Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names
>>>>> "Dave" == Dave Mason <dmason@tis.com> writes:
Dave> If it's marked as a non-mobile certificate in the policy database, the
Dave> database would restrict the ip addresses allowed for the remote
If it's not a mobile node, then your local policy database will have a
clear end-point for the router. So, even if they steal the router and drop
it in somewhere with a different IP address, the SAs that would be
allowed to be negotiated would be for the original location.
The names in the certificate are *not* policy information. They are
keys to policy information. If you use the stuff *as* policy information,
then you are going to get hosed. Use KeyNote or something instead if you
want scaling beyond your local config file.
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | Firewalls, TCP/IP and Unix administration
Personal: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
Corporate: sales@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/SSW/).
ON HUMILITY: To err is human, to moo bovine.
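The distinction the reply draws, names in the certificate as *keys* into a local policy database versus names used *as* the policy, can be shown with a small worked example. This is an added illustration, not code from the thread, from TIS or from any IPsec implementation: the certificate fields, the `POLICY_DB` entries, the host names and the IP addresses are all constructed for the example, and the "mobile" flag and allowed-peer list are the hypothetical policy attributes the discussion mentions.

```python
# Added example (not from the mailing-list thread): an IKE-style SA
# admission check that treats the peer certificate's subject name as a key
# into a local policy database, contrasted with the anti-pattern of
# deriving policy from the certificate contents themselves.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class PeerCert:
    """Minimal stand-in for a verified peer certificate (constructed)."""
    subject: str                    # e.g. "CN=gw1.example.net"
    ip_san: Optional[str] = None    # iPAddress subjectAltName, if present


@dataclass
class PolicyEntry:
    """Local policy for one peer identity (hypothetical attributes)."""
    mobile: bool                                  # may appear from any address
    allowed_peers: Set[str] = field(default_factory=set)   # CIDR strings


# Constructed local policy database, keyed by certificate subject.
# The certificate name only selects the row; the row holds the policy.
POLICY_DB = {
    "CN=gw1.example.net": PolicyEntry(mobile=False,
                                      allowed_peers={"192.0.2.1/32"}),
    "CN=laptop7.example.net": PolicyEntry(mobile=True),
}


def lookup_policy(cert: PeerCert) -> Optional[PolicyEntry]:
    """Use the certificate name purely as a key; unknown names get no policy."""
    return POLICY_DB.get(cert.subject)


def sa_allowed(cert: PeerCert, peer_addr: str) -> bool:
    """Admit an SA only if local policy for this identity permits peer_addr.

    A non-mobile entry pins the identity to its configured end-points, so a
    stolen router that reappears elsewhere is refused even though its
    certificate still validates.
    """
    policy = lookup_policy(cert)
    if policy is None:
        return False
    if policy.mobile:
        return True
    addr = ipaddress.ip_address(peer_addr)
    return any(addr in ipaddress.ip_network(net) for net in policy.allowed_peers)


def sa_allowed_from_cert_only(cert: PeerCert, peer_addr: str) -> bool:
    """Anti-pattern: treat the certificate contents *as* the policy.

    A certificate without an iPAddress SAN is taken to mean "mobile" and is
    accepted from anywhere; a stolen device carries that decision with it,
    and nothing in the local configuration can narrow it short of
    reissuing the certificate.
    """
    if cert.ip_san is None:
        return True
    return ipaddress.ip_address(peer_addr) == ipaddress.ip_address(cert.ip_san)


def restrict_identity(subject: str, allowed: Set[str]) -> None:
    """Local-only response to a suspected theft: pin the identity to
    specific end-points without touching the certificate or the CA."""
    POLICY_DB[subject] = PolicyEntry(mobile=False, allowed_peers=set(allowed))


if __name__ == "__main__":
    router = PeerCert("CN=gw1.example.net", ip_san="192.0.2.1")
    stolen = PeerCert("CN=gw1.example.net")          # same identity, SAN-less reissue
    print(sa_allowed(router, "192.0.2.1"))           # True: original location
    print(sa_allowed(router, "198.51.100.7"))        # False: moved elsewhere
    print(sa_allowed_from_cert_only(stolen, "198.51.100.7"))  # True: hosed
```

The point of `restrict_identity` is that the operator's recovery action is an edit to the local database row, which is exactly what keying policy by name (rather than storing it in the name) makes possible; the thread's pointer to KeyNote is about where that database lives once it has to scale past a single configuration file.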