[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: addresses and IKEv2

To: Alex Alten <Alten@xxxxxxxxx>
Subject: Re: addresses and IKEv2
From: Stephen Kent <kent@xxxxxxx>
Date: Tue, 4 Jun 2002 16:52:26 -0400
Cc: ipsec@xxxxxxxxxxxxxxxxx
In-reply-to: <>
References: <><><><><><><><><><><>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx

Alex,

Steve,

Whom are you kidding?  Just because *you* don't change a DNS name bound
to a machine for 18 months doesn't mean that Yahoo doesn't on-the-fly
direct your HTTP post to one of 50 different servers depending on query
loads, etc.  When one designs a system one has to account for many
types of usage.  But at the same time you have to decide what to not
support.  For example should IPsec identify either a user or a host?
I would argue that only a host, and possibly a port, should be
identified, since IPsec is operating between the routing and transport
layers.

I could easily ask who do you think YOU are kidding with a claim that a new globally unique ID scheme for computers is either needed of feasible. I don't care to which Yahoo machine I connect. I care only that the machine represents Yahoo, period. And, if one wanted to use IPsec for HTTP (vs. SSL) many folks have suggested that the right answer is to terminate the SAs at a load balancer in front of the servers, not within each server. The argument about what granularity of authentication IPsec should provide is an old one on this list. if I have a single user system, then the mapping from machine to person is 1-1 at any time and thus is makes as much sense to authenticate the person as the machine. There is no human being layer in the TCP/IP stack, or in the OSI model. It may be desirable to use higher layer authentication for identifying individuals in some cases, but it's quite reasonable to perform this authentication at the lowest layer offering an end-to-end service, i.e., the IP layer, when the machine where the SA terminates is under the control of a single user.

For you it may be simple to juggle multiple types of addresses (DNS, IP,
email, whatever). But to establish and manage IPsec sessions reliably
across millions of machines and tens of thousands of organizations, day
after day, year in and year out, with software written by hundred's of
protocol programmers in many companies and countries, is in practice a
nightmare. It took 3 years for the industry to be able to interoperate
with 3DES, some firms had to go through certification half a dozen times.
Is that what you want the industry to go through again by requiring
multiple ways of addressing hosts? To be successful, IPsec needs a simple
way to retrieve the key that actually does the work of authenticating the
host.  Neither DNS nor IP address are designed to do this well, they do
their respective existing jobs only too well.

Most of the preceding commentary is completely irrelevant to our discussion. But, what you seem to be proposing is to embark on the creation of a new class of IDs for machines that, by themselves, have no utility in managing access, since they are not meaningful to the people who have to manage all of this. It seem to me that your vague proposal flies in the face of the management concerns you allude to above.

Neither an IP address nor a DNS name will work because they are too
ephemeral.  Binding them into a certificate is just a snapshot of a
transient address to host key binding. All it does is introduce more
complexity, with certs littered about containing outdated host addresses,
not to mention yet another interoperability headache with certificate
authorities, revocation lists, etc.

In the vast majority of cases we don't care which machine is being used to connect anywhere. We care about the binding of the machine to a human user or some sort of an organizational affiliation. That's what various forms of IDs, managed at levels higher that machine IDs and address, do for us.

BTW, quit asking for a definition of "security".  You know damn well it's
self referential.  It's like asking for a definition of "money" or "time".
For that matter, so is the definition of an IPsec host "address".

I don't recall asking you what security meant. The reason for asking Eric was to determine what the underlying requirement are in terms of standard security services (confidentiality, integrity, authentication, access control, ...) so that I could better understand what Eric was looking for. If you think security is an undefinable term, maybe that explains why you are unable to articulate a clear reason for the form of ID you believe is needed.

Steve

References:
- Re: addresses and IKEv2
  - From: Alex Alten
- Re: addresses and IKEv2
  - From: Alex Alten
- Re: addresses and IKEv2
  - From: Alex Alten
- Re: addresses and IKEv2
  - From: Alex Alten
- Re: addresses and IKEv2
  - From: Alex Alten
- Re: addresses and IKEv2
  - From: Alex Alten

Prev by Date: Re: I-D ACTION:draft-ietf-ipsec-soi-features-01.txt
Next by Date: RE: Public Keys to initiate IPsec.
Previous by thread: Re: addresses and IKEv2
Next by thread: Re: addresses and IKEv2
Index(es):
- Date
- Thread