
Re: Confirm decision on identity handling.



Michael Thomas <mat@cisco.com> writes:
> Eric Rescorla writes:
> I think that what you're confusing here is the
> identity used to establish an SA and the general
> filtering mechanism that IPsec provides. It may
> be perfectly reasonable to have a policy which
> states:
> 
> "For all transport mode connections, the filters
>  should discard any source IP addresses != the IP
>  address used in the IKE session."
>
> Or something like this. Note that this doesn't
> have anything to do with the *IKE* identity, it's
> completely a property of the SA and its filters
> that were derived from the policy which matched
> for the mode and identity. It does, however,
> enforce the property that you desired above,
> especially when combined with the fact that you
> need several round trips which establish that that
> entity is, in fact, reachable at the outgoing
> address.
You must be joking.

What, you've never heard of active attacks? IP spoofing?

Much of the purpose of the exercise is to protect ourselves
from people who can arbitrarily manipulate the IP packet
delivery service.

>  > > IP addresses can be used as identities, but so can
>  > > RFC 822 addresses, etc. And IP addresses have huge
>  > > downsides, especially for mobility, unlike RFC 822
>  > > addresses.
>  > RFC822 addresses have the disadvantage that the kernel
>  > doesn't know anything about them when you're trying to
>  > transmit packets.
> 
> Again, you seem to be conflating the IKE session
> identity and the packet filtering mechanism of
> IPsec. 
It's not that I'm conflating them but rather that they're
bound by the logic of the desired security service. 

>  > > Any desire to use IP addresses as
>  > > identities should be considered harmful.
>  > That's just, like, your opinion, man.
> 
> Well, mine and a lot of other people's I'd say.
That's fine, but you haven't convinced me and it doesn't really
follow from anything you've said.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
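The disagreement above is about what a source-address filter on a transport-mode SA actually buys you. The following is an added illustration, not code from either poster or from any IPsec implementation: a toy model of inbound processing in which an SA carries the peer address the IKE exchange ran with plus an IKE-derived integrity key. The names (`InboundSA`, `Packet`, `inbound_decision`), the truncated HMAC-SHA256 standing in for an ESP/AH ICV, and all addresses, keys and payloads are constructed for the example. It shows that the quoted address filter admits a spoofed-source packet on its own (only the integrity check stops it), and that the same filter drops a correctly keyed peer that has moved address, which is the mobility downside raised in the thread.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundSA:
    """Constructed transport-mode SA as IKE would have installed it (assumed shape)."""
    spi: int
    peer_addr: str          # address the IKE exchange ran with
    integ_key: bytes        # integrity key derived by IKE


@dataclass(frozen=True)
class Packet:
    src_addr: str
    spi: int
    payload: bytes
    icv: bytes              # integrity check value carried in the packet


def compute_icv(key: bytes, spi: int, payload: bytes) -> bytes:
    """Truncated HMAC-SHA256 over SPI and payload; toy stand-in for an ESP/AH ICV."""
    msg = spi.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:12]


def address_filter_accepts(sa: InboundSA, pkt: Packet) -> bool:
    """The policy quoted in the thread: drop anything whose source != IKE peer address."""
    return pkt.src_addr == sa.peer_addr


def icv_accepts(sa: InboundSA, pkt: Packet) -> bool:
    """The check that actually binds a packet to the IKE-authenticated peer."""
    expected = compute_icv(sa.integ_key, sa.spi, pkt.payload)
    return hmac.compare_digest(expected, pkt.icv)


def inbound_decision(sa: InboundSA, pkt: Packet) -> str:
    """Order of checks a receiver would apply: SA lookup, selectors, then integrity."""
    if pkt.spi != sa.spi:
        return "drop: no SA"
    if not address_filter_accepts(sa, pkt):
        return "drop: selector mismatch"
    if not icv_accepts(sa, pkt):
        return "drop: integrity failure"
    return "accept"


# Constructed sample data (addresses from documentation ranges, key is a placeholder).
SA = InboundSA(spi=0x1001, peer_addr="192.0.2.10", integ_key=b"constructed-ike-derived-key")


def make_packet(src: str, payload: bytes, key: bytes = SA.integ_key) -> Packet:
    """Build a packet carrying a valid ICV under the given key."""
    return Packet(src_addr=src, spi=SA.spi, payload=payload,
                  icv=compute_icv(key, SA.spi, payload))


# Genuine peer at the address IKE saw.
LEGIT = make_packet("192.0.2.10", b"hello")
# Spoofed-source packet from a party that does not hold the key: right address, bogus ICV.
SPOOFED = Packet(src_addr="192.0.2.10", spi=SA.spi, payload=b"hello", icv=bytes(12))
# Genuine peer (holds the key) that has moved to a new address: the mobility case.
MOVED = make_packet("198.51.100.7", b"hello")


if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("spoofed", SPOOFED), ("moved", MOVED)):
        print(f"{name:8s} addr-filter={address_filter_accepts(SA, pkt)!s:5s} "
              f"icv={icv_accepts(SA, pkt)!s:5s} -> {inbound_decision(SA, pkt)}")
```

Read the two middle columns against each other: the address filter says yes to the spoofed packet and no to the moved peer, while the integrity check gives the opposite answers in both cases. Whatever policy is attached to the SA, the source address contributes nothing an attacker who controls packet delivery cannot supply; the binding to the IKE identity comes from the key.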