[anonsec] details of IKE/IPsec channel binding

[Michael Richardson]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
    Nicolas> That's because EAP, by its applicability, would be used in
    Nicolas> IPsec VPN-type use cases, and so the end-points of the
    Nicolas> channel would be the client and the SG, which have already
    Nicolas> authenticated each other, so why authenticate again at the
    Nicolas> application layer?

  Because the application layer isn't aware of whether or not the "VPN"
is actually active or not. Take the case of a laptop doing an NFS mount
of a server (assume NFS server and VPN gateway are co-located, such as 
happens with a small office server).
  When at "home", there is no tunnel, so the application needs to
authenticate. When remote, it can exploit the IPsec tunnel that exists.

  (Ironically, if you have any hardware offload on the gateway, it would
actually be better to use the IPsec all the time, since the hardware is
likely faster, and you can, when local, probably get more use of it...)
  
    Nicolas> Well, the channel binding could be done inside EAP, and
    Nicolas> this could be used to enroll client public keys (a useful
    Nicolas> use case if you want to do two-factor authentication where
    Nicolas> one factor is a BTNS key and it is enrolled by one-time
    Nicolas> one-factor authentication).

  But, it still doesn't tell the application that it can avoid a second
layer of encryption.

    Nicolas> Look at RFC2743 or RFC2744 and look at the function
    Nicolas> signatures for
    Nicolas> GSS_Init_sec_context()/GSS_Accept_sec_context().

    Nicolas> In the GSS-API (and in SASL/GS2) channel bindings are as an
    Nicolas> input to a black box at each peer -- both have to provide
    Nicolas> the same channel binding octet strings, else -> failure[*].

    Nicolas> The black box can (and does, e.g., in the case of the
    Nicolas> Kerberos V GSS mech) cause hashes/MACs of the channel
    Nicolas> bindings octet strings to be exchanged.

  But are they compared with memcmp(), or with a function?

- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBRhT6i4CLcPvd0N1lAQLadQf/aF7ijAQb1YX4dU76e64h6PUSfsdGiM2z
WOPjFE5FPWH3/N4es/W3cVRZ/fD4+oEeZPG1xyFOOl8/6fF+RYUvypXx3FgQJvsk
pUhKkTmH5AAZSoJLD7H6tQXCRwPCJwQWP6zrIG1nSDjXPzlKUsCDPBgn8ai15l/L
6u6fjY96SUJemeCi23rTkKDpPPBiXM1QcmMlsgyzCjYLddgBNCLzbRNf8nmpH9h4
dcaz6ZJDPVlXzs8K8r0PmW8eYmJ3/kVvvE06Nqe/zf7d2XT/+y6fK4hBoCjTV4Rd
xiwdrnyOA1C46SkdtWVas7wO/KgLyFU58q15u53EA3Pae1QuFyqZWg==
=op6d
-----END PGP SIGNATURE-----