
Re: IPSEC standardization status



My question is probably answered by Ted's post (which I just received),
but I'll toss this out anyway:

On March 9 additional ISAKMP ID payload types were referred to here -
following is a trimmed portion of that discussion:

Daniel Harkins wrote:
> Michael Richardson wrote: 
> >   Pertinent issues that are important to get working road
> > warrior/gateway tunnels:
> >       1. end client has no permanent IP address. The ID payload
> >       will therefore be FQDN or user@FQDN.
> 
> Or ID_DER_ASN1_DN-- the DER encoding of the DN of the certificate.
> 
> >       2. due to #1, and the fact that the ID payload is not sent
> >       until the third exchange, a road warrior can not use
> >       pre-shared-keys for ISAKMP using main mode. The right
> >       pre-shared-key can not be selected. Section 5.4 of
> >       isakmp-oakley-06.txt mentions this. Aggressive mode can be
> >       used, but obviously, it does not provide identity protection.
> 
> This is mitigated by the use of the ID_KEY_ID type. From the DOI:
> 
>    4.6.2.12 ID_KEY_ID
> 
>       The ID_KEY_ID type specifies an opaque byte stream which may be
>       used to pass vendor-specific information necessary to identify
>       which pre-shared key should be used to authenticate Aggressive mode
>       negotiations.

<SNIP...>

Was there consensus on these additions to the ISAKMP doc? I would like
to see them added; would anyone else?
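The quoted exchange turns on message timing: in Main Mode the responder has to pick the pre-shared key before it sees the initiator's ID payload, so a peer on a dynamic address has nothing to be keyed by, whereas Aggressive Mode carries IDii in the first message and an ID_KEY_ID value can select the key. The following simulation of a responder's key lookup is an added example, not code from the original post or from any IKE implementation. The payload layout follows the ISAKMP Identification payload (RFC 2408 section 3.8) with the DOI-specific ID Type / Protocol ID / Port fields (RFC 2407 section 4.6.2), and SKEYID for pre-shared-key authentication follows RFC 2409 section 5.4; the key table, addresses, key-ID value and nonces are constructed sample data.

```python
"""Simulated IKEv1 responder PSK selection: why a road warrior cannot use
pre-shared keys in Main Mode, and how ID_KEY_ID in Aggressive Mode helps.

Added example, not code from the original post.  Payload layouts follow
RFC 2408 section 3.8 and RFC 2407 section 4.6.2; the key table, addresses
and nonces below are constructed sample data."""
import hashlib
import hmac
import struct

# ID types from the IPsec DOI (RFC 2407, 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_KEY_ID = 11

# Constructed PSK table: the gateway indexes a static peer by IP address
# and a road-warrior account by an opaque ID_KEY_ID value.
PSK_BY_IP = {"192.0.2.10": b"branch-office-secret"}
PSK_BY_KEY_ID = {b"rw-account-0042": b"road-warrior-secret"}


def build_id_payload(id_type, id_data, next_payload=0, proto=0, port=0):
    """Encode an ISAKMP Identification payload: generic header (Next
    Payload, RESERVED, Payload Length) then ID Type, Protocol ID, Port and
    the identification data."""
    body = struct.pack("!BBH", id_type, proto, port) + id_data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(data):
    """Return (id_type, id_data) from an encoded Identification payload."""
    _next, _reserved, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 8:
        raise ValueError("bad ID payload length")
    id_type, _proto, _port = struct.unpack("!BBH", data[4:8])
    return id_type, data[8:]


def select_psk_main_mode(peer_ip):
    """Main Mode: the responder must derive SKEYID (and so choose the PSK)
    before it can decrypt message 5, the first message carrying the
    initiator's ID.  The only selector available is the source address."""
    return PSK_BY_IP.get(peer_ip)


def select_psk_aggressive_mode(id_payload):
    """Aggressive Mode: message 1 already carries IDii, so the responder can
    pick the PSK from the identity, e.g. an opaque ID_KEY_ID value."""
    id_type, id_data = parse_id_payload(id_payload)
    if id_type == ID_KEY_ID:
        return PSK_BY_KEY_ID.get(id_data)
    if id_type == ID_IPV4_ADDR and len(id_data) == 4:
        return PSK_BY_IP.get(".".join(str(b) for b in id_data))
    return None


def skeyid_psk(psk, ni_b, nr_b, hash_name="sha1"):
    """SKEYID for pre-shared-key authentication (RFC 2409, 5.4):
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b), with prf = HMAC-<hash>."""
    return hmac.new(psk, ni_b + nr_b, hash_name).digest()


def road_warrior_main_mode(dynamic_ip):
    """A road warrior on a dynamic address has no IP-keyed entry: the
    responder cannot select a PSK, so Main Mode with PSK fails."""
    return select_psk_main_mode(dynamic_ip)


def road_warrior_aggressive_mode(key_id, ni_b, nr_b):
    """The same road warrior in Aggressive Mode sending ID_KEY_ID: the
    responder finds the key and derives SKEYID (None if the ID is unknown)."""
    idii = build_id_payload(ID_KEY_ID, key_id)
    psk = select_psk_aggressive_mode(idii)
    if psk is None:
        return None
    return skeyid_psk(psk, ni_b, nr_b)


if __name__ == "__main__":
    ni, nr = b"\x11" * 16, b"\x22" * 16  # constructed nonces
    print("main mode, dynamic IP :", road_warrior_main_mode("203.0.113.77"))
    print("aggressive, ID_KEY_ID :",
          road_warrior_aggressive_mode(b"rw-account-0042", ni, nr).hex())
```

The Main Mode lookup returns nothing for the dynamic address because the responder has only the source IP at the point where it needs the key; the Aggressive Mode path parses IDii from the first message and derives the same SKEYID the initiator will compute, which is the property the ID_KEY_ID text in the DOI is describing.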

