IETF Logo Mail Archive

Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00

Yoav Nir <ynir@checkpoint.com> Fri, 06 May 2011 18:03 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83A8BE07CD; Fri, 6 May 2011 11:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.792
X-Spam-Level:
X-Spam-Status: No, score=-8.792 tagged_above=-999 required=5 tests=[AWL=1.806, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19-Jxaovi9f8; Fri, 6 May 2011 11:02:59 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id EB707E07CC; Fri, 6 May 2011 11:02:58 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id p46I2TXS008219; Fri, 6 May 2011 21:02:30 +0300
X-CheckPoint: {4DC444E3-1-1B221DC2-FFFF}
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.2.255.0; Fri, 6 May 2011 21:02:29 +0300
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Fri, 6 May 2011 21:02:29 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Fri, 6 May 2011 21:02:27 +0300
Thread-Topic: [IPsec] New I-D: draft-nir-ipsecme-erx-00
Thread-Index: AcwMF8NZEbl1lUmmQRi8xpHfWp0UsA==
Message-ID: <624EB8DD-96F6-422A-A2DE-B02A0507BF14@checkpoint.com>
References: <006FEB08D9C6444AB014105C9AEB133F013ABE025E24@il-ex01.ad.checkpoint.com> <4DBF19F4.6050804@gmail.com> <95F1A883-8213-4A57-911B-E660E02A3117@checkpoint.com> <00a401cc09fd$b152ef00$46298a0a@china.huawei.com> <8CAC67D8-623B-4738-89B0-4A72C3C7AF95@checkpoint.com> <b94047babd6474117f7734354425dc0b.squirrel@www.trepanning.net> <BAE19B87-DE7A-4306-B3F0-D171580BCE57@checkpoint.com> <86c7cd758de89a6f640f8e55faff11ee.squirrel@www.trepanning.net> <F27D10DD-0B3A-4BA1-AF42-9D814C761804@checkpoint.com> <6c5908c5ea31d90ed1a8f96b57bf2d72.squirrel@www.trepanning.net> <FC252A0F-BCF3-458D-B2C1-68CCF64F583F@checkpoint.com> <4DC30B68.70202@gmail.com>
In-Reply-To: <4DC30B68.70202@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_624EB8DD96F6422AA2DEB02A0507BF14checkpointcom_"
MIME-Version: 1.0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "hokey@ietf.org" <hokey@ietf.org>
Subject: Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 May 2011 18:03:00 -0000

On May 5, 2011, at 11:41 PM, Yaron Sheffer wrote:

Hi,

I think we are going down a rathole on the issue of "authenticated identity". Most IKE gateways, like many other security devices, normally make policy decisions based on groups. I will provide secure connectivity to anybody@this-isp.com<mailto:anybody@this-isp.com>, but not to anybody@that-isp.com<mailto:anybody@that-isp.com>. But I don't want to differentiate john@isp.com<mailto:john@isp.com> from jane@isp.com<mailto:jane@isp.com>.

True, but often we cut the groups finer than that. If John works in sales and Jane works in R&D, they may have different authorizations (John does not go near the source control, Jane does not get to see the financial statement to be published next week). To negotiate the appropriate selectors, the gateway needs some group information. This can be done by abusing some RADIUS attribute to convey policy information, or else by querying a directory with the username received in EAP.

With ephemeral identities I don't see how this could work, unless we assume that there is a way for the gateway to query the AAA about some attributes of the user behind the EMSKNAme.


It seems to me RFC 4306/5996 took the concept a bit further than RFC 4301 ever intended (in fact I believe the text is new to RFC 5996). Presumably, when we talk about identity-based policy decisions, we refer to http://tools.ietf.org/html/rfc4301#section-4.4.3. This text (and the following section) explicitly allows for "bulk" policies that apply to "@example.com".com", i.e. anybody at that domain. And such coarse granularity may be sufficient in practice for inter-ISP traffic: ISP1 may be happy to provide secure connectivity to ISP2's customers and take a cut of the business, even if it doesn't know the exact identity of each customer and cannot contact them, bill them or log their names.

So I would suggest that the draft should mention that no individual authenticated identity is available in the typical case (and this is unfortunately in conflict with RFC 5996), but the obscured identity provided in RADIUS Access-Accept can be used to make legitimate policy decisions.

I'm not even sure of that. Qin, does ERP give us the domain name of the original authenticating server?  Do we even know if the user came from this-isp or that-isp?


Thanks,
    Yaron

v2.8.7 | Report a Bug | By Email