Re: [IPsec] [ipsecme] #217: Temporary credentials

Yaron Sheffer <yaronf.ietf@gmail.com> Wed, 21 March 2012 22:26 UTC

Message-ID: <4F6A557A.1030604@gmail.com>
Date: Thu, 22 Mar 2012 00:26:02 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Yoav Nir <ynir@checkpoint.com>
References: <CB8FB4BC.111E3%ghuang@juniper.net> <4F6A471D.8090606@gmail.com> <A235A223-4C24-40E7-97F9-49F070746EA4@checkpoint.com>
In-Reply-To: <A235A223-4C24-40E7-97F9-49F070746EA4@checkpoint.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Geoffrey Huang <ghuang@juniper.net>, Stephen Hanna <shanna@juniper.net>
Subject: Re: [IPsec] [ipsecme] #217: Temporary credentials

Hi Yoav,

When you say "local policy" you assume that spokes are smart enough (or 
well enough provisioned) to have such policy. My assumption OTOH was 
that the gateway is smarter, e.g. it knows what spokes are allowed to 
communicate directly or what kind of traffic is allowed to flow directly 
between spokes.

It may just be a semantic discussion, but the second bullet of your 
"introduction" is to me indistinguishable from authorization.

Thanks,
	Yaron

On 03/21/2012 11:48 PM, Yoav Nir wrote:
> I don't think there need to be authorization tokens, as authorization can be left to local policy.
>
> But there always needs to be some kind of "introduction" process, and it can take many forms:
>   - Yaron, Yoav is at 192.168.1.3. Use c80273f0f7dd5bdc10c38234616fde22 as PSK
>   - Yaron, Yoav is at 192.168.1.3. His certificate has DN: "CN=ynir,OU=something"
>
> In the first case, the "system" actually invented the credential, while in the second case it just tells you about it. So temporary credentials are not strictly necessary, but previous attempts to rely on pure PKI have been less than successful.
>
> Yoav
>
> On Mar 21, 2012, at 11:24 PM, Yaron Sheffer wrote:
>
>> The point of "temporary credentials" is that if these spokes normally
>> use EAP or PSK to authenticate to the gateway, they cannot use these
>> same credentials to auth to one another (because that would expose each
>> spoke to impersonation by the other one). So to support this scenario we
>> must have some other means of authentication.
>>
>> This raises an interesting question: if the spokes are authenticating
>> with certificates, they could in principle use the same credentials to
>> authenticate to one another. So the "temporary credentials" now become
>> *authorization* tokens, basically conveying to gateway's policy. Do we
>> really want to go down this path?
>>
>> Thanks,
>> 	Yaron
>>
>> On 03/21/2012 10:43 PM, Geoffrey Huang wrote:
>>> I don't understand what "temporary credentials" means.  If the intent is to have some transitive authentication (or redirection of trust hierarchy, at least) between a gateway and two spoke devices, which are trying to establish an ad-hoc connection, then I agree this would be important to have.
>>>
>>> -geoff
>>>
>>> From: Vishwas Manral <vishwas.ietf@gmail.com>
>>> Date: Wed, 21 Mar 2012 12:24:08 -0700
>>> To: Steve Hanna <shanna@juniper.net>
>>> Cc: "ipsec@ietf.org" <ipsec@ietf.org>
>>> Subject: Re: [IPsec] [ipsecme] #217: Temporary credentials
>>>
>>> Hi Steve,
>>>
>>> I think this is an important requirement for sure.
>>>
>>> Thanks,
>>> Vishwas
>>>
>>> On Tue, Mar 20, 2012 at 6:36 PM, Stephen Hanna <shanna@juniper.net> wrote:
>>> Another issue to comment on.
>>>
>>> Steve
>>>
>>> -----Original Message-----
>>> From: ipsecme issue tracker [mailto:trac@tools.ietf.org]
>>> Sent: Tuesday, March 20, 2012 7:01 PM
>>> To: yaronf.ietf@gmail.com; draft-ietf-ipsecme-p2p-vpn-problem@tools.ietf.org
>>> Subject: [ipsecme] #217: Temporary credentials
>>>
>>> #217: Temporary credentials
>>>
>>>   Endpoints may require temporary credentials in order to establish a secure
>>>   connection to another endpoint.
>>>
>>>   Suggested Resolution: Put this in the requirements section.
>>>
>
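The exchange the thread is arguing about, as an added worked example that is not part of the original message, the draft, or any IKEv2 implementation: a hub that already holds a long-term PSK for every spoke mints a short-lived per-pair PSK (Yoav's first "introduction" form, where the system invents the credential) and only does so for pairs its own policy allows (the authorization step Yaron says is indistinguishable from the second bullet). The spoke names, addresses, the HKDF-based derivation, the ticket fields, and the toy challenge/response used in place of a real IKE_AUTH exchange are all assumptions made for illustration; the clock is passed in explicitly so the expiry check is reproducible.

```python
import hashlib
import hmac
import os
import struct


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256. prk is assumed to be a
    uniformly random 32-byte master key, so the Extract step is skipped."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class Gateway:
    """Hub that authenticates every spoke (by PSK here) and is the only
    party that knows which spokes may carry traffic directly."""

    def __init__(self, master=None):
        self.master = master or os.urandom(32)  # never leaves the hub
        self.spokes = {}                          # name -> (address, hub PSK)
        self.direct_allowed = set()               # frozenset({a, b}) pairs

    def enroll(self, name, addr, hub_psk):
        self.spokes[name] = (addr, hub_psk)

    def allow_direct(self, a, b):
        self.direct_allowed.add(frozenset((a, b)))

    def introduce(self, a, b, now, lifetime=300):
        """Authorization check, then one short-lived pair PSK bound to the
        canonical pair label and the expiry. Returns (ticket_a, ticket_b)."""
        if a not in self.spokes or b not in self.spokes:
            raise KeyError("unknown spoke")
        if frozenset((a, b)) not in self.direct_allowed:
            raise PermissionError(f"policy forbids direct {a}<->{b} traffic")
        expiry = now + lifetime
        first, second = sorted((a, b))
        info = b"|".join([b"p2p-temp-psk", first.encode(), second.encode(),
                          struct.pack(">Q", expiry)])
        pair_psk = hkdf_expand(self.master, info)  # independent of both hub PSKs

        def ticket(me, peer):
            return {"me": me, "peer": peer, "peer_addr": self.spokes[peer][0],
                    "psk": pair_psk, "expiry": expiry}
        return ticket(a, b), ticket(b, a)


class Spoke:
    def __init__(self, name, hub_psk):
        self.name, self.hub_psk, self.ticket = name, hub_psk, None

    def receive_ticket(self, ticket):
        self.ticket = ticket  # would arrive inside the existing spoke<->hub tunnel

    def prove(self, peer_nonce):
        """Challenge/response keyed by the pair PSK only; hub_psk is never used."""
        msg = b"|".join([b"proof", self.name.encode(), self.ticket["peer"].encode(), peer_nonce])
        return hmac.new(self.ticket["psk"], msg, hashlib.sha256).digest()

    def verify(self, my_nonce, peer_name, proof, now):
        if now >= self.ticket["expiry"] or peer_name != self.ticket["peer"]:
            return False
        msg = b"|".join([b"proof", peer_name.encode(), self.name.encode(), my_nonce])
        expected = hmac.new(self.ticket["psk"], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def mutual_auth(spoke_a, spoke_b, now, rng=os.urandom):
    """Both directions of the handshake; True only if each side accepts."""
    na, nb = rng(16), rng(16)
    ok_a = spoke_a.verify(na, spoke_b.name, spoke_b.prove(na), now)
    ok_b = spoke_b.verify(nb, spoke_a.name, spoke_a.prove(nb), now)
    return ok_a and ok_b


def run_example(now=1332368764):
    """Constructed scenario: two authorized spokes, one enrolled but unauthorized."""
    gw = Gateway(master=b"\x01" * 32)  # fixed master so the run is reproducible
    psk_a, psk_b = b"yaron-hub-psk", b"yoav-hub-psk"
    gw.enroll("yaron", "192.168.1.2", psk_a)
    gw.enroll("yoav", "192.168.1.3", psk_b)
    gw.enroll("mallory", "192.168.1.9", b"mallory-hub-psk")
    gw.allow_direct("yaron", "yoav")
    ta, tb = gw.introduce("yaron", "yoav", now)
    a, b = Spoke("yaron", psk_a), Spoke("yoav", psk_b)
    a.receive_ticket(ta)
    b.receive_ticket(tb)
    results = {
        "auth_ok": mutual_auth(a, b, now),
        "auth_after_expiry": mutual_auth(a, b, now + 301),
        "pair_psk_is_not_hub_psk": ta["psk"] not in (psk_a, psk_b),
    }
    try:  # a valid hub credential alone does not buy direct access
        gw.introduce("mallory", "yaron", now)
        results["unauthorized_pair_refused"] = False
    except PermissionError:
        results["unauthorized_pair_refused"] = True
    tc, _ = gw.introduce("yaron", "yoav", now + 1)  # different expiry, different key
    c = Spoke("yaron", psk_a)
    c.receive_ticket(tc)
    results["mismatched_ticket_rejected"] = not mutual_auth(c, b, now)
    return results
```

The point the model makes concrete is the one in Yaron's first reply: neither spoke ever sees the other's hub credential, so a compromised or malicious spoke cannot turn a peer session into impersonation at the hub, while the hub's refusal for the unauthorized pair is exactly where "temporary credential" and "authorization token" collapse into the same thing.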