
RE: Non-IP type Client IDs



[snip]

>Without using something like USER_FQDN or KEYID, how can you have
>different phase 2 policies for different remote users.  I also believe
>that there are many cases when you will not be able to assign a fixed
>private IP address to the client.  Config Mode does help, but I don't
>know why we should preclude other options.

The certificate used in phase 1 differentiates between remote users.
If you're relying on a USER_FQDN in phase 2 to determine policy such
that user1@xxx.com is allowed access to all machines behind the gateway
and user2@yyy.com is only allowed access to a subset of machines,
user2@yyy.com will just stick user1@xxx.com in its phase 2 ID. I'd
prefer to restrict phase 2 IDs to IP addresses.  The certificate is
the identity of the remote peer; duplicating this identity in various
parts of the exchange(s) is redundant and unnecessary.

-dave
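The binding problem Dave describes above, as an added worked example that is not part of the original post or of any IKE implementation: a toy gateway policy check. The policy table, user names and subnets are constructed for illustration. The first function keys policy on the phase 2 client ID the peer asserts (an unauthenticated USER_FQDN, so user2 can claim to be user1); the second keys policy on the certificate identity proven in phase 1 and only accepts IP-type phase 2 IDs, treating them purely as traffic selectors to be checked against that identity's allowed networks.

```python
"""Toy model of IKE phase 2 policy selection.

Added example, not code from the original mailing-list post.  The
policy table, identities and addresses below are made up.
"""
import ipaddress
from dataclasses import dataclass

# Constructed policy: which networks behind the gateway each
# certificate-authenticated identity may reach.
POLICY = {
    "user1@xxx.com": ["10.0.0.0/8"],      # everything behind the gateway
    "user2@yyy.com": ["10.1.2.0/24"],     # a small subset only
}

IP_ID_TYPES = ("IPV4_ADDR", "IPV4_SUBNET")


@dataclass
class Phase1:
    """Result of phase 1: identity bound to the certificate that signed
    the exchange.  This is the only identity the gateway has verified."""
    cert_subject: str


@dataclass
class Phase2:
    """Quick-mode proposal from the client.  IDci is whatever the peer
    chooses to put in the payload; the certificate does not vouch for it.
    IDcr is the network behind the gateway the client wants to reach."""
    idci_type: str
    idci_value: str
    idcr_subnet: str


def _within_allowed(subnet: str, allowed: list) -> bool:
    """True if the requested remote selector lies inside some allowed net."""
    want = ipaddress.ip_network(subnet)
    return any(want.subnet_of(ipaddress.ip_network(n)) for n in allowed)


def authorize_by_phase2_id(p1: Phase1, p2: Phase2) -> bool:
    """Flawed approach: pick the policy from the phase 2 USER_FQDN ID.

    The cert identity (p1) is never consulted, so a peer that
    authenticated as user2 can assert user1's name here and inherit
    user1's access."""
    if p2.idci_type != "USER_FQDN":
        return False
    allowed = POLICY.get(p2.idci_value, [])
    return _within_allowed(p2.idcr_subnet, allowed)


def authorize_by_cert(p1: Phase1, p2: Phase2) -> bool:
    """Approach argued for in the post: policy is keyed on the
    certificate identity from phase 1, and phase 2 IDs are restricted
    to IP types that act only as traffic selectors."""
    if p2.idci_type not in IP_ID_TYPES:
        return False                      # reject USER_FQDN/KEYID in phase 2
    allowed = POLICY.get(p1.cert_subject, [])
    return _within_allowed(p2.idcr_subnet, allowed)


if __name__ == "__main__":
    # user2 authenticated with its own certificate in phase 1 ...
    p1 = Phase1(cert_subject="user2@yyy.com")
    # ... but claims to be user1 in the phase 2 ID and asks for a
    # network only user1 may reach.
    spoof = Phase2("USER_FQDN", "user1@xxx.com", "10.5.0.0/16")
    print("phase2-ID policy :", authorize_by_phase2_id(p1, spoof))  # True
    print("cert-bound policy:", authorize_by_cert(p1, spoof))       # False
    # With IP-type phase 2 IDs, user2 still gets exactly its own subset.
    own = Phase2("IPV4_ADDR", "10.1.2.7", "10.1.2.0/24")
    print("cert-bound, own net:", authorize_by_cert(p1, own))       # True
```

The point the model makes is that any field the peer can fill in freely after authentication is an assertion, not an identity; authorization has to hang off the value the signature actually covered.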

