Re: [Softwires] WG last call on the security document
Tero Kivinen <kivinen@kivinen.iki.fi> Tue, 04 December 2007 18:03 UTC
Message-ID: <18261.37926.618427.654857@fireball.kivinen.iki.fi>
Date: Tue, 04 Dec 2007 19:53:42 +0200
From: Tero Kivinen <kivinen@kivinen.iki.fi>
To: softwires@ietf.org
Subject: Re: [Softwires] WG last call on the security document
Cc: Pasi.Eronen@nokia.com
When I was talking about IPsec transport mode NAT-T with some other
people (i.e. what to say about transport mode and NAT-T in the
ikev2bis), we noticed another problem with the current PAD / SPD
entries.

The problem is that if the client is coming from behind NAT we cannot
know the SI_address. We could know the NAT_SI_address, provided the
initiator is using some kind of static NAT system, but with the
roaming cases, we do not know anything about the source address.

This means that PAD on the SC should be:

SC PAD:
  - IF remote_identity = user_1
    Then authenticate (shared secret/certificate/EAP) and authorize
    CHILD_SAs for symbolic name "l2tp_spd_entry"

And the SPD-S would be:

  - IF name="l2tp_spd_entry"
       local_address=IPv4-SC
       remote_address=ANY (PFP=1)
       next_layer_protocol=UDP
       local_port=1701
       remote_port=ANY (PFP=1)
    Then use SA ESP transport mode

I.e. we create a symbolic name in the PAD which says that user_1 can
create SAs as specified by the SPD entry matching that name. Then we
add that name to the SPD entry, so user_1 can only use that specific
SPD entry. In the normal case we of course have lots of different PAD
entries (or just one, using for example partial distinguished name
matching) but they can each map to the same SPD entry only allowing
them to use L2TP.
-- 
kivinen@safenet-inc.com
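The PAD-to-SPD binding described in the message above, as an added example that is not part of the original message or of any Softwires WG document: a small Python model of the RFC 4301 responder-side lookup in which the PAD entry for an authenticated identity names the SPD entries that identity may use, and the SPD entry's PFP=1 selectors are filled in from the peer's proposal because a roaming peer behind NAT has no predictable address. The concrete values are constructed for the illustration: IPv4-SC is assumed to be 192.0.2.1, user_1 is assumed to appear from 10.0.0.5, and the extra "admin_1" / "mgmt_ssh" entries exist only to show that the same selectors are refused when the PAD does not authorize the name. The function and field names are this example's own, not an API of any implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = "ANY"   # wildcard selector; with PFP=1 the SA takes the proposed value instead

@dataclass(frozen=True)
class PadEntry:
    identity: str          # remote_identity, matched exactly in this model
    auth: str              # shared secret / certificate / EAP
    spd_names: frozenset   # symbolic SPD names this identity is authorized for

@dataclass(frozen=True)
class SpdEntry:
    name: str
    local_address: str     # address or CIDR of the SC
    remote_address: str    # address, CIDR or ANY
    next_layer_protocol: str
    local_port: object     # int or ANY
    remote_port: object    # int or ANY
    pfp: frozenset         # selector fields flagged PFP=1
    action: str

@dataclass(frozen=True)
class TrafficSelector:
    """Initiator's proposal (TSi/TSr) collapsed to single values (constructed)."""
    remote_address: str    # peer address as carried in the proposal
    local_address: str     # SC address the peer targets
    protocol: str
    remote_port: int
    local_port: int

def _addr_ok(rule: str, value: str) -> bool:
    return rule == ANY or ip_address(value) in ip_network(rule, strict=False)

def _port_ok(rule, value: int) -> bool:
    return rule == ANY or rule == value

def authorize_child_sa(pad, spd, peer_identity, ts) -> Optional[Tuple[str, dict]]:
    """Find the PAD entry for the authenticated identity, then search only
    the SPD entries whose symbolic name that PAD entry allows.  Returns
    (entry name, effective SA selectors) or None when the CHILD_SA must
    be refused."""
    pad_entry = next((p for p in pad if p.identity == peer_identity), None)
    if pad_entry is None:
        return None                        # peer not in the PAD at all
    for e in spd:
        if e.name not in pad_entry.spd_names:
            continue                       # entry exists but not for this peer
        if not (_addr_ok(e.local_address, ts.local_address)
                and _addr_ok(e.remote_address, ts.remote_address)
                and e.next_layer_protocol == ts.protocol
                and _port_ok(e.local_port, ts.local_port)
                and _port_ok(e.remote_port, ts.remote_port)):
            continue
        # PFP=1 fields take the proposed value; the rest keep the SPD value.
        rule = {"local_address": e.local_address, "remote_address": e.remote_address,
                "next_layer_protocol": e.next_layer_protocol,
                "local_port": e.local_port, "remote_port": e.remote_port}
        proposed = {"local_address": ts.local_address, "remote_address": ts.remote_address,
                    "next_layer_protocol": ts.protocol,
                    "local_port": ts.local_port, "remote_port": ts.remote_port}
        effective = {k: (proposed[k] if k in e.pfp else rule[k]) for k in rule}
        effective["action"] = e.action
        return e.name, effective
    return None

# Constructed configuration mirroring the message; IPv4-SC assumed to be 192.0.2.1.
IPV4_SC = "192.0.2.1"
SC_PAD = [
    PadEntry("user_1", "certificate", frozenset({"l2tp_spd_entry"})),
    PadEntry("admin_1", "certificate", frozenset({"l2tp_spd_entry", "mgmt_ssh"})),
]
SC_SPD = [
    SpdEntry("l2tp_spd_entry", IPV4_SC, ANY, "UDP", 1701, ANY,
             frozenset({"remote_address", "remote_port"}), "PROTECT ESP transport"),
    SpdEntry("mgmt_ssh", IPV4_SC, ANY, "TCP", 22, ANY,
             frozenset({"remote_address", "remote_port"}), "PROTECT ESP transport"),
]

def roaming_user_l2tp():
    # user_1 behind NAT: its address (10.0.0.5, assumed) is not known in advance,
    # so the SPD wildcard plus PFP=1 is what lets the SA be narrowed to it.
    ts = TrafficSelector("10.0.0.5", IPV4_SC, "UDP", 1701, 1701)
    return authorize_child_sa(SC_PAD, SC_SPD, "user_1", ts)

def user_tries_ssh():
    # Same peer asks for TCP/22: mgmt_ssh matches the selectors, but user_1's
    # PAD entry only names l2tp_spd_entry, so the CHILD_SA is refused.
    ts = TrafficSelector("10.0.0.5", IPV4_SC, "TCP", 40000, 22)
    return authorize_child_sa(SC_PAD, SC_SPD, "user_1", ts)

def unknown_peer():
    ts = TrafficSelector("10.0.0.5", IPV4_SC, "UDP", 1701, 1701)
    return authorize_child_sa(SC_PAD, SC_SPD, "user_9", ts)

if __name__ == "__main__":
    print(roaming_user_l2tp())
    print(user_tries_ssh(), unknown_peer())
```

The point the model makes explicit is that the symbolic name does the authorization work: the SPD entry's selectors alone would accept any peer that proposes UDP/1701 to the SC, and it is the PAD entry listing "l2tp_spd_entry" that restricts user_1 to that one entry while still letting the remote address and port be taken from the proposal.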
- [Softwires] WG last call on the security document Alain Durand
- [Softwires] WG last call on the security document Tero Kivinen
- Re: [Softwires] WG last call on the security docu… Florent Parent
- Re: [Softwires] WG last call on the security docu… Tero Kivinen
- Re: [Softwires] WG last call on the security docu… Tero Kivinen
- Re: [Softwires] WG last call on the security docu… Florent Parent
- Re: [Softwires] WG last call on the security docu… Florent Parent