsec between TCP connection -- or any
 > > sort of transport connection -- and the SA
 > > establishment, so your question is a non-sequitur.
 > I'm afraid it's not. One of the major arguments in favor of
 > IPsec is that it allows security-oblivious applications to
 > be secured by enhancing the kernel. The only information
 > that the kernel has about the desired peer endpoint when
 > an application tries to transmit data is the IP address.
 > Therefore it's the only information on which the decision
 > can be made.

I think that what you're confusing here is the
identity used to establish an SA and the general
filtering mechanism that IPsec provides. It may
be perfectly reasonable to have a policy which
states:

"For all transport mode connections, the filters
 should discard any source IP addresses != the IP
 address used in the IKE session."

Or something like this. Note that this doesn't
have anything to do with the *IKE* identity, it's
completely a property of the SA and its filters
that were derived from the policy which matched
for the mode and identity. It does, however,
enforce the property that you desired above,
especially when combined with the fact that you
need several round trips which establish that that
entity is, in fact, reachable at the outgoing
address.

 > > IP addresses can be used as identities, but so can
 > > RFC 822 addresses, etc. And IP addresses have huge
 > > downsides, especially for mobility, unlike RFC 822
 > > addresses.
 > RFC822 addresses have the disadvantage that the kernel
 > doesn't know anything about them when you're trying to
 > transmit packets.

Again, you seem to be conflating the IKE session
identity and the packet filtering mechanism of
IPsec. 

 > > Any desire to use IP addresses as
 > > identities should be considered harmful.
 > That's just, like, your opinion, man.

Well, mine and a lot of other people's I'd say.

	   Mike
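The split Mike draws above, between the identity authenticated in the IKE session and the per-SA filter that is derived from policy at SA establishment time, can be made concrete with a small model. The following is an added example written for this archive page; it is not code from Michael Thomas, Eric Rescorla, or any IPsec implementation, and it deliberately simplifies the real SPD/SAD selector processing. The class names, the `expected_src` filter field, and the sample addresses (documentation ranges) and e-mail identity are all constructed for the illustration.

```python
"""Toy model of an IPsec endpoint that separates the IKE identity used to
negotiate an SA from the traffic filter attached to that SA.

Constructed example for the mailing-list discussion; not real IPsec code.
The policy modelled is the one quoted in the thread: for transport mode,
inbound packets on an SA must carry the source address the IKE session
was run with, regardless of what kind of identity (e.g. an RFC 822
address) was authenticated."""

from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class IkeIdentity:
    """Peer identity proven during IKE: an RFC 822 address, an IP, etc."""
    kind: str    # "rfc822" or "ipv4" (assumed labels)
    value: str


@dataclass
class SecurityAssociation:
    """A transport-mode SA keyed by SPI. It records which identity and which
    outer address it was negotiated with, and the filter the matching policy
    produced at establishment time."""
    spi: int
    peer_identity: IkeIdentity
    ike_peer_addr: str      # address the IKE exchange actually completed with
    expected_src: str       # filter: inbound packets must carry this source


@dataclass
class Packet:
    spi: int
    src: str
    dst: str
    payload: bytes


class IpsecEndpoint:
    def __init__(self, local_addr: str):
        self.local_addr = local_addr
        self.sad: dict[int, SecurityAssociation] = {}   # SPI -> SA
        self._next_spi = 0x1000

    def establish_sa(self, identity: IkeIdentity, ike_peer_addr: str) -> SecurityAssociation:
        """Policy from the thread: pin the SA's source filter to the address
        used in the IKE session. The identity may be an e-mail address; the
        filter is still an IP address. Both are properties of the SA."""
        sa = SecurityAssociation(
            spi=self._next_spi,
            peer_identity=identity,
            ike_peer_addr=ike_peer_addr,
            expected_src=ike_peer_addr,
        )
        self._next_spi += 1
        self.sad[sa.spi] = sa
        return sa

    def inbound(self, pkt: Packet) -> tuple[bool, str]:
        """Inbound processing: find the SA by SPI, then apply its filter.
        The accept/discard decision never looks at the identity string."""
        sa = self.sad.get(pkt.spi)
        if sa is None:
            return False, "no SA for SPI"
        if ip_address(pkt.src) != ip_address(sa.expected_src):
            return False, f"source {pkt.src} != IKE peer {sa.expected_src}"
        if ip_address(pkt.dst) != ip_address(self.local_addr):
            return False, "destination is not this endpoint"
        return True, "accepted"

    def identity_for_spi(self, spi: int) -> Optional[IkeIdentity]:
        return self.sad[spi].peer_identity if spi in self.sad else None


def demo() -> dict:
    """Mobility case: one RFC 822 identity, two successive peer addresses."""
    ep = IpsecEndpoint("192.0.2.10")                      # constructed
    alice = IkeIdentity("rfc822", "alice@example.net")    # constructed

    sa1 = ep.establish_sa(alice, "198.51.100.5")
    ok_same, _ = ep.inbound(Packet(sa1.spi, "198.51.100.5", "192.0.2.10", b"hi"))
    # Traffic from a different source on the old SA is dropped by the filter.
    ok_moved, why = ep.inbound(Packet(sa1.spi, "203.0.113.7", "192.0.2.10", b"hi"))

    # The peer moves: a fresh IKE session from the new address yields a new
    # SA with a new filter, while the authenticated identity is unchanged.
    sa2 = ep.establish_sa(alice, "203.0.113.7")
    ok_new, _ = ep.inbound(Packet(sa2.spi, "203.0.113.7", "192.0.2.10", b"hi"))

    return {
        "same_addr_accepted": ok_same,
        "moved_addr_on_old_sa": ok_moved,
        "reason": why,
        "new_sa_accepted": ok_new,
        "identity_unchanged": ep.identity_for_spi(sa1.spi) == ep.identity_for_spi(sa2.spi),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running `demo()` shows the point of the thread: the packet from the old address is accepted, the packet from the new address on the old SA is discarded by the SA's filter (not by any identity check), and after a new IKE session from the new address the same `alice@example.net` identity is bound to a new SA with a new filter. The kernel's per-packet decision is made entirely on SA state derived from policy; the IKE identity type is free to be something other than an IP address.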