
Re: addresses and IKEv2



At 4:43 PM -0700 5/24/02, Alex Alten wrote:
Steve,

I'm not talking about a host's local database.  We need a way to uniquely
AND SECURELY identify any host worldwide from any other host.  You don't
want to replicate this information to every host, you'd have over 100 million
entries to distribute to each one!

Oh, well, you've moved the problem well beyond the bounds of the IPsec WG, given this description of what you are looking for. Also, given my earlier comments about the desirability of not creating new ID forms for use in access control systems, I think we have a fundamental disagreement here.


I like DNS too, a nice simple hierarchy, it is easy to uniquely name hosts,
and a simple distributed model for managing the address space. But it has a
crippling drawback from a security perspective.  A DNS name cannot be any
better at identifying a host than its resolved IP address.  And we know how
ephemeral IP addresses can be given the rise of DHCP and NAT.  The only
secure way to absolutely identify a host is to assign it a (randomly) unique
crypto key.  But before you can pull the correct key (RSA or AES) you need to
find it.  For this you need a unique number that doesn't keep being changed
underneath you.  So unfortunately DNS doesn't make the cut.  No amount of
wishful thinking is going to make it work properly for us.

I think your argument above is faulty. If I choose to use DNS names as a basis for access control decisions, and if I have credentials (e.g., certificates) that allow a machine or person to verify that the entity at the other end of a key management exchange is the entity with the DNS name in question, then I can dynamically bind the name to the current address at the time an SA is created and I have achieved the access control goals without needing to introduce the sort of new ID scheme to which you are alluding.



To reiterate my position: IPsec needs to have a global, secure address space
that uniquely identifies every participating host.  It needs to be simple to
understand, distributable, and easy to manage.  And it needs to be able to
dynamically map into the IP address space on demand, including private
network non-routable addresses.

Those are the requirements as I see them.  Anything less than this means
you can't use IPsec unencumbered across the Internet.

We don't need a global, secure address space. We need secure means of mapping IDs to credentials, and mapping those IDs to SAs, in real time, as you note immediately above. These two notions are not the same.


Steve
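The two mappings Steve distinguishes (ID to credential, then ID to SA at exchange time) can be shown concretely. The Go program below is an added illustration written for this archive page, not code from either correspondent or from any IPsec implementation. It assumes a single toy CA trusted by the responder, the constructed DNS name gw1.example.net, a nonce-signing proof of possession standing in for the IKEv2 AUTH payload, and an access-control policy keyed purely by DNS name. The certificate binds the name to a host key and never mentions an address; the address is read off the wire when the SA is created, so a DHCP or NAT change yields a new SA for the same identity without any new ID scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/netip"
	"time"
)

// SA holds the per-SA state this thread is about: the identity proven at
// SA creation and the address the peer was using at that moment.
type SA struct {
	PeerID   string     // DNS name proven by the peer's certificate
	PeerAddr netip.Addr // observed at SA creation; never part of the identity
}

// Authority is a toy issuer (assumption: one CA the responder trusts) that
// binds DNS names to host public keys. No address ever appears in a cert.
type Authority struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

// signCert fills in serial and validity, signs tmpl under parent and parses the result.
func signCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) (*x509.Certificate, error) {
	var err error
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)); err != nil {
		return nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewAuthority creates a self-signed Ed25519 root for the demonstration.
func NewAuthority() (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example IPsec CA"},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := signCert(tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &Authority{Cert: cert, key: priv}, nil
}

// Issue is the "ID -> credential" mapping: it certifies that hostPub belongs
// to the host named dnsName (a constructed name in the test, not a real host).
func (a *Authority) Issue(dnsName string, hostPub ed25519.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	return signCert(tmpl, a.Cert, hostPub, a.key)
}

// Prove is the initiator's side: sign the responder's nonce with the host key.
// (Real IKEv2 signs over exchange data in the AUTH payload; a bare nonce stands in.)
func Prove(hostPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(hostPriv, nonce)
}

// CreateSA is the responder's side: the "ID -> SA" mapping done in real time.
// The order is the point: credential, proof of possession, policy on the
// name, and only then a binding to whatever address the packet came from.
func CreateSA(roots *x509.CertPool, allowed map[string]bool,
	peerCert *x509.Certificate, nonce, sig []byte, from netip.Addr) (*SA, error) {
	if len(peerCert.DNSNames) != 1 {
		return nil, errors.New("peer cert must carry exactly one DNS name")
	}
	id := peerCert.DNSNames[0]
	// 1. The credential must chain to a trusted issuer and be valid for the name.
	if _, err := peerCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: id}); err != nil {
		return nil, err
	}
	// 2. The party on the wire must hold the certified private key.
	pub, ok := peerCert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return nil, errors.New("no proof of possession for " + id)
	}
	// 3. Access control is keyed by DNS name; the address is never consulted.
	if !allowed[id] {
		return nil, errors.New("policy: " + id + " not permitted")
	}
	// 4. Dynamic binding: record the current address. A DHCP lease change or a
	//    new NAT mapping simply produces a new SA for the same identity.
	return &SA{PeerID: id, PeerAddr: from}, nil
}
```

Calling CreateSA twice with the same certificate and proof but different source addresses returns two SAs that share PeerID and differ only in PeerAddr, which is the dynamic binding Steve describes; a certificate from an untrusted issuer, a peer that cannot sign the nonce, or a name absent from the policy map is refused before any address is looked at.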