
RE: Public Keys to initiate IPsec.



At 6:37 PM -0700 6/3/02, Eric Nielsen wrote:
Steve,

We build a call control application using MGCP.
IPsec is the standard for securing MGCP in RFC 2705.
The RFC says nothing about what that really means.

Our call control agent receives only MGCP on specific
UDP ports. Each MGCP endpoint has a name, similar to
a SIP URI. The name is the key to all actions that
are invoked, what keys are used, etc.

I suggest you put that name in a cert and use it to make access control decisions in the SPD. Presumably you can make it into a DN.


The endpoint name is in the header of MGCP message,
but I need to relate it to the secure communications.
I cannot allow one trusted endpoint to spoof another,
and I cannot control IP addresses for endpoint devices.

This sounds like a problem regarding using IPsec. After establishing an SA, we check inbound traffic on the SA (from the peer) to make sure it is consistent with the parameters for the SA. We can check only the 5 fields that are defined as traffic selectors. So, you could be spoofed by a peer who authenticates as one MGCP endpoint ID, then sends a message with a different MGCP name in the MGCP message. This is outside the realm of what IPsec can do for you. You would have to remember the MGCP name from the SA establishment for later application layer checking, and there is no standard interface that passes that info to your application.


And of course, if the power goes out, I need to provide
service to huge numbers of endpoints without spending
all of the server's resources re-setting up security
associations.

If whose power goes out? If your SAs lose state at your end you have no option but to reestablish the SAs, and that takes time. Perhaps a UPS is a good investment here :-).


Encryption is not necessary. It looks like transport
mode AH with aggressive mode IKE is the direction I am
heading. I am now trying to connect the ISAKMP id_key_id
parameter to my application settings. Somehow get the
endpointname == id_key_id, use that to look up the key.

Frankly, we're trying to get rid of AH in general, and certainly for this sort of use. ESP in integrity-only mode will provide better performance and the same set of security services.


In the end, this is a multi-vendor effort, so I must stay
within accepted standards yet meet some high performance
and simple administration requirements.


The hardest part probably is the issuing of certs to your peers, and I don't know enough about the context to be able to say how easy or hard that is. In general you can bootstrap cert issuance over any initial authentication mechanism you deem suitable for your application context.


Steve
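Added example (Python, not from the thread or either poster): the application-layer check Steve describes, remembering the identity IKE authenticated for an SA and refusing any MGCP command whose header names a different endpoint. The SA_IDENTITY table, the (peer address, port) key, the addresses and the messages are all constructed assumptions, since no standard interface passes the SA identity to the application.

```python
# Added example: bind the IKE-authenticated peer identity to the MGCP endpoint
# name in each command header, the check IPsec traffic selectors cannot do.
# All data below is constructed; SA_IDENTITY stands in for whatever
# platform-specific hook records the identity at SA establishment.

MGCP_VERBS = {"EPCF", "CRCX", "MDCX", "DLCX", "RQNT", "NTFY", "AUEP", "AUCX", "RSIP"}

# Hypothetical table filled when the SA is established:
# (peer address, port) -> identity authenticated by IKE (ID_KEY_ID or cert DN).
# Keyed by peer address/port because that is what recvfrom() exposes and what
# the SA's traffic selectors pin down; the values here are constructed.
SA_IDENTITY = {
    ("192.0.2.10", 2427): "aaln/1@gw1.example.net",
    ("192.0.2.11", 2427): "aaln/1@gw2.example.net",
}


def parse_mgcp_command(msg: str):
    """Return (verb, transaction_id, endpoint_name) from an MGCP command's
    first line, "VERB txid endpoint MGCP 1.0" (RFC 2705), or raise ValueError.
    Endpoint names are case-insensitive, so they are normalised to lower case."""
    first = msg.split("\n", 1)[0].strip()
    parts = first.split()
    if len(parts) < 4 or parts[0].upper() not in MGCP_VERBS:
        raise ValueError(f"not an MGCP command line: {first!r}")
    verb, txid, endpoint = parts[0].upper(), parts[1], parts[2]
    if not txid.isdigit():
        raise ValueError(f"bad transaction id: {txid!r}")
    return verb, int(txid), endpoint.lower()


def accept_mgcp(src_ip: str, src_port: int, msg: str) -> bool:
    """Accept only if the datagram came from a peer with a known SA and the
    endpoint named in the header equals the identity IKE authenticated for it.
    A peer that authenticated as gw2 but names gw1's endpoint is rejected."""
    identity = SA_IDENTITY.get((src_ip, src_port))
    if identity is None:
        return False  # no SA recorded for this peer: drop
    try:
        _verb, _txid, endpoint = parse_mgcp_command(msg)
    except ValueError:
        return False  # malformed command: drop rather than guess
    return endpoint == identity.lower()
```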