
Effective policy enforcement



-----BEGIN PGP SIGNED MESSAGE-----

I've been thinking a fair amount about the question of, once we have
  IPSEC, what kinds of access control (and other) policy may actually
  be implemented by system administrators using IPSEC with ISAKMP.

The current implementations of ISAKMP use X.509 certificates, which allow
  the administrator to establish very broad policy, like:

  "I will establish an SA with any entity bearing a certificate signed by
   my CA"


  "I will establish an SA with an entity named Marcus Leech, provided that
   the certificate was signed by Nortel".

Both of these policy directives are implementable with the existing ISAKMP
  assumptions about certificates.  Note, however, that in the second case,
  if I want to produce (for example) a "group" policy, I must enumerate
  the Distinguished Names of each member in the group, or I must establish
  a group CA, and use the first type of policy statement mentioned above.

The work of the SPKI group allows for much richer policy enforcement than
  is possible with an X.509 scheme.  I would like to see three things:


  (1) ISAKMP implementation hooks for SPKI certificate formats.
      I understand that the SPKI group doesn't yet have any
      implementable output, but I don't want to see us do anything
      to prevent its incorporation at a later date.

  (2) Viable policy engines in IPSEC/ISAKMP systems that make rich policy
      enforcement possible, and easy to administer.

  (3) Availability to the applications of any and all attributes
      and/or authorizations carried in a certificate used to establish
      an SA (this applies to both X.509 and SPKI). In other words, it 
      ought to be possible for an application
      to determine all of the security-relevant attributes for
      incoming connections to those applications.


This kind of support SHOULD NOT be delegated to the application layer.
  There are HUGE efficiency and code-maintainability gains to be had by
  offering this kind of policy management at the IPSEC layer.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQBVAwUBM0vWPKp9EtiCAjydAQGCHwH/WzMrzBdQfiC7z23s3exJwKw6pLklIxhM
J9aefOrXQJeoAKfL2Gpiq1uRd9QHVLCC3v2pL9q/QngtbE+7vPqmmg==
=oNgJ
-----END PGP SIGNATURE-----

--
----------------------------------------------------------------------
Marcus Leech                   Mail: Dept 8M86, MS 238, CAR
Systems Security Architect     Phone:    (ESN) 393-9145  +1 613 763 9145
Systems Security Services      Fax:      (ESN) 395-1407  +1 613 765 1407
Nortel Technology              mleech@nortel.ca
-----------------Expressed opinions are my own, not my employer's------
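The following is an added illustration, not code from the post or from any ISAKMP implementation. It models the two X.509 policy forms the post describes (any certificate signed by my CA; a named entity signed by a given CA), the two ways of expressing a group under X.509 (enumerating member DNs, or trusting a dedicated group CA), an attribute-carrying group of the kind SPKI makes possible, and an SA record that hands the certificate's attributes up to the application (the post's point 3). All certificate contents, CA names and the `group:security` attribute are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the fields of a peer's certificate."""
    subject: str                          # Distinguished Name of the holder
    issuer: str                           # DN of the CA that signed it
    attrs: FrozenSet[str] = frozenset()   # authorization attributes carried in the cert


# A policy is a predicate over the peer's certificate, evaluated at SA setup.
Policy = Callable[[Cert], bool]


def signed_by(ca: str) -> Policy:
    """First policy form: any entity bearing a certificate signed by my CA.
    Also what a 'group CA' policy looks like: trust everything the group CA signs."""
    return lambda c: c.issuer == ca


def named(subject: str, ca: str) -> Policy:
    """Second policy form: a specific named entity, provided the cert was signed by `ca`."""
    return lambda c: c.subject == subject and c.issuer == ca


def group_enumerated(members: Iterable[str], ca: str) -> Policy:
    """X.509-style group without a group CA: every member DN must be listed."""
    allowed = frozenset(members)
    return lambda c: c.subject in allowed and c.issuer == ca


def group_by_attr(attr: str, ca: str) -> Policy:
    """Attribute-carrying (SPKI-style) group: membership is asserted inside the
    certificate, so the policy need not enumerate members. The issuer check stays:
    an attribute is only as trustworthy as the CA that vouched for it."""
    return lambda c: attr in c.attrs and c.issuer == ca


@dataclass(frozen=True)
class SA:
    """Result of a successful negotiation; `attrs` is what the application may inspect."""
    peer: str
    attrs: FrozenSet[str]


def negotiate(cert: Cert, policies: Iterable[Policy]) -> Optional[SA]:
    """Admit an SA if any configured policy matches the peer's certificate,
    and expose the certificate's attributes together with the SA."""
    if any(p(cert) for p in policies):
        return SA(peer=cert.subject, attrs=cert.attrs)
    return None


# Constructed sample certificates (hypothetical DNs and CA names).
NORTEL_CA = "CN=Nortel CA"
MARCUS = Cert("CN=Marcus Leech,O=Nortel", NORTEL_CA, frozenset({"group:security"}))
OTHER = Cert("CN=Other Person,O=Nortel", NORTEL_CA)
STRANGER = Cert("CN=Marcus Leech,O=Elsewhere", "CN=Some Other CA",
                frozenset({"group:security"}))


if __name__ == "__main__":
    policies = [group_by_attr("group:security", NORTEL_CA)]
    for cert in (MARCUS, OTHER, STRANGER):
        print(cert.subject, "->", negotiate(cert, policies))
```

Note that the same-named subject issued by a different CA (`STRANGER`) is refused under every policy even though its certificate carries the group attribute: the policy engine binds every attribute to the issuer it trusts, which is the check an application-layer implementation would have to repeat for each service.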