
Re: UBE/medium: Re: issues with IKE that need resolution



In message <199809181248.IAA07227@2gn.com>, Rodney Thayer writes:
>The requirement is -- we want one SA for multiple purposes
>
>The problem is -- expressing what we want gets complex, ugly,
>and possibly unworkable.
>
>I note also that rough consensus is that rfc822name and fqdn
>are, for all intents and purposes, a slab of printable characters.
>
>Why don't we add ONE ID type, LABEL, which is an "arbitrary printable
>string"?  Its meaning gets defined outside of IKE (but within bounds
>of the architecture or something).  So then we'd say something like
>"id=banktellers" which means "telnet between 9 and 5 local time to
>host-a and FTP between 4 and 5 local time to host-b".  These 
>labels could be Policy Language (program names) or (gasp!) email addresses
>or driver's licence numbers or whatever you want.

I see your point, but I don't think that gets us where we need to be.
The fundamental problem is that users connect by name, IPsec operates
on addresses, and -- in some cases -- both of those are variable.  There
is a higher-level concept of "that machine", but it's not in the protocol
suite.  Adding a new label that nothing refers to doesn't solve the
problem; users still can't ask for it.