Right now, there are two paths into having a particular network
connection (say, a TCP session) encrypted/authenticated with IPSEC:
either via the setkey packet-filter SPD, or via per-socket policy set
by the application.

(speling nit: IPSEC is the kernel option, IPsec is the protocol)

Is racoon able to negotiate per-socket policy now? I haven't looked
in a while. But per-socket vs. SPD is an orthogonal issue to your
main concern, I think.

I'm looking for the ability to have network connections authenticated
with IPSEC on a per-user basis (using certificates, kerberos and/or
XAUTH hybrid mode) via encapsulation, both for applications and
protocols without native support for such mechanisms in the endpoints,
and for authenticated traversal of intermediate gateways.

I'm not sure I follow 'by encapsulation', but this makes sense.

Several years ago, I did a rough outline for per-user credentials.
Note that RFC2401 allows them, but NetBSD's implementation does not.
Basically, it involved

users being able to push keys or hook up an agent to racoon
racoon being able to negotiate multiple Phase 1s with a given peer
racoon being able to present an identity to a program and have it
map it a locally meaningful name
storing more complex identities, including user names in SPD
storing more complex identities, including user names in SA
checking identities when doing SPD/SA matches
conveying identities to programs via some setsockopt a la IP_RECVIF

If you want to send money we finish the project as proposed :-)

But seriously, what you want is the direct analog of how Kerberos
handles user identities, except that it's far more complicated due to
racoon, SPD, SA insteadof all being in process, and I think it is
entirely doable and sensible, and within the IPsec architecture.

Has that effort died? I attended a few informal discussions about
this topic when it was first being discussed, but was not able to
stay involved and have not heard much about it since, until you
mentioned it now.

-- thorpej


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

-----BEGIN PGP SIGNED MESSAGE-----
Jason> Has that effort died? I attended a few informal discussions
Jason> about this topic when it was first being discussed, but was
Jason> not able to stay involved and have not heard much about it
Jason> since, until you mentioned it now.

I'm still working on it, but I can't write a "standard" in isolation.
I wrote code for Openswan to prototype the first part [query] (and we even
demonstrated it at a BlackHat conference).

I'm still interesting in continuing on this.

- --
] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls [
] mcr @ xelerance.com Now doing IPsec training, see |net architect[
] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device driver[
] I'm a dad: http://www.sandelman.ca/lrmr/ [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQwDIhYqHRg3pndX9AQF5XgP7B/vo55Jz/KkveyiojCEF1WZX9E5zZVNl
ubJYkNjYy7zk1flS8KU02lh/p3CDH2f9UxcjsCcrtUgEDXKh7mBv3xL99H8Q2YhE
RD+XUNN1AQRQqw9CsTAyLN//zh+o7SqVCME+B3FGwphNRi5xq1fsF55KjjA63gYT
8mHv4ulShPg=
=gXv3
-----END PGP SIGNATURE-----

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

[...]
Pushing down the credential into IKE is one way to do it.

Another way is to not care about what credential IKE negotiated, but rather
just use the channel and bind it to your applications security context
negotiation. One way to do that would be to fold something like IKE
equvalent of secsh's `The exchange hash H' into your applications
authentication.

The this one of BTNS working groups items.

Love

And the KITTEN working group and NFSv4 groups are working with channel
bindings regarding this. I have most of a draft extending iSCSI CHAP to
include this too.

The other thing that would be quite useful (required, depending on whom
you ask) for channel bindings is a way to require that TCP connection foo
is bound to a given set of identities. So if you use Kerberos Identity BAR
to log in, you can't later renegotiate IPsec FOR THIS CONN using PSK ID
BAZ. You can renego PSK, and you can make new connections, but the app
will see connection termination/establishment.

Solaris supposedly has this last feature.

Take care,

Bill

I'm not clear on the details of these proposals, but they seem like
related or complementary ideas, rather than clear alternatives.

For example, they seem to me more like a session-management mechanism
than an authentication mechanism per-se; rather like how some web load
balancers or reverse proxies can use the SSL session-id to correlate
multiple web requests from the same browser. Perhaps this helps me
recognise when an IKE phase 1 SA (as the equivalent of an SSL session)
is being reused for multiple connections.

Or is the idea to have the initial (IKE) session later be associated
with a user, on the basis of an application authentication that occurs
inside that session? There are equivalent ideas used successfully in
the SSL models above, certainly.

That's fine as far as it goes, but I don't think it quite covers what
I was describing.

You'd also need some stronger criteria around which new connections
were allowed to join the session at the remote end, otherwise we're
really back to machine policy and authentication again. Such
constraints are less problematic in the SSL case, because you
typically assume the SSL session belongs to a user application such as
a single browser.

However the identity is negotiated and authenticated, you still need
the ability to query the session state for this information. I had
considered this as the second part of the problem, rather than the
first as has been others' focus previously; both components are
needed.

--
Dan.

The point is that you don't need to push down user credentials to the
process that handles IKE for you. Just a way to seperate the each user from
each other and then withing that bind that within the application
authentication to the IKE assosication.
Why is this diffrent from the BTNS/channel binding case than what you are
describing ?

If you don't trust you kernel to separate connections, why should you trust
it with your credentials ?

Love

On Oct 25, 3:57pm, "Steven M. Bellovin" wrote:
} On Wed, 4 Jun 2008 15:03:06 +0200
} Petar Bogdanovic <***@smokva.net> wrote:
}
} > I recently noticed that ipfilter with `block return-icmp' is returning
} > ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
} > broadcast:
} >
} > 130.3.3.3 ---------[***@130.3.3.255]--------> 130.3.3.4
} > 130.3.3.3 <----[ICMP Network unreachable]---- 130.3.3.4
} >
} >
} > This seems wrong, considering RFC1122, page 39:
} >
} > An ICMP error message MUST NOT be sent as the result of
} > receiving:
} >
} > * an ICMP error message, or
} >
} > * a datagram destined to an IP broadcast or IP multicast
} > address, or
} >
} > * a datagram sent as a link-layer broadcast, or
} >
} > * a non-initial fragment, or
} >
} > * a datagram whose source address does not define a single
} > host -- e.g., a zero address, a loopback address, a
} > broadcast address, a multicast address, or a Class E
} > address.
} >
} >
} > Is this desired behaviour?
}
} I don't see the conflict. The intent of that section of 1122 is to
} rule out troublesome ICMPs. The first condition prevents loops; the
} second two prevent ICMP implosions, the fourth assumes that the initial

Using the English language (which usually works with RFCs) along
with the RFC definition of "MUST NOT", it sure looks like either the
second or third condition applies depending on the link layer address.

} fragment will cause the proper message, and the last is for an ICMP
} that can't be delivered to a single host. Your example concerns none
} of those cases. Furthermore, the very next page of 1122 defines an
} ICMP type code for "administratively prohibited" communication, which
} is exactly what I hope ipf is returning here.

The second line of the stuff you quoted says, "ICMP Type 3 Code 0
(Network unreachable)". "administratively prohibited" would be Code 9,
10, or 13.

The question I have is, is 130.3.3.4 a router of some sort? If
not, then I believe it is misbehaving. If so, then RFC1122 may not be
applicable as it only deals with end hosts. However, even if it is a
router, it isn't a packet that needs to be passed through, so RFC1122
is probably still applicable.

}-- End of excerpt from "Steven M. Bellovin"

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de