[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

defining networks/prefix and host wildcards, and IPsec.


  Markku, you mentioned in another message that you had problems
defining certs which allowed a given network+prefix, etc. to login for
SSH login certs.
  Can you say more about what you did try?

  Do we use the (* range) form? Here is my attempt.

  For networks and prefixes, we could say things like:
	(subject (name IANA IStar Achilles Sandelman))

  {is IANA or Internic officially the owner for all IP addresses?}

  which would work fine given certs which said something like:
	(cert (issuer  (hash IANA's key))
              (subject (hash IStar's key))
	      (tag (name IStar)))
	... (this is how one defines SDSI names, right?)

  and some certs like:
	(cert (issuer (name IANA))
	      (subject (name IANA IStar))
              (tag (route (* range "binary" #CDE93000#[ipv4] #CDE93FFF#[ipv4]))))
  [IStar owns]
	(cert (issuer (name IANA IStar))
	      (subject (name IANA IStar Achilles))
              (tag (route (* range "binary" #CDE93600#[ipv4] #CDE936FF#[ipv4]))))
  [Achilles owns]
	(cert (issuer (name IANA IStar Achilles))
	      (subject (name IANA IStar Achilles Sandelman))
              (tag (route (* range "binary" #CDE93680#[ipv4] #CDE936BF#[ipv4]))))
  [I own]

  Now, how do I do something like the TX/KX record that is being
proposed by several in the IPsec WG? The above establishes the
authority that I'd have to make such a statement. TX record says that
network X can be reached by doing a secure session with some IP Y.

	(cert (issuer (name IANA IStar Achilles Sandelman))
	      (subject (hash of gateway ISAKMP signing key))
              (tag (route (* range "binary" #CDE93600#[ipv4] #CDE936FF#[ipv4]))))

	(cert (issuer (hash of gateway ISAKMP signing key))
	      (subject (keyholder (hash of gateway ISAKMP signing key)))
	      (tag (* set (network-address #CDE936A1#[ipv4])
			  (network-address #CDE93681#[ipv4])	
			  (network-address #CDE93691#[ipv4]))))

  [my IPsec gateway's online signing key is authoritative to negotiate
sessions for It has three IP addresses,,,]


  More comments on the drafts in the next message.
]  10s to Tokyo, 15m to the Cottage? What if I'm already there? | one quark   [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    | two quark   [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface