Subject: Re: IPSEC and user vs machine authentication
To: Bill Studenmund <wrstuden@NetBSD.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 08/17/2005 09:22:20
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Bill" == Bill Studenmund <wrstuden@NetBSD.org> writes:
Bill> I suggest you look at the channel binding work. It's not done
Bill> AFAIK, but it takes a slightly different approach. Rather than
Bill> look at the IPsec IDs, it just requires that both ends of an
Bill> application authentication are using the same end-to-end IPsec
Bill> negotiation; specifically they agree on a hash of the
Bill> data. Doesn't matter what the IDs are, or even if they are
Bill> expressible in terms of the application's ID space. It just
Bill> matters that they agree.
Bill> My gut instinct is that channel binding will be easier and
Bill> safer in the long run than say using IPsec IDs for application
Bill> level authentication.
Bill, since I was too quick on the last one (and I've now had another
swig of caffeine), let me continue:
There are a number of classes of application where you don't care who
the end-user is, as long as they are the same user as they were last
time.
You may even use other authentication mechanisms the first time to
match the ID (expressed in the form of a public key!) to the user. You
can do this inband of the protocol, in IKE (XAUTH for instance), or even
out-of-band (SMB's certificate enrollment process).
Channel binding then replaces the in-band authentication that the
process would normally do, to assure everyone that they are not being
MITMed.
- --
] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls [
] mcr @ xelerance.com Now doing IPsec training, see |net architect[
] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device driver[
] I'm a dad: http://www.sandelman.ca/lrmr/ [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQwM6CoqHRg3pndX9AQHBIQQAuFwp9Mfu2iytJvYIUaVJQA2jjMv5fvX9
N4mFmrg2HocbjeCTxasvXREoy9THdVAIXySvR/VKZpshFLg9G4+fbLOF1S4v0mE7
VeTGxX9QECMMo8IDmxFDxvhO0k5YyiAERQLNwQ6uXG/pxaVeNY9Ijlzl86GbDswU
OomE2m02YHM=
=1qGb
-----END PGP SIGNATURE-----
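Added example, not part of the thread or of any NetBSD or Xelerance code: a Python sketch of the channel-binding idea Bill describes and Michael's MITM point. Each end hashes the IPsec negotiation data it observed, the application-level authenticator is keyed over that hash, and the server accepts only if its own hash agrees. The transcript strings, application secret and user identity are constructed placeholders; the transcript format is invented for illustration and is not IKE's.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): an application-level
# shared secret and the application's own notion of the user's identity.
APP_SECRET = b"constructed-app-secret"
USER_ID = b"alice@example.test"


def channel_binding_token(sa_transcript: bytes) -> bytes:
    """Hash of the IPsec negotiation data as seen by one endpoint.

    The application never interprets the IPsec IDs inside the transcript;
    it only needs both ends to arrive at the same hash.
    """
    return hashlib.sha256(b"ipsec-channel-binding-v1:" + sa_transcript).digest()


def app_auth_tag(secret: bytes, user_id: bytes, cb_token: bytes) -> bytes:
    """Application-level authenticator bound to the channel token."""
    return hmac.new(secret, user_id + b"\x00" + cb_token, hashlib.sha256).digest()


def server_verify(secret: bytes, user_id: bytes, tag: bytes,
                  server_cb_token: bytes) -> bool:
    """Server recomputes the tag with the token from ITS view of the SA."""
    expected = app_auth_tag(secret, user_id, server_cb_token)
    return hmac.compare_digest(expected, tag)


def direct_session() -> bool:
    """Both peers saw one negotiation; the IPsec IDs are unrelated to USER_ID
    and that does not matter, only agreement on the hash does."""
    transcript = b"SPIi=0011|SPIr=2233|IDi=CN=gw-a|IDr=CN=gw-b|Ni=aa|Nr=bb"
    token = channel_binding_token(transcript)
    tag = app_auth_tag(APP_SECRET, USER_ID, token)
    return server_verify(APP_SECRET, USER_ID, tag, token)


def relayed_session() -> bool:
    """A relay terminating IPsec twice yields two different negotiations.
    Forwarding the client's tag unchanged fails at the server, which is how
    channel binding exposes a man-in-the-middle."""
    client_transcript = b"SPIi=0011|SPIr=9999|IDi=CN=gw-a|IDr=CN=relay|Ni=aa|Nr=cc"
    server_transcript = b"SPIi=8888|SPIr=2233|IDi=CN=relay|IDr=CN=gw-b|Ni=dd|Nr=bb"
    tag = app_auth_tag(APP_SECRET, USER_ID, channel_binding_token(client_transcript))
    return server_verify(APP_SECRET, USER_ID, tag,
                         channel_binding_token(server_transcript))


if __name__ == "__main__":
    print("direct session accepted:", direct_session())    # True
    print("relayed session accepted:", relayed_session())  # False
```

The tag is what replaces the protocol's usual in-band proof: a relay can carry it along, but cannot produce one over the server-side SA without the application secret, and the one it carries was computed over a different SA.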