[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

More questions on ID types

To: ipsec@tis.com, ddp@network-alchemy.com
Subject: More questions on ID types
From: Vipul Gupta <vgupta@nobel.Eng.Sun.COM>
Date: Fri, 26 Jun 1998 12:38:23 -0700 (PDT)
Cc: vgupta@nobel.Eng.Sun.COM
Reply-To: Vipul Gupta <vgupta@nobel.Eng.Sun.COM>
Sender: owner-ipsec@ex.tis.com


   I thought I understood the role of IDs but I am not so sure any more.
   I hope some one on this list can help. I used to think that the 
   (mandatory) IDs in phase I identify ISAKMP participants (the initiator
   and responder) and (optional) phase II IDs identify clients, 
   such as subnets, for which the ISAKMP participants negotiate
   tunnel-mode IPSec SAs. A typical scenario might be two firewalls
   that use ISAKMP to negotiate IPSec SAs for two subnets -- each subnet
   represents a branch office and hosts on these subnets wish to 
   communicate across the Internet using a secure tunnel.
   
   According to the latest ISAKMP draft, the only ID types allowed in
   phase I are: ID_IPV4_ADDR, ID_IPV6_ADDR, ID_IPV4_ADDR_SUBNET,
   ID_IPV6_ADDR_SUBNET. With the reasoning above, I can see how the
   first two make sense as IDs for phase I. However, the latter two
   ID types seem more appropriate for use in phase II.

   I have some concerns about limiting phase I IDs to these four types.
   I am interested in the use of IPSec in remote access scenarios
   (details in draft-gupta-ipsec-remote-access-00.txt). In particular,
   I'd like to use IPSec to securely connect a road warrior (attached
   to the Internet using a dynamic, ISP-allocated address) to his
   corporate Intranet. In order to minimize the changes required within
   the Intranet, I'd like to use IPSec in "end-to-edge" mode
   i.e. from the remote computer (R) to an IPSec gateway (G) on the
   Intranet's periphery. Most Intranets assume mutual trust between
   internal hosts and use addresses that are not advertised on the
   Internet (even when they are globally unique). Private addresses
   on the Intranet can be handled by using NAT  (network address and
   port translation) or dynamically assigning the remote host an
   internal address (as described in the ISAKMP configuration draft).
   However, before anything else,  R must set up an ISAKMP SA with G.
   Assuming that preshared keys are used for phase I authentication,
   R needs to convey an identity that G can use to look up its preshared
   secret associated with R (or the employee authorized to use R).
   Since R communicates with G using a dynamic ISP address, what 
   identity type should it use in phase I -- ID_IPV4_ADDR doesn't 
   help because there is no "fixed" address associated with the
   portable that could be used to look up the preshared secret.
   
   If ID_USER_FQDN or ID_KEY_ID were allowed as valid phase I 
   ID types, they could be used effectively in this situation.

   Am I missing something here? Thanks for your time.     
   
   vipul
   
   
> To: Vipul Gupta <vgupta@nobel.eng.sun.com>
> cc: ipsec@tis.com, vipul.gupta@Eng
> Subject: Re: Question about ID types in IPSEC DOI 
> Date: Thu, 25 Jun 1998 18:27:28 -0700
> From: "Derrell D. Piper" <ddp@network-alchemy.com>
> 
> Vipul,
> 
> The is a actually a bug in the current DOI.  Since the last draft of ISAKMP,
> the IPSEC DOI ID types apply only to Phase 2 negotiations.  The valid Phase 1
> types are now listed in the ISAKMP draft (and are much more limited).  
> 
> The ID_KEY_ID type predates the ISAKMP Vendor ID payload and should probably
> be deprecated in favor of that, since it's essentially a private extension.
> 
> Who's using this type in Phase 1?
> 
> Derrell
>

Prev by Date: Re: Does IPsec undermine PKI?
Next by Date: Re: Question about ID types in IPSEC DOI
Prev by thread: RE: Question about ID types in IPSEC DOI
Next by thread: RE: More questions on ID types
Index(es):
- Main
- Thread