
matching GW addr to ID payload (fwd)



I have a question that I hope some of you out there can help me answer.
The scenario is this:  Say I have a host machine using IKE/IPSEC which has
multiple aliases for the same interface (or multiple interfaces routable
to the same remote peer).  When I start an IKE negotiation to the remote peer
the IKE implementation does not have control over which interface address
gets inserted in the UDP packet.  If I wish to use an IPV4 address in the
identity payload, my IKE implementation will choose the IPV4 address to use
in the ID payload based on the IKE implementation's configured policy.

My question is, what happens if the IPV4 address selected in the ID payload
does not match the actual source address contained in the packet?  I know for
the pre-shared key case, this won't (or shouldn't) work (at least for Phase
1 using Main Mode), since the actual remote address used to send the packet
is used to determine the pre-shared key used to authenticate the session.
But how should this be handled for signature based authentication?  If the
IPV4 address specified in the identity payload matches the IP address in
the subjectAltName extension of the cert used for sig authentication and
this matches the IKE local policy, does it need to match the actual
address received from the packet? 

And what if there is no IP address in the subjectAltName?  Is it then
a requirement that the actual gateway match the IPV4_ADDR identity?

How would implementations out there handle this scenario?  Has anyone
else thought of how to handle multiple interface aliases so that ISAKMP
does "the right thing"?
Thanks in advance.

---
Tylor Allison         tylor_allison@securecomputing.com
Secure Computing Corporation
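The three situations the post raises (pre-shared key keyed on the packet source, a signature-authenticated ID_IPV4_ADDR backed by an iPAddress subjectAltName, and the same without any SAN) can be written down as one responder-side check. This is an added example, not code from the poster or from any IKE implementation; the PSK table, the addresses and the `require_src_match` policy knob are constructed, and how strict a real responder should be is exactly the question the post leaves open.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the Phase 1 facts the post discusses: the UDP source
# address, the ID_IPV4_ADDR carried in the ID payload, the auth method and,
# for signature auth, the iPAddress entries of the peer cert's subjectAltName.
@dataclass(frozen=True)
class Phase1Identity:
    src_addr: str             # source address actually seen on the UDP packet
    id_ipv4: str              # ID_IPV4_ADDR from the identity payload
    auth: str                 # "psk" or "sig"
    cert_san_ips: tuple = ()  # iPAddress SANs of the peer cert (sig only)

# Constructed pre-shared key table, keyed by peer address as Main Mode forces.
PSK_BY_PEER_ADDR = {"192.0.2.10": b"constructed-psk"}

def same_ip(a, b):
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)

def check_identity(m, require_src_match=False):
    """Return (accepted, reason) for the responder's identity check.

    require_src_match is the policy knob the post asks about: whether a
    SAN-backed ID_IPV4_ADDR must still equal the packet's source address.
    """
    if m.auth == "psk":
        # Main Mode: the ID payload arrives encrypted, so the key used to
        # decrypt it was chosen from src_addr alone. A peer sending from an
        # alias that has no PSK entry cannot authenticate at all.
        if m.src_addr not in PSK_BY_PEER_ADDR:
            return False, "no pre-shared key configured for source address"
        if not same_ip(m.id_ipv4, m.src_addr):
            return False, "ID_IPV4_ADDR differs from the address the PSK was keyed on"
        return True, "PSK peer address and ID payload agree"
    if m.auth == "sig":
        san_backed = any(same_ip(m.id_ipv4, s) for s in m.cert_san_ips)
        if san_backed:
            # The certificate vouches for the claimed address; the packet
            # source is enforced only if local policy says so.
            if require_src_match and not same_ip(m.id_ipv4, m.src_addr):
                return False, "policy requires ID_IPV4_ADDR to equal packet source"
            return True, "ID_IPV4_ADDR is bound by the cert subjectAltName"
        # No iPAddress SAN: nothing but the packet itself vouches for the
        # address, so fall back to requiring that it match the source.
        if same_ip(m.id_ipv4, m.src_addr):
            return True, "no SAN, but ID_IPV4_ADDR equals packet source"
        return False, "no SAN iPAddress and ID_IPV4_ADDR differs from source"
    return False, "unknown authentication method"
```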
