Hi Yoav,
When you say "local policy" you assume that spokes are smart enough (or
well enough provisioned) to have such policy. My assumption OTOH was
that the gateway is smarter, e.g. it knows what spokes are allowed to
communicate directly or what kind of traffic is allowed to flow directly
between spokes.
It may just be a semantic discussion, but the second bullet of your
"introduction" is to me indistinguishable from authorization.
Thanks,
Yaron
On 03/21/2012 11:48 PM, Yoav Nir wrote:
I don't think there need to be authorization tokens, as authorization can be
left to local policy.
But there always needs to be some kind of "introduction" process, and it can
take many forms:
- Yaron, Yoav is at 192.168.1.3. Use c80273f0f7dd5bdc10c38234616fde22 as PSK
- Yaron, Yoav is at 192.168.1.3. His certificate has DN:
"CN=ynir,OU=something"
In the first case, the "system" actually invented the credential, while in the
second case it just tells you about it. So temporary credentials are not strictly
necessary, but previous attempts to rely on pure PKI have been less than successful.
Yoav
On Mar 21, 2012, at 11:24 PM, Yaron Sheffer wrote:
The point of "temporary credentials" is that if these spokes normally
use EAP or PSK to authenticate to the gateway, they cannot use these
same credentials to auth to one another (because that would expose each
spoke to impersonation by the other one). So to support this scenario we
must have some other means of authentication.
This raises an interesting question: if the spokes are authenticating
with certificates, they could in principle use the same credentials to
authenticate to one another. So the "temporary credentials" now become
*authorization* tokens, basically conveying the gateway's policy. Do we
really want to go down this path?
Thanks,
Yaron
On 03/21/2012 10:43 PM, Geoffrey Huang wrote:
I don't understand what "temporary credentials" means. If the intent is to
have some transitive authentication (or redirection of trust hierarchy, at least) between
a gateway and two spoke devices, which are trying to establish an ad-hoc connection, then
I agree this would be important to have.
-geoff
From: Vishwas Manral <[email protected]>
Date: Wed, 21 Mar 2012 12:24:08 -0700
To: Steve Hanna <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [IPsec] [ipsecme] #217: Temporary credentials
Hi Steve,
I think this is an important requirement for sure.
Thanks,
Vishwas
On Tue, Mar 20, 2012 at 6:36 PM, Stephen Hanna <[email protected]> wrote:
Another issue to comment on.
Steve
-----Original Message-----
From: ipsecme issue tracker [mailto:[email protected]]
Sent: Tuesday, March 20, 2012 7:01 PM
To: [email protected]; [email protected]
Subject: [ipsecme] #217: Temporary credentials
#217: Temporary credentials
Endpoints may require temporary credentials in order to establish a secure
connection to another endpoint.
Suggested Resolution: Put this in the requirements section.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
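Yoav's two "introduction" styles and the impersonation risk Yaron raises, modelled as an added Python example (constructed here, not from the thread or any IPsec implementation; the Gateway class, the HMAC proof stand-in for the IKE AUTH computation, and the DN strings are assumptions):

```python
import hashlib
import hmac
import secrets


class Gateway:
    """Hub that already authenticates every spoke with its own long-term PSK (toy model)."""

    def __init__(self):
        self.spoke_psk = {}   # spoke -> PSK shared only between that spoke and the hub
        self.cert_dn = {}     # spoke -> certificate DN (assumed; only used for case 2)
        self.policy = set()   # frozenset({a, b}) pairs the hub allows to talk directly

    def enroll(self, name, dn=None):
        self.spoke_psk[name] = secrets.token_bytes(32)
        if dn:
            self.cert_dn[name] = dn

    def allow(self, a, b):
        self.policy.add(frozenset({a, b}))

    def _check_policy(self, a, b):
        if frozenset({a, b}) not in self.policy:
            raise PermissionError(f"policy does not allow {a} <-> {b}")

    def introduce_psk(self, a, b):
        """Case 1: the hub invents a fresh per-pair PSK and hands it to both sides."""
        self._check_policy(a, b)
        pair_psk = secrets.token_bytes(32)
        return {a: pair_psk, b: pair_psk}

    def introduce_cert(self, a, b):
        """Case 2: the hub only tells each side which DN to expect from the peer."""
        self._check_policy(a, b)
        return {a: self.cert_dn[b], b: self.cert_dn[a]}

    def naive_reuse(self, a):
        """What the thread warns against: handing spoke a's hub PSK to another spoke."""
        return self.spoke_psk[a]


def prove(psk, nonce):
    """Toy PSK proof-of-possession; stands in for the real IKE AUTH payload."""
    return hmac.new(psk, nonce, hashlib.sha256).digest()


def can_impersonate(gw, victim, learned_key):
    """True if `learned_key` lets its holder pass as `victim` to the hub."""
    nonce = secrets.token_bytes(16)
    return hmac.compare_digest(prove(learned_key, nonce),
                               prove(gw.spoke_psk[victim], nonce))
```

The pair PSK proves nothing to the hub, so a peer that holds it cannot impersonate the other spoke there; reusing the hub PSK would.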