
Re: multiple phase 1 tunnel and proxy ID issues



Hello, Bronislav.

> Mobile User's IP address is contained in all packets coming out of the mobile
> host (Source Address). Why do we need explicitly supply it in Phase 2 ID? What
> if his IP Address used in Phase 2 ID doesn't match the Source Address of his
> packets for some reason? If we bother to check this match, why don't we just
> use the Source IP Address to do the mapping and get away with using IP Address
> as a Phase 2 ID?
> 
> In other words ID->IP translation could be done by mapping Phase 1 User ID
> (USER_FQDN, FQDN, DN) to Source IP Address of any packets arriving from this
> host.

I suppose there could be a (theoretical) threat using an 
unauthenticated IDui in Phase II (which is the case when I take the 
IP address from the packet header or, as proposed too, when an 
(insecure) DNS lookup is used to determine it from DN / FQDN), but I 
can't prove it yet. 
Maybe a real cryptographer could help... 

Kai

# Kai Martius                                                           #
# Dpt. of Medical CS and Biometrics / Dresden University of Technology  #
# PGP Fingerprint: to be compared after download of my key              #
# Key and more info (especially IP-security related) see my Homepage    #
# http://www.imib.med.tu-dresden.de/imib/personal/kai.html              #
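The two mappings discussed in this exchange, an explicitly negotiated Phase 2 ID that the gateway pins to the Phase 1 identity and checks on every inbound packet, versus learning the user's address from the source field of whatever arrives through the tunnel, as a toy model added here. It is not code from the thread or from any IPsec implementation; the Gateway and Tunnel classes, the identities and the 10.0.0.0/8 addresses are constructed for illustration, and the "explicit" branch stands in for the inbound selector check that IPsec processing performs against the SA (RFC 2401).

```python
"""Toy model: explicit Phase 2 ID vs. address learned from packet headers.

Added example, not part of the original thread.  All identities,
addresses and class names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tunnel:
    phase1_id: str            # identity authenticated in Phase 1 (USER_FQDN, FQDN, DN)
    proxy_id: Optional[str]   # inner address negotiated as the Phase 2 ID, if any


class Gateway:
    """Hypothetical security gateway keeping an inner-address -> identity table."""

    def __init__(self, policy: str) -> None:
        if policy not in ("explicit", "learn"):
            raise ValueError("policy must be 'explicit' or 'learn'")
        self.policy = policy
        self.owner_of: Dict[str, str] = {}   # inner address -> Phase 1 identity

    def establish(self, t: Tunnel) -> bool:
        """Phase 2 set-up.  Returns False when the SA is refused."""
        if self.policy == "learn":
            return True                      # nothing is pinned down yet
        if t.proxy_id is None:
            return False                     # explicit policy needs a Phase 2 ID
        if self.owner_of.get(t.proxy_id, t.phase1_id) != t.phase1_id:
            return False                     # address already pinned to someone else
        self.owner_of[t.proxy_id] = t.phase1_id
        return True

    def inbound(self, t: Tunnel, inner_src: str) -> Optional[str]:
        """Decapsulated packet from tunnel t.  Returns the identity it is
        attributed to, or None when the packet is dropped."""
        if self.policy == "explicit":
            # Selector check: inner source must equal the negotiated Phase 2 ID.
            return t.phase1_id if inner_src == t.proxy_id else None
        # Learned mapping: whoever last used the address owns it.
        self.owner_of[inner_src] = t.phase1_id
        return t.phase1_id


def run_scenario(policy: str) -> Tuple[List[Optional[str]], bool, Dict[str, str]]:
    """Two legitimate users, then a third tunnel claiming the first user's address.

    Returns (per-packet attribution, whether the third SA was accepted,
    final address -> identity table)."""
    gw = Gateway(policy)
    explicit = policy == "explicit"
    alice = Tunnel("alice@example.org", "10.0.0.5" if explicit else None)
    bob = Tunnel("bob@example.org", "10.0.0.6" if explicit else None)
    if not (gw.establish(alice) and gw.establish(bob)):
        raise RuntimeError("legitimate SAs must be accepted")

    results = [
        gw.inbound(alice, "10.0.0.5"),   # alice from her own address
        gw.inbound(bob, "10.0.0.6"),     # bob from his own address
        gw.inbound(bob, "10.0.0.5"),     # bob's tunnel carrying alice's address
    ]
    # A third authenticated user negotiating alice's address as Phase 2 ID.
    mallory = Tunnel("mallory@example.org", "10.0.0.5" if explicit else None)
    third_accepted = gw.establish(mallory)
    return results, third_accepted, dict(gw.owner_of)


if __name__ == "__main__":
    for p in ("explicit", "learn"):
        print(p, run_scenario(p))
```

With the explicit policy the packet whose inner source does not match the tunnel's Phase 2 ID is dropped and the conflicting third SA is refused, so the address table stays bound to the identities authenticated in Phase 1. With the learned mapping the same packets are all accepted and the table ends up attributing 10.0.0.5 to whichever tunnel used it last, which is the unauthenticated binding the reply above worries about.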