[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

defining networks/prefix and host wildcards, and IPsec.

To: spki@c2.net
Subject: defining networks/prefix and host wildcards, and IPsec.
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Sat, 16 Aug 1997 18:52:53 -0400
Sender: owner-spki@c2.net

-----BEGIN PGP SIGNED MESSAGE-----


  Markku, you mentioned in another message that you had problems
defining certs which allowed a given network+prefix, etc. to login for
SSH login certs.
  Can you say more about what you did try?

  Do we use the (* range) form? Here is my attempt.

  For networks and prefixes, we could say things like:
	(subject (name IANA IStar Achilles Sandelman))

  {is IANA or Internic officially the owner for all IP addresses?}

  which would work fine given certs which said something like:
	(cert (issuer  (hash IANA's key))
              (subject (hash IStar's key))
	      (tag (name IStar)))
	... (this is how one defines SDSI names, right?)

  and some certs like:
	(cert (issuer (name IANA))
	      (subject (name IANA IStar))
              (tag (route (* range "binary" #CDE93000#[ipv4] #CDE93FFF#[ipv4]))))
  [IStar owns 205.233.48.0/20]
	(cert (issuer (name IANA IStar))
	      (subject (name IANA IStar Achilles))
              (tag (route (* range "binary" #CDE93600#[ipv4] #CDE936FF#[ipv4]))))
  [Achilles owns 205.233.54.0/24]
	(cert (issuer (name IANA IStar Achilles))
	      (subject (name IANA IStar Achilles Sandelman))
              (tag (route (* range "binary" #CDE93680#[ipv4] #CDE936BF#[ipv4]))))
  [I own 205.233.54.54.128/26]

  Now, how do I do something like the TX/KX record that is being
proposed by several in the IPsec WG? The above establishes the
authority that I'd have to make such a statement. TX record says that
network X can be reached by doing a secure session with some IP Y.

	(cert (issuer (name IANA IStar Achilles Sandelman))
	      (subject (hash of gateway ISAKMP signing key))
              (tag (route (* range "binary" #CDE93600#[ipv4] #CDE936FF#[ipv4]))))

	(cert (issuer (hash of gateway ISAKMP signing key))
	      (subject (keyholder (hash of gateway ISAKMP signing key)))
	      (tag (* set (network-address #CDE936A1#[ipv4])
			  (network-address #CDE93681#[ipv4])	
			  (network-address #CDE93691#[ipv4]))))

  [my IPsec gateway's online signing key is authoritative to negotiate
sessions for 205.233.54.128/26. It has three IP addresses,
205.233.54.129, 205.233.54.161, 205.233.54.145.]

  Comments?

  More comments on the drafts in the next message.
  
]  10s to Tokyo, 15m to the Cottage? What if I'm already there? | one quark   [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    | two quark   [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBM/YvP8mxxiPyUBAxAQFh/gL/QH8p7XvYE1QUIGPwp4Zd30M4/cxUr1bx
f4niTg82w9GQ10cJMroow80H9tHtkmQNNNI8NfGVXWy7N26fg9Qmjo88SgPw4YVl
YDiGows289dNZyOzEF0Eqy06hTXvtVQI
=jjUP
-----END PGP SIGNATURE-----

Follow-Ups:

Re: defining networks/prefix and host wildcards, and IPsec.

From: Carl Ellison <cme@cybercash.com>

Prev by Date: Re: IETF spki meeting minutes
Next by Date: comments on pre-Munich spki draft
Prev by thread: global uniqueness of auth fields
Next by thread: Re: defining networks/prefix and host wildcards, and IPsec.
Index(es):
- Main
- Thread