Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00
Yoav Nir <ynir@checkpoint.com> Thu, 05 May 2011 06:59 UTC
From: Yoav Nir <ynir@checkpoint.com>
To: Dan Harkins <dharkins@lounge.org>
Date: Thu, 5 May 2011 09:59:08 +0300
Thread-Topic: [IPsec] New I-D: draft-nir-ipsecme-erx-00
Message-ID: <FC252A0F-BCF3-458D-B2C1-68CCF64F583F@checkpoint.com>
References: <006FEB08D9C6444AB014105C9AEB133F013ABE025E24@il-ex01.ad.checkpoint.com>
<4DBF19F4.6050804@gmail.com>
<95F1A883-8213-4A57-911B-E660E02A3117@checkpoint.com>
<00a401cc09fd$b152ef00$46298a0a@china.huawei.com>
<8CAC67D8-623B-4738-89B0-4A72C3C7AF95@checkpoint.com>
<b94047babd6474117f7734354425dc0b.squirrel@www.trepanning.net>
<BAE19B87-DE7A-4306-B3F0-D171580BCE57@checkpoint.com>
<86c7cd758de89a6f640f8e55faff11ee.squirrel@www.trepanning.net>
<F27D10DD-0B3A-4BA1-AF42-9D814C761804@checkpoint.com>
<6c5908c5ea31d90ed1a8f96b57bf2d72.squirrel@www.trepanning.net>
In-Reply-To: <6c5908c5ea31d90ed1a8f96b57bf2d72.squirrel@www.trepanning.net>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "hokey@ietf.org" <hokey@ietf.org>
Subject: Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00
On May 5, 2011, at 9:17 AM, Dan Harkins wrote:

>   Hello,
>
> On Wed, May 4, 2011 10:45 pm, Yoav Nir wrote:
>>
>> OK. I see what you mean. Certificates are not necessarily better. She
>> might have a certificate with a subject like
>> "UID=alice,OU=people,O=intranet,DC=example,DC=com", or the AAA server
>> might call her "emp715". Either can serve. The VPN gateway needs the
>> identity for two things:
>> - For policy lookup. As long as the policy database uses the same name,
>>   we're fine.
>> - For generating logs. There should be a way to map the name in the logs
>>   to the real person, but I guess this reconciliation of usernames and
>>   real names can be done either in generating the logs or in viewing the
>>   logs.
>
>   Assuming the CA is trustworthy and the peer authenticated with that
> certificate then you know that the identity named by the subject name
> in the certificate is who that peer is. You can make a definitive
> statement about it (although I'm not sure what attributes UID or DC are).
>
>   "emp715" returned in an Access-Accept means nothing because it's
> meaningful when used with an EAP method of X inside a realm/domain of Y
> and you don't know what either X or Y are. So you can't make any
> definitive statement about "emp715".

Depending on how large your federation is, "emp715" may be unique. In the simplest setup - one RADIUS server that holds records for all employees - it probably is unique. Otherwise, it should probably be in the form of emp715@example.com. In both cases it should be enough to later map to a real person. If it's not, then the AAA setup has not been done right.

>> Any implementation using EAP has users that are either satisfied with
>> "emp715" or use a directory to convert that in the logs to more
>> meaningful names.
>
>   Not to belabor the point, but a user could have an authenticated
> identity of "emp715" in one realm/domain (that you don't know) and
> a completely different user could have an authenticated identity of
> "emp715" in a completely different realm/domain (that you also don't
> know). Treating them the same is probably not a wise thing to do from
> a policy enforcement standpoint.

I think it's up to administrators to make sure that names are unique and traceable. If RADIUS has a record for Alice, with identifier "emp715", and when the VPN gateway looks up this string it gets an entry for Bob, it's a deployment error.

Besides, I think we're derailing the conversation. We have to assume that EAP works somehow, otherwise we're not going to do ERP. The question is how to get around the ephemeral identities transmitted in ERP.

>   (There's a guy named "Dan Harkins" that owns a chain of theaters in
> the state of Arizona in the US. I am not that man and I don't live in
> Arizona, but I have received phone calls expressing outrage over the kind
> of films that "I" show in "my" family theater, and asking why "I" stopped
> giving out free popcorn to patrons on their birthday. I receive these
> calls because people take a name, stripped of all context, and assume
> something about it. And that is a mistake).

Strange. I never get calls from people asking for diaper advice.

http://www.yoavnir.com

Yoav (not a diaper consultant)
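Added example, not part of the thread above and not code from either correspondent: a small Python model of the point the two messages argue over. A gateway that keys policy on the bare User-Name returned in an Access-Accept cannot tell two "emp715" users from different realms apart; qualifying the name with its realm (the emp715@example.com form mentioned above) removes the ambiguity and refuses to proceed when no realm is available. The Access-Accept records, the realm names and the policy table are constructed sample data, and all function names are hypothetical.

```python
"""Realm-qualified identity handling for a VPN gateway fed by EAP/RADIUS.

Added example with constructed data; not the gateway or AAA code of any
real product. Helper names are hypothetical.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: two Access-Accepts, each carrying the same bare
# User-Name, but arriving from different realms (which the bare name
# does not record).
SAMPLE_ACCEPTS: List[Dict[str, str]] = [
    {"realm": "example.com", "user_name": "emp715"},
    {"realm": "partner.example", "user_name": "emp715"},
]

# Constructed policy table, keyed by realm-qualified identity.
POLICY_BY_IDENTITY: Dict[str, str] = {
    "emp715@example.com": "allow intranet, deny finance",
    "emp715@partner.example": "allow partner-portal only",
}


def qualify_identity(user_name: str, realm: Optional[str],
                     default_realm: Optional[str] = None) -> str:
    """Return an NAI-style 'user@realm' for the identity an AAA server returned.

    A name that already carries exactly one '@' is validated and kept.
    A bare name is scoped with the realm the accept came from, or with
    default_realm in a single-realm deployment. With neither, refuse
    rather than guess which user this is.
    """
    if "@" in user_name:
        local, _, existing = user_name.rpartition("@")
        if not local or not existing or "@" in local:
            raise ValueError(f"malformed identity: {user_name!r}")
        return user_name
    scope = realm or default_realm
    if scope is None:
        raise ValueError(f"bare identity {user_name!r} with no realm to scope it")
    return f"{user_name}@{scope}"


def can_scope(user_name: str, realm: Optional[str],
              default_realm: Optional[str] = None) -> bool:
    """True if qualify_identity() would accept this input."""
    try:
        qualify_identity(user_name, realm, default_realm)
        return True
    except ValueError:
        return False


def bare_name_collisions(accepts: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """The mistake, made visible: group accepts by bare User-Name only.

    Returns {bare_name: [realms]} for every name that more than one realm
    produced. A policy table keyed this way would hand both users the
    same entry.
    """
    realms_by_name: Dict[str, List[str]] = {}
    for accept in accepts:
        realms_by_name.setdefault(accept["user_name"], []).append(accept["realm"])
    return {name: realms for name, realms in realms_by_name.items() if len(realms) > 1}


def resolve_policy(accept: Dict[str, str], policy_db: Dict[str, str],
                   default_realm: Optional[str] = None) -> Tuple[str, str]:
    """Qualify the identity, then look up policy under the qualified name."""
    identity = qualify_identity(accept["user_name"], accept.get("realm"), default_realm)
    policy = policy_db.get(identity)
    if policy is None:
        # A qualified name with no policy entry is the "deployment error"
        # case: do not fall back to a bare-name match.
        raise LookupError(f"no policy for {identity!r}")
    return identity, policy


def log_line(accept: Dict[str, str], policy_db: Dict[str, str],
             default_realm: Optional[str] = None) -> str:
    """Audit log entry carrying the realm-qualified identity, so the log
    can later be mapped to a real person without guessing the realm."""
    identity, policy = resolve_policy(accept, policy_db, default_realm)
    return f'vpn-auth user="{identity}" policy="{policy}"'


if __name__ == "__main__":
    print("bare-name collisions:", bare_name_collisions(SAMPLE_ACCEPTS))
    for accept in SAMPLE_ACCEPTS:
        print(log_line(accept, POLICY_BY_IDENTITY))
```

Run as a script, the first line reports that "emp715" was produced by two realms, and the two log lines that follow name different users with different policies. The single-realm case from the message above is the default_realm path: a deployment with one RADIUS server can pass its own realm there and keep bare names in the AAA server, while a federated one gets a refusal instead of a silent collision.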