Re: [anonsec] Comments on connection latching draft

Michael Richardson <mcr@sandelman.ca> Sun, 16 December 2007 01:13 UTC

Return-path: <anonsec-bounces@postel.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J3i4S-0003Rg-GZ for btns-archive-waDah9Oh@lists.ietf.org; Sat, 15 Dec 2007 20:13:32 -0500
Received: from boreas.isi.edu ([128.9.160.161]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J3i4R-0005nH-UO for btns-archive-waDah9Oh@lists.ietf.org; Sat, 15 Dec 2007 20:13:32 -0500
Received: from boreas.isi.edu (localhost [127.0.0.1]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id lBG0wlg3022545; Sat, 15 Dec 2007 16:58:47 -0800 (PST)
Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id lBG0vlBw022422 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <anonsec@postel.org>; Sat, 15 Dec 2007 16:57:49 -0800 (PST)
Received: from list by ciao.gmane.org with local (Exim 4.43) id 1J3hp3-0004rD-04 for anonsec@postel.org; Sun, 16 Dec 2007 00:57:37 +0000
Received: from wlan199.sandelman.ca ([209.87.252.199]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <anonsec@postel.org>; Sun, 16 Dec 2007 00:57:36 +0000
Received: from mcr by wlan199.sandelman.ca with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <anonsec@postel.org>; Sun, 16 Dec 2007 00:57:36 +0000
X-Injected-Via-Gmane: http://gmane.org/
To: anonsec@postel.org
From: Michael Richardson <mcr@sandelman.ca>
Date: Sat, 15 Dec 2007 19:57:14 -0500
Lines: 34
Message-ID: <fk1t5c$gaq$1@ger.gmane.org>
References: <tsld4tjjsw3.fsf@mit.edu> <20071206235738.GA8628@Sun.COM>
Mime-Version: 1.0
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: wlan199.sandelman.ca
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.13pre) Gecko/20070505 Iceape/1.0.9 (Debian-1.0.11~pre071022-0etch1)
In-Reply-To: <20071206235738.GA8628@Sun.COM>
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: gia-anonsec@m.gmane.org
Subject: Re: [anonsec] Comments on connection latching draft
X-BeenThere: anonsec@postel.org
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: "Discussions of anonymous Internet security." <anonsec.postel.org>
List-Unsubscribe: <http://mailman.postel.org/mailman/listinfo/anonsec>, <mailto:anonsec-request@postel.org?subject=unsubscribe>
List-Archive: <http://mailman.postel.org/pipermail/anonsec>
List-Post: <mailto:anonsec@postel.org>
List-Help: <mailto:anonsec-request@postel.org?subject=help>
List-Subscribe: <http://mailman.postel.org/mailman/listinfo/anonsec>, <mailto:anonsec-request@postel.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: anonsec-bounces@postel.org
Errors-To: anonsec-bounces@postel.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 52e1467c2184c31006318542db5614d5

Nicolas Williams wrote:
> On Thu, Dec 06, 2007 at 06:38:36PM -0500, Sam Hartman wrote:
>> What is the purpose of the connection states?  I see them enumerated but never used.
> 
> To help describe the process by which latches are created and torn down.
> 
>> Why must implementations make available nat state?  I'm unconvinced
>> that is well enough defined to actually be useful.

> I think this is Michael's requirement.
> 
>>    o  Any IPsec channel created with a given peer while another
>>       distinct, established IPsec channel exists with the same source
>>       and destination addresses SHOULD be bound to the same peer.
>>
>>
>> How does this interact with nats?
> 
> Hmmm, badly :)

If as you say, it's my requirement, let me remember why.
I thought that we had ruled NAT interaction as out-of-scope.

BTW: real-world case where channel binding is necessary:


http://www.schneier.com/blog/archives/2007/12/defeating_the_s.html
...
   This works because the two security systems are decoupled. And the shoe
   screening machine is so crowded and chaotic, and so poorly manned, that no
   one notices the switch.
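A small model of the quoted SHOULD rule and of the NAT collision Sam Hartman asked about, as an added example that is not part of this message or of the connection-latching draft. The `LatchTable` class, the address values and the peer identity strings are constructed for illustration.

```python
"""Model of the quoted latching rule: a new IPsec channel on an already
latched (src, dst) address pair is only accepted for the same peer.
Illustrative only; not code from the draft or from the poster."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """One IPsec channel as seen by the local host."""
    src: str      # source address of the channel
    dst: str      # destination address of the channel
    peer_id: str  # hypothetical authenticated peer identity, e.g. an IKE ID


class LatchTable:
    """Tracks which peer identity is latched to each (src, dst) pair."""

    def __init__(self) -> None:
        self._bound = {}  # (src, dst) -> peer_id

    def open_channel(self, ch: Channel) -> str:
        key = (ch.src, ch.dst)
        bound = self._bound.get(key)
        if bound is None:
            # first channel on this address pair: latch the peer identity to it
            self._bound[key] = ch.peer_id
            return "latched"
        if bound == ch.peer_id:
            # further channel, same addresses, same peer: bound to the same peer
            return "bound-to-same-peer"
        # a distinct peer on an address pair that is already latched:
        # under the quoted rule this channel must not be bound
        return "rejected"


def direct_scenario() -> list:
    """Peers with distinct addresses never collide on the (src, dst) key."""
    table = LatchTable()
    server = "198.51.100.1"
    return [
        table.open_channel(Channel("192.0.2.10", server, "host-A")),
        table.open_channel(Channel("192.0.2.10", server, "host-A")),
        table.open_channel(Channel("192.0.2.11", server, "host-B")),
    ]


def nat_scenario() -> list:
    """Two hosts behind one NAT share its public address, so the server sees
    identical (src, dst) pairs for channels belonging to different peers."""
    table = LatchTable()
    nat_public = "203.0.113.7"  # constructed NAT public address
    server = "198.51.100.1"
    return [
        table.open_channel(Channel(nat_public, server, "host-A")),
        # legitimate second host behind the NAT, but indistinguishable from
        # an unrelated peer reusing an already latched address pair
        table.open_channel(Channel(nat_public, server, "host-B")),
    ]


if __name__ == "__main__":
    print("direct:", direct_scenario())
    print("behind NAT:", nat_scenario())
```

Run stand-alone, the direct case shows the rule doing its job, while the NAT case shows why the interaction is "bad": the server cannot tell a second host behind the same NAT from a different peer appearing on a latched address pair, because both present a new peer identity on the same (src, dst) key.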