Subject: Re: IPSEC and user vs machine authentication
To: None <tech-security@netbsd.org, tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 08/15/2005 11:43:46
>>>>> "Daniel" == Daniel Carosone <dan@geek.com.au> writes:
Daniel> Even if one trusts racoon with these credentials, there
Daniel> doesn't appear to be any way to select which identity should
Daniel> be used for a given socket, or to bind an identity with a
Daniel> local uid, or to pass/delegate credentials to racoon per
Daniel> user. This has implications both for multi-user machines
Daniel> (including 'non-credentialled processes' on single-user
Daniel> machines), and for users who move between multiple machines.
Daniel> I'm looking for the ability to have network connections
Daniel> authenticated with IPSEC on a per-user basis (using
Daniel> certificates, kerberos and/or XAUTH hybrid mode) via
Daniel> encapsulation, both for applications and protocols without
Daniel> native support for such mechanisms in the endpoints, and for
Daniel> authenticated traversal of intermediate gateways.
So, this was work that Bill Sommerfeld and I were trying to
standardize as a piece of work that many call "PF_POLICY" (but we didn't
want to actually make the API a socket-based one, leaving that for the
implementor to worry about).
The first step was to do the opposite --- permit an application to ask
"how was this socket protected", with what you want being step two.
--
] Michael Richardson    Xelerance Corporation, Ottawa, ON |   firewalls   [
] mcr @ xelerance.com   Now doing IPsec training, see     | net architect [
] http://www.sandelman.ca/mcr/   www.xelerance.com/training/ | device driver [
] I'm a dad: http://www.sandelman.ca/lrmr/                                  [