
Re: Non-IP type Client IDs



>The first alternative is that the initiating system sends the USER_FQDN as
>IDci in quick mode.  This allows the gateway to look up policy based on
>client IDs, however the gateway must then assume that the selectors to use
>in IPSec are the initiator's IP Address (rather than IDci) and IDcr.

But in that "first alternative", what is being used for IDii in Phase 1?
If you're really authenticating the user, it MUST be the same as what
you propose to use as IDci, or else something that maps one-for-one
to that user.  Otherwise, you're not authenticating the user at all,
as the authentication that is taking place isn't based on any user
credentials, but rather on the credentials for IDii, whatever that
may be.  You would then be implicitly trusting IDii to act as a "proxy"
for that user somehow.  Is that really what you want to do?

-Shawn Mamros
E-mail to: smamros@nortelnetworks.com
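The check Shawn describes, modelled as an added example (not code from the thread or from any IKE implementation): a gateway that authenticated IDii in Phase 1 only accepts a USER_FQDN IDci in Quick Mode when IDci is that same identity or the single user it maps one-for-one to, and then, following the "first alternative", derives the selectors from the initiator's address and IDcr rather than from IDci. The identity strings, the Phase 1-to-user map, the policy table and the addresses are all constructed for the example; the ID type codes follow the IPsec DOI (RFC 2407).

```python
# Added example, not from the mailing-list thread. All identities, policy
# entries and addresses below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IPsec DOI identification types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4

# Constructed one-for-one map from the identity authenticated in Phase 1
# (e.g. the subject of the certificate used in Main Mode) to the one user
# that identity is allowed to stand for.  Anything not in this table is
# not a proxy for anyone.
PHASE1_TO_USER = {
    "CN=alice-laptop,O=Example": "alice@example.com",
    "CN=bob-laptop,O=Example":   "bob@example.com",
}

# Constructed per-user policy, keyed on the client (user) identity as in the
# "first alternative".  The local selector is the initiator's own address,
# so policy only constrains where that address may come from.
USER_POLICY = {
    "alice@example.com": {"allowed_src": ip_network("192.0.2.0/24"),
                          "remote": ip_network("10.0.0.0/8")},
    "bob@example.com":   {"allowed_src": ip_network("198.51.100.0/24"),
                          "remote": ip_network("10.0.0.0/8")},
}


@dataclass
class Phase1SA:
    idii: str       # identity actually authenticated in Phase 1
    peer_ip: str    # address the initiator is talking from


@dataclass
class QuickModeProposal:
    idci_type: int
    idci: str       # proposed client identity (USER_FQDN in this scheme)
    idcr_type: int
    idcr: str       # responder-side identity, here an address or subnet


def authorize_quick_mode(sa: Phase1SA, prop: QuickModeProposal) -> dict:
    """Return the selectors to install, or raise ValueError if the proposal
    is not bound to the identity that was authenticated in Phase 1."""
    if prop.idci_type != ID_USER_FQDN:
        raise ValueError("this scheme expects a USER_FQDN IDci")

    # The core point: IDci must be the Phase 1 identity itself, or the one
    # user that identity maps to.  Accepting any other IDci would mean the
    # Phase 1 credentials are silently trusted as a proxy for an
    # unauthenticated user.
    bound_user = PHASE1_TO_USER.get(sa.idii)
    if prop.idci != sa.idii and prop.idci != bound_user:
        raise ValueError(f"IDci {prop.idci!r} is not bound to IDii {sa.idii!r}")

    policy = USER_POLICY.get(prop.idci)
    if policy is None:
        raise ValueError(f"no policy for user {prop.idci!r}")

    # Selectors come from the initiator's address (not IDci) and IDcr.
    src = ip_address(sa.peer_ip)
    if src not in policy["allowed_src"]:
        raise ValueError(f"initiator address {src} outside allowed range")

    if prop.idcr_type not in (ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET):
        raise ValueError("IDcr must be an IPv4 address or subnet")
    remote = ip_network(prop.idcr, strict=False)
    if not remote.subnet_of(policy["remote"]):
        raise ValueError(f"IDcr {remote} not permitted for {prop.idci!r}")

    return {"user": prop.idci,
            "local": ip_network(f"{src}/32"),
            "remote": remote}


def quick_mode_accepted(sa: Phase1SA, prop: QuickModeProposal) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        authorize_quick_mode(sa, prop)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sa = Phase1SA("CN=alice-laptop,O=Example", "192.0.2.10")
    ok = QuickModeProposal(ID_USER_FQDN, "alice@example.com",
                           ID_IPV4_ADDR_SUBNET, "10.1.0.0/16")
    proxy = QuickModeProposal(ID_USER_FQDN, "bob@example.com",
                              ID_IPV4_ADDR_SUBNET, "10.1.0.0/16")
    print(authorize_quick_mode(sa, ok))
    print(quick_mode_accepted(sa, proxy))   # alice's cert may not speak for bob
```

The rejected case is the one the message warns about: the laptop certificate was authenticated in Phase 1, but the Quick Mode IDci names a different user, so accepting it would let that certificate act as a proxy for bob without any of bob's credentials being checked.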