Re: IPSEC standardization status
My question is probably answered by Ted's post (which I just received),
but I'll toss this out anyway:
On March 9 additional ISAKMP ID payload types were referred to here -
following is a trimmed portion of that discussion:
Daniel Harkins wrote:
> Michael Richardson wrote:
> > Pertinent issues that are important to get working road
> > warrior/gateway tunnels:
> > 1. end client has no permanent IP address. The ID payload
> > will therefore be FQDN or user@FQDN.
>
> Or ID_DER_ASN1_DN-- the DER encoding of the DN of the certificate.
>
> > 2. due to #1, and the fact that the ID payload is not sent
> > until the third exchange, a road warrior can not use
> > pre-shared-keys for ISAKMP using main mode. The right
> > pre-shared-key can not be selected. Section 5.4 of
> > isakmp-oakley-06.txt mentions this. Aggressive mode can be
> > used, but obviously, it does not provide identity protection.
>
> This is mitigated by the use of the ID_KEY_ID type. From the DOI:
>
> 4.6.2.12 ID_KEY_ID
>
> The ID_KEY_ID type specifies an opaque byte stream which may be used
> to pass vendor-specific information necessary to identify which
> pre-shared key should be used to authenticate Aggressive mode
> negotiations.
<SNIP...>
Was there consensus on these additions to the ISAKMP doc? I would like
to see them added; would anyone else?
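The key-selection problem the quoted thread describes, modelled as an added example (not code from the original post or from any ISAKMP implementation). It assumes a simplified responder with two constructed PSK tables (placeholder keys, not real secrets), the RFC 2409 form of SKEYID for pre-shared-key authentication, prf(pre-shared-key, Ni_b | Nr_b), with HMAC-SHA1 standing in as the prf, and it ignores the rest of phase 1. In main mode the responder has to choose the PSK before the ID payload arrives, so a peer from an unknown address gets no key; in aggressive mode an ID_KEY_ID value in message 1 selects the PSK regardless of source address.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed responder (gateway) configuration for the example; the key
# material is a placeholder, not a real credential.
PSK_BY_PEER_ADDRESS = {
    "192.0.2.10": b"psk-for-fixed-address-peer",
}
PSK_BY_KEY_ID = {
    b"roadwarrior-0042": b"psk-for-roadwarrior-0042",
}


def skeyid_psk(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication in the RFC 2409 form
    prf(pre-shared-key, Ni_b | Nr_b); HMAC-SHA1 plays the prf here."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha1).digest()


def select_psk_main_mode(source_addr: str) -> Optional[bytes]:
    """Main mode: messages 5 and 6, which carry the ID payload, are already
    encrypted under keys derived from SKEYID, so the responder must pick the
    PSK before it sees any identity. Its only selector is the source address,
    which a road warrior does not have a fixed value for."""
    return PSK_BY_PEER_ADDRESS.get(source_addr)


def select_psk_aggressive_mode(id_payload: bytes) -> Optional[bytes]:
    """Aggressive mode: the ID payload is sent in the clear in message 1, so an
    opaque ID_KEY_ID value can index the PSK table directly, independent of
    where the initiator connects from (at the cost of identity protection)."""
    return PSK_BY_KEY_ID.get(id_payload)


def phase1(mode: str, source_addr: str, id_payload: bytes,
           client_psk: bytes) -> Tuple[bool, bool]:
    """Run the responder's key selection for one exchange and check whether
    both sides derive the same SKEYID.
    Returns (responder_found_a_key, skeyids_match)."""
    nonce_i, nonce_r = os.urandom(16), os.urandom(16)
    if mode == "main":
        responder_psk = select_psk_main_mode(source_addr)
    elif mode == "aggressive":
        responder_psk = select_psk_aggressive_mode(id_payload)
    else:
        raise ValueError("unknown mode: %s" % mode)
    if responder_psk is None:
        # No key, so the responder cannot even derive SKEYID; in main mode
        # this is exactly the road-warrior failure from the thread.
        return False, False
    match = hmac.compare_digest(
        skeyid_psk(client_psk, nonce_i, nonce_r),
        skeyid_psk(responder_psk, nonce_i, nonce_r),
    )
    return True, match


if __name__ == "__main__":
    # Fixed-address peer: main mode works because the address selects the key.
    print("main, known address:", phase1("main", "192.0.2.10",
                                          b"ignored", b"psk-for-fixed-address-peer"))
    # Road warrior from a dynamic address: main mode cannot pick a key.
    print("main, roaming address:", phase1("main", "198.51.100.7",
                                            b"roadwarrior-0042", b"psk-for-roadwarrior-0042"))
    # Same road warrior using aggressive mode with ID_KEY_ID: key is found.
    print("aggressive, ID_KEY_ID:", phase1("aggressive", "198.51.100.7",
                                            b"roadwarrior-0042", b"psk-for-roadwarrior-0042"))
```

The two selector functions are the whole point: `select_psk_main_mode` only ever sees an address, while `select_psk_aggressive_mode` sees the identity. An ID_DER_ASN1_DN identity with certificate authentication avoids the problem in main mode because signature verification does not need a per-peer secret chosen before the ID arrives.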