Subject: Re: IPSEC and user vs machine authentication
To: None <firstname.lastname@example.org>
From: Love Hörnquist Åstrand <email@example.com>
Date: 08/15/2005 19:35:30
Daniel Carosone <firstname.lastname@example.org> writes:
> Right now, there are two paths into having a particular network
> connection (say, a TCP session) encrypted/authenticated with IPSEC:
> either via the setkey packet-filter SPD, or via per-socket policy set
> by the application.
> There are similarities in requirements here for other kernel-mediated
> network activities that may involve authentication, too, such as
> potential Kerberised-RPC NFS or SMBFS. Are there any facilities for
> this I have missed, prior art, thoughts, designs, active work,
> comments, etc?
Pushing down the credential into IKE is one way to do it.
Another way is to not care about what credential IKE negotiated, but rather
just use the channel and bind it to your applications security context
negotiation. One way to do that would be to fold something like IKE
equivalent of secsh's `The exchange hash H' into your applications
This is one of the BTNS working group's items.
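The second approach in the reply, binding the application's own security-context negotiation to a channel identifier derived from the key exchange, as an added example that is not code from the post, from IKE or from any BTNS implementation. It assumes a toy Diffie-Hellman group, a SHA-256 transcript hash standing in for secsh's exchange hash H, and an HMAC challenge-response under a shared application key `app_key` as the application-layer authentication; all three are illustrative choices, not anything the thread specifies. The point it shows is that a proof computed over the client's view of H fails to verify against the server's view whenever an active man-in-the-middle has run two separate exchanges, while the same proof without the binding relays cleanly:

```python
"""Binding application authentication to a key-exchange hash.

Added example (not from the original post).  The channel's key exchange may
have used any credential or none at all (BTNS style); the application does
not care which.  It derives a channel identifier from the exchange itself,
the analogue of secsh's exchange hash H, and folds it into its own proof of
credential possession, so the proof is only valid on the channel it was
produced on.  DH group, hash layout and HMAC proof are all assumptions.
"""

import hashlib
import hmac
import secrets
from typing import Optional

# Toy DH group for illustration only: p = 2**64 - 59 is prime, g = 2.
# A real channel uses a standard IKE/SSH group of proper size.
P = (1 << 64) - 59
G = 2


def _int_bytes(n: int) -> bytes:
    # Length-prefixed big-endian encoding so concatenation is unambiguous.
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return len(raw).to_bytes(4, "big") + raw


def exchange_hash(e: int, f: int, k: int) -> bytes:
    """Hash over the key-exchange transcript, in the spirit of secsh's H:
    initiator value e, responder value f and shared secret K.  Both ends of
    one exchange compute the same value; two separate exchanges (which is
    what a man-in-the-middle must run) yield different values."""
    return hashlib.sha256(_int_bytes(e) + _int_bytes(f) + _int_bytes(k)).digest()


def dh_exchange():
    """One DH exchange.  Returns the exchange hash as computed by the
    initiator and by the responder (they are equal)."""
    a = secrets.randbelow(P - 2) + 2
    b = secrets.randbelow(P - 2) + 2
    e, f = pow(G, a, P), pow(G, b, P)
    return exchange_hash(e, f, pow(f, a, P)), exchange_hash(e, f, pow(e, b, P))


def app_proof(app_key: bytes, nonce: bytes, channel_hash: Optional[bytes]) -> bytes:
    """Application-layer proof of possession of app_key (assumed shared
    secret).  With channel_hash the proof is bound to that channel; with
    None it is a plain challenge-response that any channel can relay."""
    msg = b"app-auth" + nonce + (channel_hash if channel_hash is not None else b"")
    return hmac.new(app_key, msg, hashlib.sha256).digest()


def app_verify(app_key: bytes, nonce: bytes, channel_hash: Optional[bytes],
               proof: bytes) -> bool:
    return hmac.compare_digest(app_proof(app_key, nonce, channel_hash), proof)


def direct_session(app_key: bytes) -> bool:
    """Client and server share one channel, so their views of H agree and
    the bound proof verifies."""
    client_h, server_h = dh_exchange()
    nonce = secrets.token_bytes(16)
    return app_verify(app_key, nonce, server_h, app_proof(app_key, nonce, client_h))


def relayed_session(app_key: bytes, bound: bool) -> bool:
    """An active man-in-the-middle runs one key exchange with the client and
    a second one with the server, then relays the application auth bytes
    verbatim.  It never learns app_key, so it cannot mint its own proof."""
    client_h, _ = dh_exchange()   # client <-> MITM channel
    _, server_h = dh_exchange()   # MITM <-> server channel, a different H
    nonce = secrets.token_bytes(16)
    proof = app_proof(app_key, nonce, client_h if bound else None)
    return app_verify(app_key, nonce, server_h if bound else None, proof)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("direct, bound:   ", direct_session(key))          # True
    print("relayed, unbound:", relayed_session(key, False))  # True: relay works
    print("relayed, bound:  ", relayed_session(key, True))   # False: split detected
```

The binding only helps if the application proof is keyed by something the relay does not hold (here `app_key`) and if the channel hash covers the whole key-exchange transcript, including the shared secret; hashing only the public values would let a relay that reuses the same ephemeral values on both sides defeat it.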