Subject: Re: IPSEC and user vs machine authentication
To: None <,>
From: Michael Richardson <>
List: tech-security
Date: 08/15/2005 11:43:46

>>>>> "Daniel" == Daniel Carosone <> writes:
    Daniel> Even if one trusts racoon with these credentials, there
    Daniel> doesn't appear to be any way to select which identity should
    Daniel> be used for a given socket, or to bind an identity with a
    Daniel> local uid, or to pass/delegate credentials to racoon per
    Daniel> user.  This has implications both for multi-user machines
    Daniel> (including 'non-credentialled processes' on single-user
    Daniel> machines), and for users who move between multiple machines.

    Daniel> I'm looking for the ability to have network connections
    Daniel> authenticated with IPSEC on a per-user basis (using
    Daniel> certificates, kerberos and/or XAUTH hybrid mode) via
    Daniel> encapsulation, both for applications and protocols without
    Daniel> native support for such mechanisms in the endpoints, and for
    Daniel> authenticated traversal of intermediate gateways.

  So, this was work that Bill Sommerfeld and I were trying to
standardize as a piece of work that many call "PF_POLICY" (but we didn't
want to actually make the API a socket-based one, leaving that for the
implementor to worry about).
  The first step was to do the opposite --- permit an application to ask
"how was this socket protected", with what you want being step two.

-- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
] mcr @           Now doing IPsec training, see   |net architect[
]   |device driver[
]                    I'm a dad:                 [