Subject: Re: IPSEC and user vs machine authentication
To: Bill Studenmund <>
From: Michael Richardson <>
List: tech-security
Date: 08/17/2005 09:22:20

>>>>> "Bill" == Bill Studenmund <> writes:
    Bill> I suggest you look at the channel binding work. It's not done
    Bill> AFAIK, but it takes a slightly different approach. Rather than
    Bill> look at the IPsec IDs, it just requires that both ends of an
    Bill> application authentication are using the same end-to-end IPsec
    Bill> negotiation; specifically they agree on a hash of the
    Bill> data. Doesn't matter what the IDs are, or even if they are
    Bill> expressible in terms of the application's ID space. It just
    Bill> matters that they agree.

    Bill> My gut instinct is that channel binding will be easier and
    Bill> safer in the long run than say using IPsec IDs for application
    Bill> level authentication.

  Bill, since I was too quick on the last one (and I've now had another
swig of caffeine), let me continue:

  There are a number of classes of application where you don't care who
the end-user is, as long as they are the same user as they were last

  You may even use other authentication mechanisms the first time to
match the ID (expressed in the form of a public key!) to the user. You
can do this in-band in the protocol, in IKE (XAUTH for instance), or even
out-of-band (SMB's certificate enrollment process).

  Channel binding then replaces the in-band authentication that the
process would normally do, to assure everyone that they are not being

-- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
] mcr @           Now doing IPsec training, see   |net architect[
]   |device driver[
]                    I'm a dad:                 [
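The mechanism Bill describes, and that Michael builds on, is that each end of the application authentication folds its own view of the secure-channel negotiation (a hash of the data) into the application-level proof, so the proof only verifies when both ends are on the same end-to-end channel. The following is an added illustration written for this archive page; it is not code from either poster or from any IPsec implementation. It stands in a SHA-256 over a constructed negotiation transcript for the real IKE/IPsec negotiation hash, uses a hypothetical shared application key `APP_KEY`, and shows that a proof made over one channel does not verify against a server whose channel transcript differs.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the transcript of a secure-channel negotiation
# (in the thread's setting this would be the IPsec/IKE exchange). Any handshake
# that both peers observe identically would do; here they are labelled bytes.
CHANNEL_A = b"constructed-negotiation: client<->server, peer keys K1,K2, nonces N1,N2"
CHANNEL_B = b"constructed-negotiation: relay<->server,  peer keys K3,K2, nonces N3,N4"

# Hypothetical application-level secret shared by client and server.
APP_KEY = b"constructed-application-shared-secret"


def channel_binding(transcript: bytes) -> bytes:
    """Channel-binding value: a hash over the secure-channel negotiation.

    Each endpoint computes this from what *it* saw on the wire, so the two
    values agree only when both are on the same end-to-end channel.
    """
    return hashlib.sha256(b"channel-binding-v1|" + transcript).digest()


def auth_response(app_key: bytes, challenge: bytes, cb: bytes) -> bytes:
    """Client's proof: a MAC over the server's challenge *and* the channel binding."""
    msg = b"app-auth|" + challenge + b"|" + cb
    return hmac.new(app_key, msg, hashlib.sha256).digest()


def verify(app_key: bytes, challenge: bytes, server_cb: bytes, response: bytes) -> bool:
    """Server recomputes the expected proof using its own view of the channel."""
    expected = auth_response(app_key, challenge, server_cb)
    return hmac.compare_digest(expected, response)


def authenticate(client_transcript: bytes, server_transcript: bytes) -> bool:
    """Run the application authentication, each side binding to its own channel."""
    challenge = os.urandom(16)                       # server-chosen nonce
    client_cb = channel_binding(client_transcript)   # client's view of the channel
    response = auth_response(APP_KEY, challenge, client_cb)
    server_cb = channel_binding(server_transcript)   # server's view of the channel
    return verify(APP_KEY, challenge, server_cb, response)


def run_direct() -> bool:
    # One end-to-end channel shared by client and server: same transcript, same cb.
    return authenticate(CHANNEL_A, CHANNEL_A)


def run_relayed() -> bool:
    # The client's channel (A) terminates somewhere other than the server, and
    # the server sees a different negotiation (B). Forwarding the client's proof
    # unchanged does not help: the server's binding value comes from B.
    return authenticate(CHANNEL_A, CHANNEL_B)


if __name__ == "__main__":
    print("direct :", run_direct())    # True
    print("relayed:", run_relayed())   # False
```

Note that neither side ever compares IPsec identities here: the application only needs the two binding values to agree, which is exactly Bill's "it just matters that they agree", and the binding is what lets the in-band proof stand in for a separate application-level check of the peer.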