defining networks/prefix and host wildcards, and IPsec.
-----BEGIN PGP SIGNED MESSAGE-----
Markku, you mentioned in another message that you had problems
defining certs which allowed a given network+prefix, etc. to login for
SSH login certs.
Can you say more about what you did try?
Do we use the (* range) form? Here is my attempt.
For networks and prefixes, we could say things like:
(subject (name IANA IStar Achilles Sandelman))
{is IANA or Internic officially the owner for all IP addresses?}
which would work fine given certs which said something like:
(cert (issuer (hash IANA's key))
      (subject (hash IStar's key))
      (tag (name IStar)))
... (this is how one defines SDSI names, right?)
and some certs like:
(cert (issuer (name IANA))
      (subject (name IANA IStar))
      (tag (route (* range "binary" #CDE93000#[ipv4] #CDE93FFF#[ipv4]))))
[IStar owns 205.233.48.0/20]
(cert (issuer (name IANA IStar))
      (subject (name IANA IStar Achilles))
      (tag (route (* range "binary" #CDE93600#[ipv4] #CDE936FF#[ipv4]))))
[Achilles owns 205.233.54.0/24]
(cert (issuer (name IANA IStar Achilles))
      (subject (name IANA IStar Achilles Sandelman))
      (tag (route (* range "binary" #CDE93680#[ipv4] #CDE936BF#[ipv4]))))
[I own 205.233.54.128/26]
Now, how do I do something like the TX/KX record that is being
proposed by several in the IPsec WG? The above establishes the
authority that I'd have to make such a statement. TX record says that
network X can be reached by doing a secure session with some IP Y.
(cert (issuer (name IANA IStar Achilles Sandelman))
      (subject (hash of gateway ISAKMP signing key))
      (tag (route (* range "binary" #CDE93600#[ipv4] #CDE936FF#[ipv4]))))
(cert (issuer (hash of gateway ISAKMP signing key))
      (subject (keyholder (hash of gateway ISAKMP signing key)))
      (tag (* set (network-address #CDE936A1#[ipv4])
                  (network-address #CDE93681#[ipv4])
                  (network-address #CDE93691#[ipv4]))))
[my IPsec gateway's online signing key is authoritative to negotiate
sessions for 205.233.54.128/26. It has three IP addresses,
205.233.54.129, 205.233.54.161, 205.233.54.145.]
Comments?
More comments on the drafts in the next message.
] 10s to Tokyo, 15m to the Cottage? What if I'm already there? | one quark [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | two quark [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQB1AwUBM/YvP8mxxiPyUBAxAQFh/gL/QH8p7XvYE1QUIGPwp4Zd30M4/cxUr1bx
f4niTg82w9GQ10cJMroow80H9tHtkmQNNNI8NfGVXWy7N26fg9Qmjo88SgPw4YVl
YDiGows289dNZyOzEF0Eqy06hTXvtVQI
=jjUP
-----END PGP SIGNATURE-----
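The message proposes a chain of route-range certs (IANA to IStar to Achilles to Sandelman to the gateway key) without showing how a verifier would reduce it. The following is an added example, not code from the message or from any SPKI implementation: it decodes the #hex#[ipv4] byte-strings, parses the (* range "binary" lo hi) tags, and walks the chain intersecting each cert's range with the authority accumulated so far, which is the tag part of SPKI 5-tuple reduction. It shows why the final intersected range, not the last cert's own tag, is what the gateway actually holds: the gateway cert as written carries the /24 range, but the Sandelman name only holds the /26, so reduction yields the /26 that the bracketed note describes. It also checks the gateway's (* set ...) of network-addresses against that reduced range. Simplifications that are my assumptions: issuer/subject names and key hashes are compared as plain strings rather than resolved through SDSI name certs, only the route-range tag form is handled, and the gateway key hash is a placeholder string because the message does not give it.

```python
"""Tag-side 5-tuple reduction for the route-range cert chain above (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# An SPKI hex byte-string with optional display hint, e.g. #CDE93000#[ipv4]
HEX_IPV4 = re.compile(r"#([0-9A-Fa-f]{8})#(?:\[ipv4\])?")
RANGE_TAG = re.compile(r'\(\*\s+range\s+"binary"\s+(#[0-9A-Fa-f]{8}#(?:\[ipv4\])?)'
                       r'\s+(#[0-9A-Fa-f]{8}#(?:\[ipv4\])?)\s*\)')
NET_ADDR = re.compile(r"\(network-address\s+(#[0-9A-Fa-f]{8}#(?:\[ipv4\])?)\s*\)")


def ipv4_from_spki_hex(token: str) -> ipaddress.IPv4Address:
    """Decode '#CDE93000#[ipv4]' into 205.233.48.0."""
    m = HEX_IPV4.fullmatch(token.strip())
    if m is None:
        raise ValueError(f"not a 4-byte SPKI hex byte-string: {token!r}")
    return ipaddress.IPv4Address(int(m.group(1), 16))


@dataclass(frozen=True)
class RouteRange:
    lo: ipaddress.IPv4Address
    hi: ipaddress.IPv4Address

    @classmethod
    def from_tag(cls, tag: str) -> "RouteRange":
        m = RANGE_TAG.search(tag)
        if m is None:
            raise ValueError(f'no (* range "binary" lo hi) in tag: {tag!r}')
        lo, hi = ipv4_from_spki_hex(m.group(1)), ipv4_from_spki_hex(m.group(2))
        if lo > hi:
            raise ValueError("range lower bound is above its upper bound")
        return cls(lo, hi)

    def contains(self, other: "RouteRange") -> bool:
        return self.lo <= other.lo and other.hi <= self.hi

    def intersect(self, other: "RouteRange") -> Optional["RouteRange"]:
        lo, hi = max(self.lo, other.lo), min(self.hi, other.hi)
        return RouteRange(lo, hi) if lo <= hi else None

    def cidr(self) -> str:  # several blocks if the range is not prefix-aligned
        return ", ".join(str(n) for n in ipaddress.summarize_address_range(self.lo, self.hi))


@dataclass(frozen=True)
class Cert:
    issuer: str  # simplification: SDSI names and key hashes are plain strings here
    subject: str
    tag: str


def reduce_chain(certs: List[Cert]) -> Tuple[Optional[RouteRange], List[str]]:
    """Intersect each cert's range with the authority accumulated so far.
    Returns the final authority (None if nothing survives) plus the subjects whose
    cert claimed more than its issuer held; reduction shrinks those, it does not reject them."""
    authority: Optional[RouteRange] = None
    over_claimed: List[str] = []
    for i, cert in enumerate(certs):
        if i and cert.issuer != certs[i - 1].subject:
            raise ValueError(f"broken chain: {cert.subject!r} issued by {cert.issuer!r}")
        claimed = RouteRange.from_tag(cert.tag)
        if authority is None:
            authority = claimed
            continue
        if not authority.contains(claimed):
            over_claimed.append(cert.subject)
        authority = authority.intersect(claimed)
        if authority is None:
            break
    return authority, over_claimed


def addresses_within(set_tag: str, authority: RouteRange) -> Dict[str, bool]:
    """Check each (network-address ...) of a (* set ...) tag against the reduced range."""
    addrs = [ipv4_from_spki_hex(m.group(1)) for m in NET_ADDR.finditer(set_tag)]
    return {str(a): authority.lo <= a <= authority.hi for a in addrs}


def route(lo: str, hi: str) -> str:
    return f'(route (* range "binary" {lo} {hi}))'


# The route certs from the message as (issuer, subject, tag) triples; the
# gateway's key hash is a placeholder because the message does not give it.
CHAIN = [
    Cert("IANA", "IANA IStar", route("#CDE93000#[ipv4]", "#CDE93FFF#[ipv4]")),
    Cert("IANA IStar", "IANA IStar Achilles", route("#CDE93600#[ipv4]", "#CDE936FF#[ipv4]")),
    Cert("IANA IStar Achilles", "IANA IStar Achilles Sandelman",
         route("#CDE93680#[ipv4]", "#CDE936BF#[ipv4]")),
    Cert("IANA IStar Achilles Sandelman", "<gateway-key-hash>",
         route("#CDE93600#[ipv4]", "#CDE936FF#[ipv4]")),
]
GATEWAY_SET = ("(* set (network-address #CDE936A1#[ipv4]) (network-address #CDE93681#[ipv4])"
               " (network-address #CDE93691#[ipv4]))")

if __name__ == "__main__":
    final, over = reduce_chain(CHAIN)
    print(final.cidr(), over, addresses_within(GATEWAY_SET, final))
```

Run stand-alone it prints the reduced gateway authority (205.233.54.128/26), the list of certs that claimed beyond their issuer (only the gateway cert, whose /24 tag exceeds the /26 Sandelman holds), and a per-address verdict showing that all three gateway addresses fall inside the reduced block. A cert whose range lies wholly outside its issuer's authority intersects to nothing, and reduce_chain then returns None for the authority, which is the case a verifier must treat as "no permission" rather than as the cert's own claim.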