
Re: Confirm decision on identity handling.



Michael Thomas <mat@cisco.com> writes:

> Eric Rescorla writes:
>  > Michael Thomas <mat@cisco.com> writes:
>  > > Or something like this. Note that this doesn't
>  > > have anything to do with the *IKE* identity, it's
>  > > completely a property of the SA and its filters
>  > > that were derived from the policy which matched
>  > > for the mode and identity. It does, however,
>  > > enforce the property that you desired above,
>  > > especially when combined with the fact that you
>  > > need several round trips which establish that that
>  > > entity is, in fact, reachable at the outgoing
>  > > address.
>  > You must be joking.
>  > 
>  > What, you've never heard of active attacks? IP spoofing?
> 
> Yeah, yeah, and the application starting the TCP
> connection got that IP address from DNS which
> isn't secure either.
What, you've never heard of DNSSEC?

>  > Much of the purpose of the exercise is to protect ourselves
>  > from people who can arbitrarily manipulate the IP packet
>  > delivery service.
> 
> IPsec is an authenticated ACL traversal mechanism
> not a miracle worker. It raises the bar
> substantially, but there's a security/convenience
> tradeoff that needs to be allowed. Tying
> identities to routing tags has a substantial
> number of drawbacks and leads us down some rather
> unfortunate paths taken to its logical ends. Like,
> oh say, ICANN doling out IP address ownership
> certificates. Ick. We also need to account for
> deployability and unintended consequences.
Strangely enough, this has worked just fine for TLS.


-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
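The "authenticated ACL traversal" point argued in the quoted text above, as an added worked model that is not part of this message, of any reply in the thread, or of any real IPsec implementation. It is a deliberately simplified version of SPD/SAD inbound processing: an SA is installed only when the authenticated peer identity matches a PROTECT policy, the SA's traffic filter is copied from that policy rather than trusted from the peer, and a cleartext packet is never accepted on the strength of its source address alone. All identities, addresses, SPI values and class names (Selector, Policy, SecurityAssociation, Gateway) are constructed for the example.

```python
"""Constructed model of IPsec inbound processing: SA filters derived from an
identity-keyed policy act as an authenticated ACL (hypothetical names/values)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Selector:
    """Traffic selector: who may send, over which protocol, to which port."""
    remote_net: str
    proto: str
    dport: int

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.remote_net)
                and pkt["proto"] == self.proto
                and pkt["dport"] == self.dport)


@dataclass(frozen=True)
class Policy:
    """SPD entry: the action applies only to an SA negotiated by peer_identity."""
    peer_identity: str
    selector: Selector
    action: str  # "PROTECT" (IPsec required) or "BYPASS" (cleartext allowed)


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    peer_identity: str
    selector: Selector  # copied from the matching policy, not from the peer


class Gateway:
    def __init__(self, spd: List[Policy]) -> None:
        self.spd = spd
        self.sad: Dict[int, SecurityAssociation] = {}

    def negotiate_sa(self, spi: int, authenticated_identity: str,
                     proposed: Selector) -> Optional[SecurityAssociation]:
        """Install an SA only if a PROTECT policy names this identity and
        covers exactly the proposed selector; the SA's filter comes from policy."""
        for pol in self.spd:
            if (pol.action == "PROTECT"
                    and pol.peer_identity == authenticated_identity
                    and pol.selector == proposed):
                sa = SecurityAssociation(spi, authenticated_identity, pol.selector)
                self.sad[spi] = sa
                return sa
        return None

    def inbound(self, pkt: dict) -> str:
        """Classify one inbound packet: 'ACCEPT' or 'DROP:<reason>'."""
        spi = pkt.get("spi")
        if spi is not None:
            sa = self.sad.get(spi)
            if sa is None:
                return "DROP:unknown-spi"
            # Traffic decapsulated from an SA must fit that SA's filter, so a
            # peer cannot emit packets beyond the addresses/ports its policy grants.
            if not sa.selector.matches(pkt):
                return "DROP:selector-mismatch"
            return "ACCEPT"
        # Cleartext packet: the source address alone proves nothing (it can be
        # spoofed), so only an explicit BYPASS policy lets it through.
        for pol in self.spd:
            if pol.selector.matches(pkt):
                return "ACCEPT" if pol.action == "BYPASS" else "DROP:protection-required"
        return "DROP:no-policy"


def demo() -> dict:
    """Run the scenarios discussed in the thread over constructed packets."""
    ssh_from_alice = Selector("192.0.2.10/32", "tcp", 22)
    gw = Gateway([
        Policy("alice@example.com", ssh_from_alice, "PROTECT"),
        Policy("anyone", Selector("0.0.0.0/0", "udp", 53), "BYPASS"),
    ])
    good = gw.negotiate_sa(0x1001, "alice@example.com", ssh_from_alice)
    # A different authenticated identity cannot claim alice's filter.
    bad = gw.negotiate_sa(0x1002, "mallory@example.net", ssh_from_alice)
    return {
        "sa_for_alice": good is not None,
        "sa_for_mallory": bad is not None,
        # Protected packet inside the SA's filter.
        "protected_ok": gw.inbound({"spi": 0x1001, "src": "192.0.2.10", "proto": "tcp", "dport": 22}),
        # Protected packet whose inner source lies outside the SA's filter.
        "protected_out_of_filter": gw.inbound({"spi": 0x1001, "src": "198.51.100.7", "proto": "tcp", "dport": 22}),
        # Cleartext packet spoofing alice's address: policy requires IPsec.
        "spoofed_cleartext": gw.inbound({"src": "192.0.2.10", "proto": "tcp", "dport": 22}),
        # Cleartext DNS is explicitly bypassed by policy.
        "cleartext_dns": gw.inbound({"src": "203.0.113.5", "proto": "udp", "dport": 53}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model separates the two things the thread runs together: the IKE identity decides which policy (and hence which filter) an SA may carry, while the filter itself is what gates each decapsulated packet. A spoofed source address buys nothing in either path, because cleartext is judged by policy rather than by address, and protected traffic is judged by the filter bound to the authenticated SA.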